{"description": "The <tt>hidepid</tt> mount option is applicable to <tt>/proc</tt> and is used to\ncontrol who can access the information in <tt>/proc/[pid]</tt> directories.\nThe option can have one of the following values:\n<pre>\n0: Everybody may access all /proc/[pid] directories.\n1: Users may not access files and subdirectories inside any /proc/[pid] directories\n   but their own. The /proc/[pid] directories themselves remain visible.\n2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other\n   users become invisible.\n</pre>\nFor example, if you choose the value 2:\nAdd the <code>hidepid=2</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/proc</code>.", "rationale": "Users should not be able to see and access directories within /proc, which are not\nrelated to their own processes in a system. Otherwise, sensitive information from\nother users could be seem.", "severity": "low", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"/proc\" file system does not have the \"hidepid=value\" option set", "ocil": "Verify the <tt>hidepid=value</tt> option is configured for the <tt>/proc</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/proc\\s'</pre>\n    <pre>. . . /proc . . . hidepid=value . . .</pre>\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"functionality": "Hiding the <tt>pid</tt> of processes may lead to problems with <tt>PolicyKit</tt> and <tt>D-Bus</tt>,\nit may also convey a false sense of security."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add hidepid Option to /proc", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_proc_hidepid/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/proc", "mountoption": "hidepid", "mountoption_arg_var": "var_mount_option_proc_hidepid", "mount_has_to_exist": "false", "filesystem": "proc", "type": "proc"}, "backends": {"anaconda": "off"}}}