You are mentioning the original ticket with the systemd and hidepid groups issue in https://github.com/ComplianceAsCode/content/issues/1648. Can you provide a link to that?

Thanks,
Matus

On Wed, Sep 5, 2018 at 4:59 PM, Trevor Vaughan <[email protected]> wrote:
> As some related info, I was curious and this feature was added in 2011 with specific security-relevant justification.
>
> http://www.openwall.com/lists/kernel-hardening/2011/11/15/3
>
> The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".
>
> Trevor
>
> On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan <[email protected]> wrote:
>
>> Hi Matus,
>>
>> The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
>>
>> The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
>>
>> Note: I've also not seen any issues with DBus operations with this enabled but maybe I wasn't trying the right operations. Granted, I can't manage other people's processes but that's...good, right?
>>
>> Trevor
>>
>> On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka <[email protected]> wrote:
>>
>>> Hello Trevor,
>>>
>>> this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
>>>
>>> Regards,
>>> Matus Marhefka
>>>
>>> On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan <[email protected]> wrote:
>>>
>>>> I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
>>>>
>>>> As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
>>>>
>>>> Thanks,
>>>>
>>>> Trevor
>>>>
>>>> --
>>>> Trevor Vaughan
>>>> Vice President, Onyx Point, Inc
>>>> (410) 541-6699 x788
>>>>
>>>> -- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
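
As an added example (not part of this thread and not SSG's own rule content), this is the kind of check a rule for the setting discussed above would perform: parse the mount table and confirm /proc carries hidepid=2, reporting the single group that `gid=` exempts. Function names and sample mount lines are constructed for illustration; the check also accepts `hidepid=invisible`, the spelling newer kernels print for the same level.

```python
# Added example: audit /proc mount options for the hidepid setting.
# All sample mount lines are constructed; gid 1001 is a placeholder group id.
SAMPLE_HARDENED = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0\n"
)
SAMPLE_DEFAULT = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"


def proc_mount_options(mounts_text):
    """Return the options of the last proc filesystem mounted on /proc, or None."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device, mount point, fstype, options, dump, pass
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            opts = {}
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                opts[key] = value
            found = opts  # a later mount on /proc shadows an earlier one
    return found


def check_hidepid(mounts_text):
    """Report whether /proc hides other users' processes (hidepid=2)."""
    opts = proc_mount_options(mounts_text)
    if opts is None:
        return {"compliant": False, "hidepid": None, "exempt_gid": None}
    hidepid = opts.get("hidepid", "0")  # option absent means the default, 0
    return {
        # newer kernels print level 2 as "invisible" in the mount table
        "compliant": hidepid in ("2", "invisible"),
        "hidepid": hidepid,
        # gid= names the single group allowed to see every process
        "exempt_gid": opts.get("gid"),
    }


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print(check_hidepid(fh.read()))
```

The `exempt_gid` field holds one value because the mount option takes one group, which is the limitation raised in the thread.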
