While skimming the Linux kernel changelog I noticed that an option called hidepid had been added. Commands such as ps and top let you see other users' process names and other details quite freely through procfs (/proc); hidepid is a mechanism inside procfs itself for restricting that visibility.
This entry was written with reference to the following:
- hidepid capabilities of procfs
- Hide process information for other users
- procのhidepidオプション - Linuxの備忘録とか・・・ (proc's hidepid option, from the blog "Linux notes and such")
Environment
- Vagrant
- 2.6.32-279.el6.x86_64
- Scientific Linux release 6.3 (Carbon)
Below are the results of a rough verification in that environment.
Enabling hidepid=1
sudo mount -oremount,hidepid=1 proc
[vagrant@local ~]$ ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
vagrant  11877  0.1  0.1 108296  1924 pts/1    Ss   14:56   0:00 -bash
vagrant  11937  0.0  0.1 110188  1064 pts/1    R+   14:58   0:00  \_ ps auxf
vagrant   2492  0.0  0.1 108296  1904 pts/0    Ss+  12:30   0:00 -bash
Processes belonging to users other than vagrant (uid:500, gid:500) are no longer visible in ps output.
/proc/
[vagrant@local ~]$ ls -hal /proc
total 4.0K
dr-xr-xr-x  105 root    root       0 Oct  7 15:18 .
dr-xr-xr-x   23 root    root    4.0K Oct  7 15:18 ..
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 10
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1009
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1028
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 11
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1106
dr-xr-xr-x.   7 postfix postfix    0 Oct 10 14:57 1114
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1116
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1129
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1131
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1133
dr-xr-xr-x.   7 root    root       0 Oct 10 14:57 1135
[vagrant@local ~]$ ls -hal /proc/1
ls: cannot open directory /proc/1: Operation not permitted
Enabling hidepid=2
sudo mount -oremount,hidepid=2 proc
[vagrant@local ~]$ ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
vagrant  11877  0.1  0.1 108296  1924 pts/1    Ss   14:56   0:00 -bash
vagrant  11942  0.0  0.1 110188  1056 pts/1    R+   15:00   0:00  \_ ps auxf
vagrant   2492  0.0  0.1 108296  1904 pts/0    Ss+  12:30   0:00 -bash
As with hidepid=1, processes of users other than vagrant (uid:500, gid:500) cannot be viewed; the difference is in the /proc listing below, where the other users' PID directories no longer appear at all.
/proc/
[vagrant@local ~]$ ls -hal /proc/
total 4.0K
dr-xr-xr-x  105 root    root       0 Oct  7 15:18 .
dr-xr-xr-x   23 root    root    4.0K Oct  7 15:18 ..
dr-xr-xr-x.   7 vagrant vagrant    0 Oct 10 15:00 11877
dr-xr-xr-x.   7 vagrant vagrant    0 Oct 10 15:01 11948
dr-xr-xr-x.   7 vagrant vagrant    0 Oct 10 15:00 2492
Adding the gid option
Adding the gid option lifts the restriction for users who belong to the specified gid (they can see everything).
sudo mount -oremount,hidepid=2,gid=500 proc
[vagrant@local ~]$ ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    12:27   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [migration/0]
root         4  0.0  0.0      0     0 ?        S    12:27   0:04  \_ [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [migration/0]
root         6  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [migration/1]
root         8  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [migration/1]
root         9  0.0  0.0      0     0 ?        S    12:27   0:04  \_ [ksoftirqd/1]
root        10  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [watchdog/1]
root        11  0.0  0.0      0     0 ?        S    12:27   0:02  \_ [events/0]
root        12  0.0  0.0      0     0 ?        S    12:27   0:05  \_ [events/1]
root        13  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [cgroup]
root        14  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [khelper]
root        15  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [netns]
root        16  0.0  0.0      0     0 ?        S    12:27   0:00  \_ [async/mgr]
...
For monitoring agents such as Nagios or Zabbix (which I don't know well) and resource-monitoring processes such as munin, a good approach is to assign a dedicated gid and set it in the gid option, so that only those processes keep full visibility of /proc.
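A remount does not survive a reboot, so the setting is usually also put in /etc/fstab and then verified from the live mount table. The following is an added example, not from the original post: it parses /proc/mounts-style lines for the proc entry and reports the hidepid and gid values, so a configuration check or audit script can confirm the option is actually in effect. The sample mount lines are constructed; parse_hidepid, is_hardened and check_live are names chosen here.

```shell
#!/bin/sh
# Report the hidepid and gid options of the proc mount from mount-table
# lines on stdin (the real source is /proc/mounts). Prints
# "hidepid=<value> gid=<value>"; hidepid defaults to 0 and gid to "none"
# when the option is absent. Newer kernels also accept symbolic values
# such as hidepid=invisible; those are printed as-is.
parse_hidepid() {
    awk '$3 == "proc" {
        n = split($4, opts, ",");
        hp = 0; g = "none";
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); hp = opts[i] }
            else if (opts[i] ~ /^gid=/) { sub(/^gid=/, "", opts[i]); g = opts[i] }
        }
        print "hidepid=" hp " gid=" g
    }'
}

# Exit 0 when proc is mounted with hidepid enabled (anything other than
# 0/off), exit 1 when it is disabled or no proc entry is present.
is_hardened() {
    case "$(parse_hidepid)" in
        "") return 1 ;;
        "hidepid=0 "*|"hidepid=off "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample mount-table lines, as /proc/mounts would show them
# before and after the remount described above.
SAMPLE_DEFAULT='proc /proc proc rw,relatime 0 0'
SAMPLE_HARDENED='proc /proc proc rw,relatime,hidepid=2,gid=500 0 0'

# Persisting the setting across reboots: the matching /etc/fstab line is
#   proc  /proc  proc  defaults,hidepid=2,gid=500  0  0

# Check the running system's mount table.
check_live() {
    parse_hidepid < /proc/mounts
}
```

Running check_live on the box from this post after the last remount prints "hidepid=2 gid=500".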
Thoughts
The grsecurity patch already provided similar functionality, but being able to use it without patching the kernel makes it much easier to adopt.