Process hiding: hidepid capabilities of procfs

Five years ago I wrote about kernel based process hiding in Linux (see articles Simple process hiding kernel patch, Process hiding Kernel patch for 2.6.24.x, RSBAC – Kernel based process hiding). It got time to continue the story and finally present you a real solution without the hassle of a self-compiled kernel.

How can I prevent users from seeing processes that do not belong to them?

In January 2012, Vasiliy Kulikov came up with a kernel patch that solved the problem nicely by adding a hidepid mount option for procfs. The patch landed in Linux kernel 3.3.

In the meantime, this patch luckily also landed in the 3.2 kernel of Debian Wheezy (see backport request in Debian bug report #669028). This feature has been also pushed back into the kernel of Red Hat Enterprise Linux 6.3 (see RHEL 6.3 Release Notes), and from there to CentOS 6.3 and Scientific Linux 6.3. Recently, this feature was even backported to the 2.6.18 kernel in RHEL 5.9.

As Proxmox VE currently runs on a RHEL based 2.6.32 kernel, it’s also supported in my favorite OpenVZ/KVM virtualization platform. Great!

Read More

Process hiding Kernel patch for 2.6.24.x

Currently all Linux kernel security patch projects seem to be sleeping. There is no useful kernel patch that provides us with a decent patch set allowing us to strengthen the Linux kernel. Some years ago I was using Grsecurity, a wonderful solution to enforce security on 2.4.x kernels at that time. The project seems to be pretty dead by now.

During the last months I was using RSBAC, a great set of security enhancements to the 2.6.x kernels. RSBAC seems to be a great project and I like the way they provide pre-patched vanilla kernels. But again, reaction time is way too slow. Root exploits for Linux kernels seem to appear all the time and force a server administrator to react fast. The lately published vmsplice root exploit made me give up on RSBAC as it’s just always a step behind. I decided to switch back to self compiled vanilla kernels from kernel.org.

Read More

RSBAC – Kernel based process hiding

A webserver usually is the primary target to intrude into any network. If you provide web hosting services for your customers you have to provide them with a lot of features to make them happy. The main requirement for any hosting provider is PHP, probably the widest spread web scripting language out there.

Some customers only start to get happy if you give them PHP without any safe_mode restrictions, if you provide them with custom CGI scripting next to the basic good old SSI features (which in my eyes no one really needs since we got PHP) by Apache HTTP Server, if you give them FTP access and let them manage their account by themselves.

Rule Set Based Access ControlIn every feature there is always a hidden security risk. We cannot give all this to our customers without thinking about security and its consequences if a user gets hold of data which does not belong to himself or even breaks into the whole system. So, let’s start at the basics: No customer should be able to see any other running processes on the system except the ones that belong to himself. We want to hide all processes that the given customer is not allowed to see. That’s process hiding. And because on a Linux box it’s always smart to implement something from bottom up, we name it kernel based.

There is no simple solution for this problem. Some rootkits simply overwrite the ‚ps‘ command. But we want something more trustworthy, somehow deeper anchored in the system (got that?). The only kernel patch I found was the one from RSBAC.org (Rule Set Based Access Control), a full blown kernel security patch. The only feature we actually need is „CAP process hiding“.

Read More

css.php