banananetwork
/
ansible
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Hide running processes from users other than root

Browse Source
master
Felix Stupp 4 years ago
parent d0e9962d04
commit e1a612966c
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7
3 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File

3
group_vars/all/vars.yml
Unescape Escape View File

@ -97,6 +97,8 @@ raspbian_repository_use_sources: yes
# System configuration # System configuration
global_fstab_file: "/etc/fstab"
global_users_directory: "/home" global_users_directory: "/home"
# Application configurations # Application configurations
@ -186,6 +188,7 @@ global_systemd_preset_directory: "/lib/systemd/system"
global_systemd_configuration_directory: "/etc/systemd/system" global_systemd_configuration_directory: "/etc/systemd/system"
global_systemd_journal_configuration_directory: "/etc/systemd/journald.conf.d" global_systemd_journal_configuration_directory: "/etc/systemd/journald.conf.d"
global_systemd_journal_max_storage: 1G global_systemd_journal_max_storage: 1G
global_systemd_login_service_name: "systemd-logind.service"
global_systemd_network_directory: "/etc/systemd/network" global_systemd_network_directory: "/etc/systemd/network"
global_systemd_network_service_name: "systemd-networkd.service" global_systemd_network_service_name: "systemd-networkd.service"
global_systemd_network_system_user: "systemd-network" global_systemd_network_system_user: "systemd-network"

37
roles/common/tasks/kernel_hidepid.yml
Unescape Escape View File

@ -0,0 +1,37 @@
---
# protecting process list of users different than root
# Source: https://wiki.archlinux.org/index.php/Security#hidepid
- name: Configure group for reading other processes
group:
state: present
name: proc
system: yes
- name: Configure proc mounting in fstab
lineinfile:
path: "{{ global_fstab_file }}"
regexp: '^\S+\s+/proc\s+proc\s+'
line: >-
proc /proc proc
nosuid,nodev,noexec,hidepid=2,gid=proc
0 0
- name: Ensure configuration directory for systemd-logind service exists
file:
state: directory
path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
owner: root
group: root
mode: u=rwx,g=rx,o=rx
- name: Configure systemd-logind to adapt to hidepid setting
copy:
content: |
[Service]
SupplementaryGroups=proc
dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
owner: root
group: root
mode: u=rw,g=r,o=r

5
roles/common/tasks/main.yml
Unescape Escape View File

@ -9,6 +9,11 @@
- name: Configure ufw - name: Configure ufw
import_tasks: ufw.yml import_tasks: ufw.yml
- name: Enforce kernel security
import_tasks: kernel_hidepid.yml
tags:
- kernel_hidepid
- name: Configure locales - name: Configure locales
import_tasks: locales.yml import_tasks: locales.yml

Write Preview
Loading…
Cancel
Save