On Wednesday, September 5, 2018 10:59:42 AM EDT Trevor Vaughan wrote: > As some related info, I was curious and this feature was added in 2011 with > specific security-relevant justification. > > http://www.openwall.com/lists/kernel-hardening/2011/11/15/3 > > The biggest issue that I know of (that would probably solve a lot of the > issues referenced) is the ability to allow multiple groups access to the > information. If this were added, everything should be able to very easily > "just work".
Note that even hidepid=1 is enough to cause problems. Sep 7 08:22:17 NetworkManager[1034]: <warn> [1536322937.2986] error requesting auth for org.freedesktop.NetworkManager.network-control: Authorization check failed: Failed to open file “/proc/2332/status”: Operation not permitted Sep 7 08:22:17 NetworkManager[1034]: <info> [1536322937.2988] audit: op="connection-activate" uuid="f281b867-85e1-4979-8adf-ad9fac216a7c" pid=2332 uid=4325 result="fail" reason="Not authorized to control networking." Sep 7 08:26:38 gnome-session[1665]: gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login. Sep 7 08:26:38 gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login. Agree that having multiple groups might help. But that does not exist and I don't think its planned. -Steve > On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan <[email protected]> > > wrote: > > Hi Matus, > > > > The workaround for X seems reasonable (and honestly, I haven't seen any > > issues with X when running in this mode). > > > > The systemd problems are problems with systemd and need to be fixed. I > > shouldn't have to disable security mechanisms because of systemd. > > > > Note: I've also not seen any issues with DBus operations in with this > > enabled but maybe I wasn't trying the right operations. Granted, I can't > > manage other people's processes but that's...good, right? > > > > Trevor > > > > On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka <[email protected]> wrote: > >> Hello Trevor, > >> > >> this feature would be nice to have and it can be definitely implemented > >> in SSG. I would suggest to have a rule for it but I would not include it > >> into any profile by default as this option currently causes issues with > >> other components (see > >> https://wiki.archlinux.org/index.php/security#hidepid). This way we can > >> provide a possibility for users to include it into their profiles using > >> tailoring if they really want to. > >> > >> Regards, > >> Matus Marhefka > >> > >> On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan <[email protected]> > >> > >> wrote: > >>> I've had this feature request open for a while at > >>> https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting > >>> that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 > >>> controls. > >>> > >>> As we approach EL8 (I think), I'd like to have this discussion since > >>> this capability has shown to be valuable in a practical way on > >>> multi-user > >>> systems. > >>> > >>> Thanks, > >>> > >>> Trevor > >>> > >>> -- > >>> Trevor Vaughan > >>> Vice President, Onyx Point, Inc > >>> (410) 541-6699 x788 > >>> > >>> -- This account not approved for unencrypted proprietary information -- > >>> > >>> _______________________________________________ > >>> scap-security-guide mailing list -- > >>> [email protected] > >>> To unsubscribe send an email to > >>> [email protected] > >>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >>> List Archives: > >>> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. > >>> fedorahosted.org>> > >> _______________________________________________ > >> scap-security-guide mailing list -- > >> [email protected] > >> To unsubscribe send an email to > >> [email protected] > >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > >> https://lists.fedorahosted.org/archives/list/[email protected] > >> edorahosted.org> > > -- > > Trevor Vaughan > > Vice President, Onyx Point, Inc > > (410) 541-6699 x788 > > > > -- This account not approved for unencrypted proprietary information -- _______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
