On Sunday, January 22, 2017 6:31:43 PM EST Shawn Wells wrote:
> On 1/21/17 4:16 PM, Trevor Vaughan wrote:
> > While that's a good point, you could say the same thing for a few of
> > the options in here.
> >
> > IPTables, SELinux, etc...
> >
> > They *all* say: "do this but turn it off if it doesn't work for you".
> >
> > In the hidepid case, you can add the gid= option to allow monitoring
> > systems access to the proc table which has worked around all issues
> > that I've seen so far.
> >
> > If you decide to do this on EL7, be aware that you'll need to start
> > mcstransd (if you're using it) with the group that you specify in the
> > gid= option.
> >
> > If you have specific cases where the risk of arbitrary user process
> > enumeration outweighs the benefits, I would be most interested to hear
> > them. Fundamentally, this is antithetical to the container approach to
> > the world that is being pushed by so many.
> >
> > I have seen some issues with poorly written software and have filed
> > bugs with those vendors since they are asking for privileges which
> > they do not require.
> >
> > Thanks,
>
> We can add it to the catalog, allowing people to enable it in tailored
> profiles.
There is a good chance that this breaks existing functionality. Anything that
walks the /proc/<pid> listing could have problems, including openscap. I did
recommend some sysctls privately that can help with the worst problems in
/proc, which is the possibility of working out ASLR addresses. Maybe that is
enough for most people?

-Steve
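As an added illustration of the hidepid/gid= configuration the thread discusses (this is not code from the thread or from the SCAP Security Guide project), the script below reads /proc/mounts-style text and reports whether /proc is mounted with hidepid=2 and whether a gid= group is present so monitoring tools keep access. The three mount lines and the group id 1001 are constructed sample values, not captured from a real host; the fstab line in the comment is the shape such an entry takes, with the gid chosen per site.

```shell
#!/bin/sh
# Added example: audit the /proc mount for hidepid=2 and a gid= exception group.
# A corresponding /etc/fstab entry would look like (gid is site-specific):
#   proc  /proc  proc  defaults,hidepid=2,gid=1001  0 0

# Constructed sample /proc/mounts contents covering three states of /proc.
MOUNTS_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0'
MOUNTS_NO_GID='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
MOUNTS_DEFAULT='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Print the mount-options field of the /proc entry from the mounts text in $1.
proc_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4; exit }'
}

# Evaluate a comma-separated options string ($1).
# Returns 0: hidepid=2 with a gid= group (monitoring group keeps visibility)
#         1: hidepid=2 not set (any user can enumerate every process)
#         2: hidepid=2 set but no gid= (tools that walk /proc/<pid> will break)
check_hidepid() {
    opts=",$1,"
    case "$opts" in
        *,hidepid=2,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *,gid=[0-9]*,*) return 0 ;;
        *) return 2 ;;
    esac
}

# Print a human-readable verdict for mounts text $1, labelled $2.
report() {
    rc=0
    check_hidepid "$(proc_mount_opts "$1")" || rc=$?
    case "$rc" in
        0) printf '%s: OK, hidepid=2 with a gid= monitoring group\n' "$2" ;;
        1) printf '%s: hidepid not enforced; all users can list every pid\n' "$2" ;;
        2) printf '%s: hidepid=2 but no gid=; monitoring tools will lose access\n' "$2" ;;
    esac
}

# Check the running system by feeding it the real /proc/mounts.
check_live() {
    check_hidepid "$(proc_mount_opts "$(cat /proc/mounts)")"
}

report "$MOUNTS_HARDENED" hardened
report "$MOUNTS_NO_GID" no-gid
report "$MOUNTS_DEFAULT" default
```

Run it as-is to see the three verdicts on the constructed samples, or call `check_live` and branch on its exit status to audit a real host; a return of 2 is the case Trevor and Steve are trading notes about, where the mount option is set but no group has been carved out for the monitoring daemons.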