On Sunday, January 22, 2017 6:31:43 PM EST Shawn Wells wrote:
> On 1/21/17 4:16 PM, Trevor Vaughan wrote:
> > While that's a good point, you could say the same thing for a few of the options in here.
> >
> > IPTables, SELinux, etc...
> >
> > They *all* say: "do this but turn it off if it doesn't work for you".
> >
> > In the hidepid case, you can add the gid= option to allow monitoring systems access to the proc table which has worked around all issues that I've seen so far.
> >
> > If you decide to do this on EL7, be aware that you'll need to start mcstransd (if you're using it) with the group that you specify in the gid= option.
> >
> > If you have specific cases where the risk of arbitrary user process enumeration outweighs the benefits, I would be most interested to hear them. Fundamentally, this is antithetical to the container approach to the world that is being pushed by so many.
> >
> > I have seen some issues with poorly written software and have filed bugs with those vendors since they are asking for privileges which they do not require.
> >
> > Thanks,
>
> We can add it to the catalog, allowing people to enable in tailored profiles
There is a good chance that this breaks existing functionality. Anything that walks the /proc/<pid> listing could have problems, including openscap. I did recommend some sysctls privately that can help with the worst problems in /proc, which is the possibility of working out ASLR addresses. Maybe that is enough for most people?

-Steve

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
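As an added illustration of the hidepid/gid= trade-off discussed in this thread (this is example code written for this page, not part of the thread, the SCAP Security Guide or openscap), the following POSIX sh function classifies a /proc mount-option string by whether process enumeration is restricted and whether a gid= exception group for monitoring tools is set; the option names hidepid=0/1/2 and the newer off/noaccess/invisible/ptraceable spellings are the kernel's, while the status labels and the sample option strings are constructed for this example.

```shell
#!/bin/sh
# Classify /proc mount options with respect to hidepid and gid=.
# Prints one of (labels are this example's own):
#   missing      - no effective hidepid: any user can list /proc/<pid>
#   weak         - hidepid=1/noaccess: PIDs visible, details unreadable
#   hidden-nogid - hidepid=2/invisible (or 4/ptraceable) but no gid=,
#                  so monitoring tools that walk /proc/<pid> will break
#   hidden       - hidepid=2/invisible with a gid= exception group
proc_hidepid_status() {
    opts=$1
    hidepid=""
    gid=""
    old_ifs=$IFS
    IFS=,
    # Walk the comma-separated option list; the last occurrence wins,
    # matching how a later remount option overrides an earlier one.
    for opt in $opts; do
        case $opt in
            hidepid=*) hidepid=${opt#hidepid=} ;;
            gid=*)     gid=${opt#gid=} ;;
        esac
    done
    IFS=$old_ifs
    case $hidepid in
        ""|0|off)                 echo missing ;;
        1|noaccess)               echo weak ;;
        2|invisible|4|ptraceable)
            if [ -n "$gid" ]; then echo hidden; else echo hidden-nogid; fi ;;
        *)                        echo unknown ;;
    esac
}

# Read the live option string for /proc from /proc/mounts (fourth field)
# so the classifier can be run on the current host.
live_proc_opts() {
    awk '$2 == "/proc" && $3 == "proc" { print $4; exit }' /proc/mounts
}

# Stand-alone use: report the status of this host's /proc mount.
if [ -r /proc/mounts ]; then
    echo "/proc: $(proc_hidepid_status "$(live_proc_opts)")"
fi
```

A result of hidden-nogid is the case Steve is warning about: openscap or any agent that enumerates /proc/<pid> as a non-root user will see an empty listing unless its group is named in gid=.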
