I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
Hello Trevor,
this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap- security-guide@lists.fedorahosted.org
Hi Matus,
The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
Note: I've also not seen any issues with DBus operations in with this enabled but maybe I wasn't trying the right operations. Granted, I can't manage other people's processes but that's...good, right?
Trevor
On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka mmarhefk@redhat.com wrote:
Hello Trevor,
this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
As some related info, I was curious and this feature was added in 2011 with specific security-relevant justification.
http://www.openwall.com/lists/kernel-hardening/2011/11/15/3
The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".
Trevor
On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Hi Matus,
The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
Note: I've also not seen any issues with DBus operations in with this enabled but maybe I wasn't trying the right operations. Granted, I can't manage other people's processes but that's...good, right?
Trevor
On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka mmarhefk@redhat.com wrote:
Hello Trevor,
this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
You are mentioning the original ticket with the systemd and hidepid groups issue in the https://github.com/ComplianceAsCode/content/issues/1648 Can you provide a link to that?
Thanks, Matus
On Wed, Sep 5, 2018 at 4:59 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
As some related info, I was curious and this feature was added in 2011 with specific security-relevant justification.
http://www.openwall.com/lists/kernel-hardening/2011/11/15/3
The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".
Trevor
On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Hi Matus,
The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
Note: I've also not seen any issues with DBus operations in with this enabled but maybe I wasn't trying the right operations. Granted, I can't manage other people's processes but that's...good, right?
Trevor
On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka mmarhefk@redhat.com wrote:
Hello Trevor,
this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/ index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap- security-guide@lists.fedorahosted.org
scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap- security-guide@lists.fedorahosted.org
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap- security-guide@lists.fedorahosted.org
On Wednesday, September 5, 2018 10:59:42 AM EDT Trevor Vaughan wrote:
As some related info, I was curious and this feature was added in 2011 with specific security-relevant justification.
http://www.openwall.com/lists/kernel-hardening/2011/11/15/3
The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".
Note that even hidepid=1 is enough to cause problems.
Sep 7 08:22:17 NetworkManager[1034]: <warn> [1536322937.2986] error requesting auth for org.freedesktop.NetworkManager.network-control: Authorization check failed: Failed to open file “/proc/2332/status”: Operation not permitted Sep 7 08:22:17 NetworkManager[1034]: <info> [1536322937.2988] audit: op="connection-activate" uuid="f281b867-85e1-4979-8adf-ad9fac216a7c" pid=2332 uid=4325 result="fail" reason="Not authorized to control networking."
Sep 7 08:26:38 gnome-session[1665]: gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login. Sep 7 08:26:38 gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login.
Agree that having multiple groups might help. But that does not exist and I don't think its planned.
-Steve
On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan tvaughan@onyxpoint.com
wrote:
Hi Matus,
The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
Note: I've also not seen any issues with DBus operations in with this enabled but maybe I wasn't trying the right operations. Granted, I can't manage other people's processes but that's...good, right?
Trevor
On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka mmarhefk@redhat.com
wrote:
Hello Trevor,
this feature would be nice to have and it can be definitely implemented in SSG. I would suggest to have a rule for it but I would not include it into any profile by default as this option currently causes issues with other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we can provide a possibility for users to include it into their profiles using tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan tvaughan@onyxpoint.com
wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648 suggesting that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. fedorahosted.org>>
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.f edorahosted.org>
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
IIRC, the current guide says not to configure a GUI unless necessary.
So, if you don't need a GUI (most servers), then hidepid=2. If you do need a GUI, then note that some things might not work unless hidepid is set to 0 and here's the security risk that you are accepting.
Users shouldn't be messing with the network in locked down systems in general either.
Thanks,
Trevor
On Fri, Sep 7, 2018 at 10:14 AM Steve Grubb sgrubb@redhat.com wrote:
On Wednesday, September 5, 2018 10:59:42 AM EDT Trevor Vaughan wrote:
As some related info, I was curious and this feature was added in 2011
with
specific security-relevant justification.
http://www.openwall.com/lists/kernel-hardening/2011/11/15/3
The biggest issue that I know of (that would probably solve a lot of the issues referenced) is the ability to allow multiple groups access to the information. If this were added, everything should be able to very easily "just work".
Note that even hidepid=1 is enough to cause problems.
Sep 7 08:22:17 NetworkManager[1034]: <warn> [1536322937.2986] error requesting auth for org.freedesktop.NetworkManager.network-control: Authorization check failed: Failed to open file “/proc/2332/status”: Operation not permitted Sep 7 08:22:17 NetworkManager[1034]: <info> [1536322937.2988] audit: op="connection-activate" uuid="f281b867-85e1-4979-8adf-ad9fac216a7c" pid=2332 uid=4325 result="fail" reason="Not authorized to control networking."
Sep 7 08:26:38 gnome-session[1665]: gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login. Sep 7 08:26:38 gnome-session-binary[1665]: WARNING: Could not get session path for session. Check that logind is properly installed and pam_systemd is getting used at login.
Agree that having multiple groups might help. But that does not exist and I don't think its planned.
-Steve
On Wed, Sep 5, 2018 at 10:52 AM Trevor Vaughan tvaughan@onyxpoint.com
wrote:
Hi Matus,
The workaround for X seems reasonable (and honestly, I haven't seen any issues with X when running in this mode).
The systemd problems are problems with systemd and need to be fixed. I shouldn't have to disable security mechanisms because of systemd.
Note: I've also not seen any issues with DBus operations in with this enabled but maybe I wasn't trying the right operations. Granted, I
can't
manage other people's processes but that's...good, right?
Trevor
On Wed, Sep 5, 2018 at 5:01 AM Matus Marhefka mmarhefk@redhat.com
wrote:
Hello Trevor,
this feature would be nice to have and it can be definitely
implemented
in SSG. I would suggest to have a rule for it but I would not include
it
into any profile by default as this option currently causes issues
with
other components (see https://wiki.archlinux.org/index.php/security#hidepid). This way we
can
provide a possibility for users to include it into their profiles
using
tailoring if they really want to.
Regards, Matus Marhefka
On Tue, Sep 4, 2018 at 4:41 PM, Trevor Vaughan <
tvaughan@onyxpoint.com>
wrote:
I've had this feature request open for a while at https://github.com/OpenSCAP/scap-security-guide/issues/1648
suggesting
that hidepid=2 be added to /proc to help meet the AC-3 and AC-6 controls.
As we approach EL8 (I think), I'd like to have this discussion since this capability has shown to be valuable in a practical way on multi-user systems.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information
--
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.
fedorahosted.org>>
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.f
edorahosted.org>
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide@lists.fedorahosted.org
-
Matus Marhefka -
Steve Grubb -
Trevor Vaughan