The proc filesystem is a pseudo-filesystem which provides an interface to kernel data structures. It is commonly mounted at /proc. Most of it is read-only, but some files allow kernel variables to be changed.
The proc filesystem supports the following mount options:
hidepid=n (since Linux 3.3)
This option controls who can access the information in /proc/[pid] directories. The argument, n, is one of the following values:
0 Everybody may access all /proc/[pid] directories. This is the traditional behavior, and the default if this mount option is not specified. 1 Users may not access files and subdirectories inside any /proc/[pid] directories but their own (the /proc/[pid] directories themselves remain visible). Sensitive files such as /proc/[pid]/cmdline and /proc/[pid]/status are now protected against other users. This makes it impossible to learn whether any user is running a specific program (so long as the program doesn't otherwise reveal itself by its behaviour). 2 As for mode 1, but in addition the /proc/[pid] directories belonging to other users become invisible. This means that /proc/[pid] entries can no longer be used to discover the PIDs on the system. This doesn't hide the fact that a process with a specific PID value exists (it can be learned by other means, for example, by "kill -0 $PID"), but it hides a process's UID and GID, which could otherwise, be learned by employing stat(2) on a /proc/[pid] directory. This greatly complicates an attacker's task of gathering information about running processes (e.g., discovering whether some daemon is running with elevated privileges, whether another user is running some sensitive program, whether other users are running any program at all, and so on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorised to learn process information otherwise prohibited by hidepid (i.e., users in this group behave as though /proc was mounted with hidepid=0). This group should be used instead of approaches such as putting nonroot users into the sudoers(5) file.
Remounting proc with hidepid option:
mount -o remount,hidepid=2 /proc
root@ns:~# mount -o remount,hidepid=2 /proc root@ns:~# su - marian marian@ns:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND marian 48399 1.0 0.0 28696 4904 pts/0 S 22:14 0:00 -su marian 48404 0.0 0.0 24584 2620 pts/0 R+ 22:14 0:00 ps aux marian@ns:~$
Also, you can add on fstab to ensure this protection is enabled by default:
echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
– man 5 proc