Hide running processes from users other than root

4 years ago · e1a612966c
parent d0e9962d04
commit e1a612966c
3 changed files with 45 additions and 0 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -97,6 +97,8 @@ raspbian_repository_use_sources: yes

 # System configuration

+global_fstab_file: "/etc/fstab"
+
 global_users_directory: "/home"

 # Application configurations
@ -186,6 +188,7 @@ global_systemd_preset_directory: "/lib/systemd/system"
 global_systemd_configuration_directory: "/etc/systemd/system"
 global_systemd_journal_configuration_directory: "/etc/systemd/journald.conf.d"
 global_systemd_journal_max_storage: 1G
+global_systemd_login_service_name: "systemd-logind.service"
 global_systemd_network_directory: "/etc/systemd/network"
 global_systemd_network_service_name: "systemd-networkd.service"
 global_systemd_network_system_user: "systemd-network"
--- a/roles/common/tasks/kernel_hidepid.yml
+++ b/roles/common/tasks/kernel_hidepid.yml
@ -0,0 +1,37 @@
+---
+
+# protecting process list of users different than root
+# Source: https://wiki.archlinux.org/index.php/Security#hidepid
+
+- name: Configure group for reading other processes
+  group:
+    state: present
+    name: proc
+    system: yes
+
+- name: Configure proc mounting in fstab
+  lineinfile:
+    path: "{{ global_fstab_file }}"
+    regexp: '^\S+\s+/proc\s+proc\s+'
+    line: >-
+      proc /proc proc
+      nosuid,nodev,noexec,hidepid=2,gid=proc
+      0 0
+
+- name: Ensure configuration directory for systemd-logind service exists
+  file:
+    state: directory
+    path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Configure systemd-logind to adapt to hidepid setting
+  copy:
+    content: |
+      [Service]
+      SupplementaryGroups=proc
+    dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -9,6 +9,11 @@
 - name: Configure ufw
  import_tasks: ufw.yml

+- name: Enforce kernel security
+  import_tasks: kernel_hidepid.yml
+  tags:
+    - kernel_hidepid
+
 - name: Configure locales
  import_tasks: locales.yml