
Commit a8e3499

alegrey91 and rndmh3ro authored
Mount proc filesystem using hidepid option (#283)
* Added task to mount proc fs using hidepid option

  Signed-off-by: alessio <[email protected]>
  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Removed mount shell command due to ci problem

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Added task to create mount point before to add fstab entry

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Added check to ensure fstab exist

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Modified task title

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Fixed typo

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Fixed typo

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Fixed wrong indented lines

  Signed-off-by: alegrey91 <[email protected]>
  Signed-off-by: alessio <[email protected]>

* Removed useless tasks and improved variables use

  Signed-off-by: alessio <[email protected]>

* removed ansible test tag

  Signed-off-by: alessio <[email protected]>

* removed trailing whitespace

  Signed-off-by: alessio <[email protected]>

* updated documentation

  Signed-off-by: alessio <[email protected]>

* fixed typo

  Signed-off-by: alessio <[email protected]>

* Update README.md

* Update vars/main.yml

Co-authored-by: Sebastian Gumprich <[email protected]>
1 parent 476f2ec commit a8e3499


3 files changed

+13
-0
lines changed


README.md

Lines changed: 2 additions & 0 deletions
@@ -80,6 +80,8 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
8080
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
8181
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
8282
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
83+
| `hidepid_option` | `2` | `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. |
84+
| `proc_mnt_options` | `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` | Mount proc with hardenized options, including `hidepid` with variable value. |
8385

8486
## Packages
8587
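Review bot: the new `hidepid_option` row has wording errors that every user of the role will read: "an normal user" should be "a normal user", "only able too see" should be "only able to see", and "hardenized options" in the `proc_mnt_options` row should be "hardened options". The `0` entry says "This is the default setting", which is the kernel's default rather than the role's (the role defaults to `2`); writing "kernel default" avoids confusing the two. Since `hidepid=2` also hides other users' processes from unprivileged monitoring or backup agents, one sentence pointing out that procfs accepts a `gid=` option to exempt a group would tell operators what to add to `proc_mnt_options` when such a tool stops seeing processes.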

tasks/minimize_access.yml

Lines changed: 8 additions & 0 deletions
@@ -48,3 +48,11 @@
4848
group: 'root'
4949
mode: '0750'
5050
when: '"change_user" not in os_security_users_allow'
51+
52+
- name: set option hidepid for proc filesystem
53+
mount:
54+
path: /proc
55+
src: proc
56+
fstype: proc
57+
opts: '{{ proc_mnt_options }}'
58+
state: present
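Review bot: `state: present` only writes the `/proc` line to `/etc/fstab`; it does not remount, so `hidepid` takes no effect until the next reboot (the commit message says the shell `mount` call was dropped for a CI problem, which is what leaves this gap). Consider `state: mounted`, which remounts when the options change, or a handler using `state: remounted` notified by this task, so the hardening applies during the run and `/proc/mounts` reflects it afterwards. The task also carries no `when:` guard, unlike the preceding task in this file, so it cannot be skipped on hosts where hiding processes breaks tooling; a boolean in the style of `os_auditd_enabled` from the README (name assumed) would fit the role's existing pattern.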

vars/main.yml

Lines changed: 3 additions & 0 deletions
@@ -109,3 +109,6 @@ os_security_suid_sgid_system_whitelist:
109109

110110
# system accounts that do not get their login disabled and pasword changed
111111
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']
112+
113+
hidepid_option: '2' # allowed values: 0, 1, 2
114+
proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
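Review bot: `hidepid_option` and `proc_mnt_options` break the naming convention of this file, where role variables carry the `os_` prefix (`os_security_suid_sgid_system_whitelist`, `os_always_ignore_users`); prefixing them avoids collisions with other roles' variables and keeps the README table consistent with `os_auditd_enabled`. The comment `# allowed values: 0, 1, 2` is the only guard: nothing validates the value, and because `hidepid_option` is interpolated verbatim into the mount options, a typo lands in `/etc/fstab` as an option that mount will reject. An `assert` task before the mount task, for example `that: hidepid_option | string in ['0', '1', '2']`, would catch that at play time rather than at the next boot.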
