hidepid=2 should be enabled

[trevor-vaughan]

A warning caveat should be placed in EL7 systems that note that setting the gid= option on the /proc mount will necessitate starting mcstransd with the same Group option if it is in use.

Enabling hidepid=2 enhances least privilege protections on the system by ensuring that users can only see the processes for which they are responsible.

See proc(5) for additional details.

[trevor-vaughan]

Additional information: This appears to map cleanly into AC-3 and AC-6 from NIST 800-53.

[shawndwells]

Since you've had this enabled in SIMP for awhile... any tips on how life changed post-enablement?

Meaning the new requirements (e.g. OSPP) leave it up to the operating system vendors to decide what settings would be a good idea. Would this be akin to enabling SELinux in RHEL5 and telling everyone good luck? Or in your opinion has it matured enough?

(many Red Hatters may be biased... really interested in your thoughts!)

[trevor-vaughan]

@shawndwells Honestly, it's worked very well and does exactly what it says. In terms of least privilege, it has been VERY effective in preventing users from seeing other user's processes (excepting root by default of course) which leads to overall decreased enumeration capabilities from non-privileged accounts.

The biggest issue is that the way systemd works with hidepid groups is currently broken as referenced in the original ticket and, unfortunately, my support request to have it modified was rejected, so that's something that the vendor(s) will have to figure out. That said, this is not a failing of the feature, but a failing of systemd.

The capability itself has been mature for years and does exactly what it says. Obviously, it may not work for everyone, but it's up to them to figure out whether the user separation capabilities outweighs whatever random thing is trying to see other people's processes.

That said, there is nothing in the current SSG that fails to function with this feature enabled from what I have experienced nor have I seen issues with any of the standard set of software during testing to include docker, IPA, openshift, etc...

[trevor-vaughan]

@jan-cerny What's unclear about this?