Parker Samp Linux Administration and More

4 Aug 2012

Process List Hiding in CentOS 6 and Linux Kernel 3

Recently the Gentoo Hardened project seems to have had some serious bugs, particularly with the grsec kernel. I have been forced to switch to CentOS 6 and configure it to behave similarly to Gentoo/grsec.

One of the biggest draws of grsec is its process-hiding feature. CentOS 6 uses SELinux and I decided to stay with it. Luckily for me, support for process hiding was added to the mainline kernel around version 3.3.

Solution

Mount /proc with the hidepid option.

I will show you the steps required to use hidepid on CentOS 6. These directions may not translate directly to other Linux distributions.

Installing a Version 3.X.X Kernel

server ~ # wget http://elrepo.org/linux/kernel/el6/x86_64/RPMS/kernel-ml-3.5.0-2.el6.elrepo.x86_64.rpm
server ~ # rpm -i kernel-ml-3.5.0-2.el6.elrepo.x86_64.rpm
server ~ # new-kernel-pkg --mkinitrd --install --make-default --depmod 3.5.0-2.el6.elrepo.x86_64
server ~ # reboot

Figuring Out Where to Enable hidepid

hidepid is a mount option for /proc, but it seems that it does not take effect when added to /etc/fstab. After a reboot the system will clearly report that /proc is mounted with hidepid, yet nothing is actually hidden. I've found that this feature does not work unless you remount /proc.

This might be a bug, so my instructions are a workaround rather than the proper way to do it.

More About hidepid

hidepid comes in three settings:

  • hidepid=0 - Disabled (the kernel default); there is no point in setting this explicitly
  • hidepid=1 - Enabled; hides processes not belonging to the user, but the user can still learn about other processes via other means
  • hidepid=2 - Enabled; hides processes not belonging to the user, and the user may not learn about other processes via other means

Configure hidepid

Find the following lines in the init script that mounts /proc at boot:

if [ ! -e /proc/mounts ]; then
        mount -n -t proc /proc /proc
        mount -n -t sysfs /sys /sys >/dev/null 2>&1
fi

Insert the following line after the closing 'fi':

mount /proc -o remount,hidepid=2

Please be aware that adding the option to the "mount -n -t proc /proc /proc" line has not worked for me; only the remount works.
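Because an fstab entry can report hidepid without actually enforcing it, it is worth checking the running system rather than the configuration after the reboot. The following POSIX sh script is an added example, not code from the original post: it parses a mount table in /proc/mounts format, reports which of the three hidepid levels listed above is in effect for /proc, and (on a live system) counts how many /proc/<pid> directories the current user can see. The function names and the constructed sample mount table are my own; nothing here depends on the exact init script being edited.

```shell
#!/bin/sh
# Added example (not from the original post): audit the hidepid level of /proc.

# hidepid_level: read mount-table text in /proc/mounts format from $1 and print
# the hidepid level in effect for /proc. Prints "0" when /proc is mounted but
# the option is absent (the kernel default is no hiding) and "unmounted" when
# no proc filesystem is mounted at /proc at all.
hidepid_level() {
    found=0 level=0
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "/proc" ] && [ "$fstype" = "proc" ] || continue
        # If /proc appears more than once, the last entry reflects the current
        # state, so reset and re-parse for every matching line.
        found=1 level=0
        old_ifs=$IFS
        IFS=,
        for opt in $opts; do
            case "$opt" in
                hidepid=*) level=${opt#hidepid=} ;;
            esac
        done
        IFS=$old_ifs
    done <<EOF
$1
EOF
    if [ "$found" = 1 ]; then
        printf '%s\n' "$level"
    else
        printf 'unmounted\n'
    fi
}

# describe_level: map a numeric hidepid level to what an unprivileged user sees.
describe_level() {
    case "$1" in
        0) printf 'disabled: any user can read every /proc/<pid>\n' ;;
        1) printf 'other users'"'"' /proc/<pid> entries are listed but cannot be read\n' ;;
        2) printf 'other users'"'"' /proc/<pid> entries are not listed at all\n' ;;
        *) printf 'unknown level %s\n' "$1" ;;
    esac
}

# visible_pid_count: number of /proc/<pid> directories readable by the caller.
# With hidepid=2 an unprivileged user should see only their own processes.
visible_pid_count() {
    n=0
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# audit_proc: run the check against the live mount table (Linux only).
# Usage: . ./hidepid-audit.sh; audit_proc
audit_proc() {
    [ -r /proc/mounts ] || { printf 'no /proc/mounts available\n'; return 1; }
    lvl=$(hidepid_level "$(cat /proc/mounts)")
    printf 'hidepid=%s (%s); %s pid directories visible to uid %s\n' \
        "$lvl" "$(describe_level "$lvl")" "$(visible_pid_count)" "$(id -u)"
}

# Constructed sample mount table (not captured from a real host) showing the
# state the post aims for: /proc remounted with hidepid=2.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime,hidepid=2 0 0
sysfs /sys sysfs rw,relatime 0 0'
```

Run audit_proc as the unprivileged user after the reboot: the level should read 2 and the visible pid count should match the user's own processes, as in the ps output below. A level of 2 reported from /etc/fstab alone is not enough; the mount table in /proc/mounts is what the kernel actually applies.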

Sample Output

(psamp@test) (/home/psamp) $ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
psamp     1366  0.0  0.0 108344  1868 pts/0    Ss+  18:51   0:00 -bash
psamp     1415  0.0  0.0 108344  1868 pts/1    Ss   19:29   0:00 -bash
psamp     1477  0.0  0.0 110220  1144 pts/1    R+   20:32   0:00 ps aux

Additional Resources

hidepid Configuration Explanation
