Hardening Linux /proc with hidepid

2025-01-05

On FreeBSD there is a sysctl, security.bsd.see_other_uids, that limits which processes a user can see, which makes it harder for an intruder to map out the system. Being a paranoid sysadmin, I of course want the same protection on my own machines.

From proc(5) (man 5 proc), the hidepid mount option controls who can access the information in the /proc/pid directories:

hidepid=n (since Linux 3.3)
      This option controls who can access the information in /proc/pid
      directories. The argument, n, is one of the following values:

      0   Everybody may access all /proc/pid directories. This is the
          traditional behavior, and the default if this mount option is
          not specified.

      1   Users may not access files and subdirectories inside any
          /proc/pid directories but their own (the /proc/pid directories
          themselves remain visible). Sensitive files such as
          /proc/pid/cmdline and /proc/pid/status are now protected
          against other users. This makes it impossible to learn whether
          any user is running a specific program (so long as the program
          doesn’t otherwise reveal itself by its behavior).

      2   As for mode 1, but in addition the /proc/pid directories
          belonging to other users become invisible. This means that
          /proc/pid entries can no longer be used to discover the PIDs
          on the system. This doesn’t hide the fact that a process with
          a specific PID value exists (it can be learned by other means,
          for example, by "kill -0 $PID"), but it hides a process’s UID
          and GID, which could otherwise be learned by employing stat(2)
          on a /proc/pid directory. This greatly complicates an
          attacker’s task of gathering information about running
          processes (e.g., discovering whether some daemon is running
          with elevated privileges, whether another user is running some
          sensitive program, whether other users are running any program
          at all, and so on).

To try the option at run time without rebooting, remount /proc with the following command. (On kernels before 5.8 the hidepid setting lived in the PID namespace, so a remount changed every /proc mount in that namespace; since 5.8 the option is per mount instance.)

mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc

After remounting, verify as an unprivileged user that htop (or ps aux) lists only your own processes; root is unaffected and still sees everything.

As the manual page notes, a process's existence still leaks: kill -0 $PID fails with EPERM rather than ESRCH when the PID belongs to someone else, /sys/fs/cgroup and its cgroup.procs files remain world-readable, and systemctl status still lists a unit's processes because PID 1 gathers that information on the caller's behalf. What hidepid=2 removes is the easy path from a PID to its owner, command line and status. If a service legitimately needs the full view, the same man page offers the gid= option: members of that group see /proc as if it were mounted with hidepid=0.
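The checks above, as an added example that is not part of the original post: a small POSIX shell script that reads the hidepid mode (and any gid= exemption) from /proc/mounts, counts how many other users' /proc/<pid> directories are still visible, and counts live PIDs with the kill -0 probe the man page mentions. It assumes a Linux /proc and a stat(1) that supports -c (GNU coreutils or busybox); the symbolic hidepid names it accepts (off, noaccess, invisible, ptraceable) are the ones the kernel accepts since 5.8, and the probe range of 1024 PIDs is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective hidepid
# setting and measure what an unprivileged user can and cannot still observe.
# Assumes a Linux /proc and a stat(1) that supports -c (GNU or busybox).
set -eu

# Value of option NAME in a comma-separated mount-option string, or DEFAULT.
mount_opt() {
    opts=$1; name=$2; default=$3
    value=$default
    old_ifs=$IFS; IFS=,; set -- $opts; IFS=$old_ifs
    for opt in "$@"; do
        case $opt in
            "$name"=*) value=${opt#*=} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Numeric hidepid mode. Since Linux 5.8 the kernel also accepts symbolic names
# (off, noaccess, invisible, ptraceable); an absent option means 0.
hidepid_of() {
    case $(mount_opt "$1" hidepid 0) in
        0|off)        echo 0 ;;
        1|noaccess)   echo 1 ;;
        2|invisible)  echo 2 ;;
        4|ptraceable) echo 4 ;;
        *)            echo unknown ;;
    esac
}

# Option string of the /proc mount as the kernel reports it (last entry wins).
proc_mount_opts() {
    awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }' /proc/mounts
}

# /proc/<pid> directories owned by other users. Under hidepid=2 an
# unprivileged caller should get 0 here; root still sees everything.
foreign_proc_dirs() {
    me=$(id -u); n=0
    for d in /proc/[0-9]*; do
        owner=$(stat -c %u "$d" 2>/dev/null) || continue
        [ "$owner" = "$me" ] || n=$((n + 1))
    done
    echo "$n"
}

# PID existence is still observable through kill -0: ESRCH ("No such
# process") means absent; success or EPERM means a process is there.
pid_exists() {
    msg=$(LC_ALL=C kill -0 "$1" 2>&1) && return 0
    case $msg in
        *"No such process"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Count live PIDs in 1..N by probing with kill -0, the leak the man page mentions.
live_pids_below() {
    n=0; pid=1
    while [ "$pid" -le "$1" ]; do
        if pid_exists "$pid"; then n=$((n + 1)); fi
        pid=$((pid + 1))
    done
    echo "$n"
}

main() {
    opts=$(proc_mount_opts)
    printf '/proc options      : %s\n' "$opts"
    printf 'hidepid mode       : %s (exempt gid: %s)\n' \
        "$(hidepid_of "$opts")" "$(mount_opt "$opts" gid none)"
    printf 'foreign /proc dirs : %s\n' "$(foreign_proc_dirs)"
    printf 'live PIDs in 1..%s : %s (via kill -0, unaffected by hidepid)\n' \
        1024 "$(live_pids_below 1024)"
}

main
```

Run it as an unprivileged user before and after the remount: the reported mode and the foreign-directory count change, while the kill -0 count stays the same, which is exactly the residual leak the man page describes.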

To make the change persistent, append the following line to /etc/fstab. On systemd-based distributions, systemd-remount-fs.service applies the fstab options to the kernel API filesystems early at boot, so this entry is honoured even though /proc is mounted long before fstab is normally processed:

# Protect visibility against others
proc    /proc    proc    defaults,nosuid,nodev,noexec,relatime,hidepid=2     0     0
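For a real deployment a practitioner usually needs the gid= exemption from the same man page, because hidepid=2 also blinds unprivileged system services that legitimately inspect other users' processes; on systemd machines, systemd-logind is the usual casualty. The following script is an added example, not part of the original post: it writes the fstab entry (the line above plus gid=) and a drop-in that adds systemd-logind to the exempt group, and can apply both to the live system. The group name "proc", the drop-in file name hidepid.conf and the HIDEPID_APPLY/HIDEPID_GROUP variables are this example's own choices; it assumes GNU groupadd and getent.

```shell
#!/bin/sh
# Added example (not from the original post): deploy hidepid=2 with a gid=
# exemption group. Assumptions: the exempt group is named "proc" (any name
# works) and systemd-logind is the service that needs the full /proc view.
set -eu

# The fstab entry from the post, plus gid=<numeric gid> for the exempt group.
hidepid_fstab_line() {
    gid=$1
    printf 'proc\t/proc\tproc\tdefaults,nosuid,nodev,noexec,relatime,hidepid=2,gid=%s\t0\t0\n' "$gid"
}

# Drop-in that puts systemd-logind into the exempt group.
logind_dropin() {
    group=$1
    printf '[Service]\nSupplementaryGroups=%s\n' "$group"
}

# Write both pieces under ROOT (a scratch directory to preview, / to deploy).
# Any existing /proc line in fstab is replaced so the entry is not duplicated.
write_hidepid_config() {
    root=$1; group=$2; gid=$3
    mkdir -p "$root/etc/systemd/system/systemd-logind.service.d"
    logind_dropin "$group" > "$root/etc/systemd/system/systemd-logind.service.d/hidepid.conf"
    fstab=$root/etc/fstab
    [ -f "$fstab" ] || : > "$fstab"
    grep -v '^[^#]*[[:space:]]/proc[[:space:]]' "$fstab" > "$fstab.new" || true
    hidepid_fstab_line "$gid" >> "$fstab.new"
    mv "$fstab.new" "$fstab"
}

# Live deployment (root only): create the group, write the config, let systemd
# pick up the drop-in, then remount with the same options as the fstab line.
apply_hidepid() {
    group=$1
    getent group "$group" >/dev/null || groupadd --system "$group"
    gid=$(getent group "$group" | cut -d: -f3)
    write_hidepid_config / "$group" "$gid"
    systemctl daemon-reload
    systemctl restart systemd-logind.service
    mount -o "remount,rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=$gid" /proc
}

# Only touch the live system when explicitly asked; otherwise the functions
# above can be used to preview the files under a scratch directory.
if [ "${HIDEPID_APPLY:-0}" = 1 ]; then
    apply_hidepid "${HIDEPID_GROUP:-proc}"
fi
```

Run `HIDEPID_APPLY=1 sh hidepid-deploy.sh` as root to apply; afterwards htop as a member of the proc group (or as systemd-logind) sees every process, while every other unprivileged user sees only their own.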