As some related info, I was curious and this feature was added in 2011 with specific security-relevant justification.
http://www.openwall.com/lists/kernel-hardening/2011/11/15/3

The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".

Trevor

On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan <[email protected]> wrote:
> Hi Matus,
>
> The workaround for X seems reasonable (and honestly, I haven't seen any
> issues with X when running in this mode).
>
> The systemd problems are problems with systemd and need to be fixed. I
> shouldn't have to disable security mechanisms because of systemd.
>
> Note: I've also not seen any issues with DBus operations with this
> enabled but maybe I wasn't trying the right operations. Granted, I can't
> manage other people's processes but that's...good, right?
>
> Trevor
>
> On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka <[email protected]> wrote:
>
>> Hello Trevor,
>>
>> this feature would be nice to have and it can definitely be implemented
>> in SSG. I would suggest having a rule for it, but I would not include it
>> in any profile by default as this option currently causes issues with
>> other components (see
>> https://wiki.archlinux.org/index.php/security#hidepid). This way we can
>> provide a possibility for users to include it in their profiles using
>> tailoring if they really want to.
>>
>> Regards,
>> Matus Marhefka
>>
>> On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan <[email protected]>
>> wrote:
>>
>>> I've had this feature request open for a while at
>>> https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting
>>> that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
>>>
>>> As we approach EL8 (I think), I'd like to have this discussion since
>>> this capability has shown to be valuable in a practical way on multi-user
>>> systems.
>>>
>>> Thanks,
>>>
>>> Trevor
>>>
>>> --
>>> Trevor Vaughan
>>> Vice President, Onyx Point, Inc
>>> (410) 541-6699 x788
>>>
>>> -- This account not approved for unencrypted proprietary information --

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
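What a rule-style check for the setting discussed in this thread could look like, as an added example that is not part of the thread and not one of scap-security-guide's own rules: it reads lines in /proc/mounts format, finds the /proc entry, reports the hidepid mode and the gid= exemption group, and passes only when hidepid=2 (or its symbolic equivalent) is in effect. The sample mount lines below are constructed. Note that gid= names a single group, which is exactly the one-group limitation Trevor describes; and on kernels from 5.8 onward /proc/mounts shows the symbolic spelling (invisible for 2), so the check maps both forms. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from scap-security-guide.
# Checks whether /proc is mounted with hidepid=2 and which gid= is exempted,
# working from text in /proc/mounts format so it can run on a sample offline.

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# proc_mount_opts MOUNTS_TEXT
# Print the options field of the /proc entry; prints nothing if /proc is absent.
proc_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4; exit }'
}

# proc_hidepid MOUNTS_TEXT
# Print the effective hidepid level as a number. An absent option means the
# kernel default (0); the symbolic names used by Linux >= 5.8 are mapped
# to the numeric levels (off=0, noaccess=1, invisible=2, ptraceable=4).
proc_hidepid() {
    opts=$(proc_mount_opts "$1")
    val=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p')
    case "$val" in
        ''|off)      echo 0 ;;
        noaccess)    echo 1 ;;
        invisible)   echo 2 ;;
        ptraceable)  echo 4 ;;
        *)           echo "$val" ;;
    esac
}

# proc_gid MOUNTS_TEXT
# Print the single group exempted via gid= (empty if none is configured).
proc_gid() {
    opts=$(proc_mount_opts "$1")
    printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^gid=//p'
}

# check_hidepid MOUNTS_TEXT
# Exit status 0 when hidepid=2 is in effect, 1 otherwise: the pass/fail a
# compliance rule for this setting would report.
check_hidepid() {
    [ "$(proc_hidepid "$1")" = "2" ]
}

# Stand-alone usage: evaluate the constructed sample, then the live host.
if check_hidepid "$SAMPLE_MOUNTS"; then
    echo "sample: /proc has hidepid=2 (exempt gid: $(proc_gid "$SAMPLE_MOUNTS"))"
else
    echo "sample: /proc hidepid level is $(proc_hidepid "$SAMPLE_MOUNTS"), not 2"
fi
if [ -r /proc/mounts ]; then
    live=$(cat /proc/mounts)
    echo "host: hidepid=$(proc_hidepid "$live") gid=$(proc_gid "$live")"
fi
```

The remediation side of such a rule is a persistent mount option (an fstab entry or a systemd mount unit for /proc carrying hidepid=2,gid=<group>), which is where the component breakage cited from the Arch wiki shows up; that is why the thread proposes shipping it as a rule that profiles pull in through tailoring rather than enabling it by default.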
