If you are using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) you can hide process from other users. Only root can see all process and user only see their own process. All you have to do is remount the /proc filesystem with the Linux kernel hardening hidepid option. This hides process from all other commands such as ps, top, htop, pgrep and more.
|Requirements||Linux kernel v3.2+|
Linux hide processes from other users using hidepid option
This option defines how much info about processes we want to be available for non-owners. The values are as follows:
- hidepid=0 – The old behavior – anybody may read all world-readable /proc/PID/* files (default).
- hidepid=1 – It means users may not access any /proc/<pid>/ directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users.
- hidepid=2 It means hidepid=1 plus all /proc/PID/ will be invisible to other users. It compicates intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
Linux kernel protection: Hiding processes from other users
Type the following mount command:
# mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
Edit /etc/fstab using a text editor such as nano command/vim command, enter:
# vi /etc/fstab
Update/append/modify proc entry as follows so that protection get enabled automatically at server boot-time:
## append the following line ## proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0
Save and close the file. Where security mount options are as follows:
- nosuid : Do not allow set-user-ID or set-group-ID bits to take effect.
- nodev : Do not interpret character or block special devices on the file system.
- noexec : Do not permit direct execution of any binaries on the mounted filesystem.
- hidepid: Option defines how much info about processes hidden.
Linux demo: Prevent users from seeing processes that do not belong to them
In this example, I’m login as vivek@cbz-test:
$ ssh vivek@cbz-test
$ ps -ef
$ sudo -s
# mount -o remount,rw,hidepid=2 /proc
$ ps -ef
Tip: Dealing with apps that breaks when you implement this technique
You need to use gid=VALUE_HERE option:
gid=XXX defines a group that will be able to gather all processes’ info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.
So add the user called monapp to group (say admin) that want to see process information and mount /proc as follows in /etc/fstab:
proc /proc proc defaults,hidepid=2,gid=admin 0 0
Now you know how to hide Linux processes from other users and commands like ps, top, htop and others. For more information see the following URLs:
|Category||List of Unix and Linux commands|
|Firewall||CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|