IIRC, the current guide says not to configure a GUI unless necessary. So, if you don't need a GUI (most servers), then hidepid=2. If you do need a GUI, then note that some things might not work unless hidepid is set to 0 and here's the security risk that you are accepting.
Users shouldn't be messing with the network in locked down systems in general either. Thanks, Trevor On Fri, Sep 7, 2018 at 10:14 AM Steve Grubb <[email protected]> wrote: > On Wednesday, September 5, 2018 10:59:42 AM EDT Trevor Vaughan wrote: > > As some related info, I was curious and this feature was added in 2011 > with > > specific security-relevant justification. > > > > http://www.openwall.com/lists/kernel-hardening/2011/11/15/3 > > > > The biggest issue that I know of (that would probably solve a lot of the > > issues referenced) is the ability to allow multiple groups access to the > > information. If this were added, everything should be able to very easily > > "just work". > > Note that even hidepid=1 is enough to cause problems. > > Sep 7 08:22:17 NetworkManager[1034]: <warn> [1536322937.2986] error > requesting auth for org.freedesktop.NetworkManager.network-control: > Authorization check failed: Failed to open file “/proc/2332/status”: > Operation not permitted > Sep 7 08:22:17 NetworkManager[1034]: <info> [1536322937.2988] audit: > op="connection-activate" uuid="f281b867-85e1-4979-8adf-ad9fac216a7c" > pid=2332 > uid=4325 result="fail" reason="Not authorized to control networking." > > Sep 7 08:26:38 gnome-session[1665]: gnome-session-binary[1665]: WARNING: > Could not get session path for session. Check that logind is properly > installed and pam_systemd is getting used at login. > Sep 7 08:26:38 gnome-session-binary[1665]: WARNING: Could not get session > path for session. Check that logind is properly installed and pam_systemd > is > getting used at login. > > Agree that having multiple groups might help. But that does not exist and > I > don't think its planned. > > -Steve > > > On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan <[email protected]> > > > > wrote: > > > Hi Matus, > > > > > > The workaround for X seems reasonable (and honestly, I haven't seen any > > > issues with X when running in this mode). > > > > > > The systemd problems are problems with systemd and need to be fixed. I > > > shouldn't have to disable security mechanisms because of systemd. > > > > > > Note: I've also not seen any issues with DBus operations in with this > > > enabled but maybe I wasn't trying the right operations. Granted, I > can't > > > manage other people's processes but that's...good, right? > > > > > > Trevor > > > > > > On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka <[email protected]> > wrote: > > >> Hello Trevor, > > >> > > >> this feature would be nice to have and it can be definitely > implemented > > >> in SSG. I would suggest to have a rule for it but I would not include > it > > >> into any profile by default as this option currently causes issues > with > > >> other components (see > > >> https://wiki.archlinux.org/index.php/security#hidepid). This way we > can > > >> provide a possibility for users to include it into their profiles > using > > >> tailoring if they really want to. > > >> > > >> Regards, > > >> Matus Marhefka > > >> > > >> On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan < > [email protected]> > > >> > > >> wrote: > > >>> I've had this feature request open for a while at > > >>> https://github.com/OpenSCAP/scap-security-guide/issues/1648 > suggesting > > >>> that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 > > >>> controls. > > >>> > > >>> As we approach EL8 (I think), I'd like to have this discussion since > > >>> this capability has shown to be valuable in a practical way on > > >>> multi-user > > >>> systems. > > >>> > > >>> Thanks, > > >>> > > >>> Trevor > > >>> > > >>> -- > > >>> Trevor Vaughan > > >>> Vice President, Onyx Point, Inc > > >>> (410) 541-6699 x788 > > >>> > > >>> -- This account not approved for unencrypted proprietary information > -- > > >>> > > >>> _______________________________________________ > > >>> scap-security-guide mailing list -- > > >>> [email protected] > > >>> To unsubscribe send an email to > > >>> [email protected] > > >>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > >>> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > >>> List Archives: > > >>> > https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. > > >>> fedorahosted.org>> > > >> _______________________________________________ > > >> scap-security-guide mailing list -- > > >> [email protected] > > >> To unsubscribe send an email to > > >> [email protected] > > >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > >> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > >> List Archives: > > >> > https://lists.fedorahosted.org/archives/list/[email protected] > > >> edorahosted.org> > > > -- > > > Trevor Vaughan > > > Vice President, Onyx Point, Inc > > > (410) 541-6699 x788 > > > > > > -- This account not approved for unencrypted proprietary information -- > > > > > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
