====== Linux Hardening Guide - hidepid ======

**/proc** is a pseudo-filesystem that contains information about all processes currently running on the system.

  * By default, this is accessible to all users, which can allow an attacker to spy on other processes.
  * To permit users to only see their own processes and not those of other users, you must mount /proc with the **hidepid=2,gid=proc** mount options.
  * **gid=proc** exempts the proc group from this feature so you can whitelist specific users or processes.
  * One way to add these mount options is to edit **/etc/fstab** and add:

<code>
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
</code>

**systemd-logind** still needs to see other users' processes, so for user sessions to work correctly on a systemd system, you must create **/etc/systemd/system/systemd-logind.service.d/hidepid.conf** and add:

<code>
[Service]
SupplementaryGroups=proc
</code>

----