Add the 'debops.proc_hidepid' role

parent d62b5059
......@@ -947,6 +947,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.preseed/.*'
JANE_LOG_PATTERN: '\[debops\.preseed\]'
'proc_hidepid role':
<<: *test_role_no_deps
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/proc_hidepid.yml'
JANE_INVENTORY_GROUPS: 'debops_service_proc_hidepid'
JANE_DIFF_PATTERN: '.*/debops.proc_hidepid/.*'
JANE_LOG_PATTERN: '\[debops\.proc_hidepid\]'
# --- r --- [[[2
......@@ -40,6 +40,8 @@ Added
- :ref:`debops.machine`: manage the :file:`/etc/machine-info` file,
the :file:`/etc/issue` file and a dynamic MOTD.
- :ref:`debops.proc_hidepid`: configure the ``/proc`` ``hidepid=`` options.
- You can now :ref:`use Vagrant <quick_start__vagrant>` to create an Ansible
Controller based on Debian Stretch and use it to manage itself or other hosts
over the network.
- name: Manage /proc hidepid= configuration
hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
debops.proc_hidepid - Configure /proc hidepid= options
Copyright (C) 2018 Maciej Delmanowski <>
Copyright (C) 2018 DebOps
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.proc_hidepid default variables
# =====================================
# .. envvar:: proc_hidepid__enabled [[[
# Enable or disable support for managing the ``/proc`` ``hidepid=`` option
# using Ansible.
proc_hidepid__enabled: '{{ True
if ((ansible_system_capabilities_enforced|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not ansible_system_capabilities_enforced|bool)
else False }}'
# ]]]
# .. envvar:: proc_hidepid__level [[[
# Specify what level of protection for the ``/proc`` files to configure:
# - ``0``: no protection, files are world-readable
# - ``1``: the ``/proc`` contents are protected using UNIX permissions, file
# owners can access their own files
# - ``2``: the ``/proc`` contents are invisible to non-owners, only ``root``
# and users in the specific UNIX system group can see everything
proc_hidepid__level: '2'
# ]]]
# .. envvar:: proc_hidepid__group [[[
# Name of the UNIX system group which will have unrestricted access to the
# ``/proc`` filesystem.
proc_hidepid__group: 'procadmins'
# ]]]
# .. envvar:: proc_hidepid__gid [[[
# The GID used by the UNIX system group. If not specified, it will be selected
# automatically. It might be best not to change existing GID once set.
proc_hidepid__gid: ''
# ]]]
# ]]]
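Review bot: The `proc_hidepid__enabled` default turns the role off when capabilities are enforced and `cap_sys_admin` is missing, but the comment above it does not say why, which a maintainer will need the first time the role appears to do nothing inside an unprivileged container; a short why-comment would help, e.g. `# Remounting /proc with new options needs CAP_SYS_ADMIN; without it the role disables itself instead of failing` (this is the apparent intent of the condition, confirm against the mount task). The `proc_hidepid__level` description could also state that with level `2` any service that must see other users' processes has to be a member of `proc_hidepid__group`, which is what the local facts described in the README are meant to support. Keeping the values as quoted strings (`'2'`, `''`) avoids YAML implicit typing and should stay that way.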
dependencies: []
author: 'Maciej Delmanowski'
description: 'Configure /proc hidepid= options'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
- name: Ubuntu
- precise
- trusty
- xenial
- name: Debian
- wheezy
- jessie
- stretch
- system
- security
- hidepid
- name: Ensure that UNIX system group with /proc access exists
name: '{{ proc_hidepid__group }}'
gid: '{{ proc_hidepid__gid if proc_hidepid__gid|d() else omit }}'
state: 'present'
system: True
when: proc_hidepid__enabled|bool
- name: Configure /proc with hidepid= option in /etc/fstab
name: '/proc'
src: 'proc'
fstype: 'proc'
opts: 'defaults,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }}'
state: 'mounted'
when: proc_hidepid__enabled|bool
# This is a workaround for Ubuntu bug:
- name: Remount /proc from rc.local when needed
dest: '/etc/rc.local'
regexp: '^mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
line: 'mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
insertbefore: 'exit 0'
state: 'present'
when: (proc_hidepid__enabled|bool and
(ansible_distribution in [ 'Ubuntu' ] and
ansible_distribution_release in [ 'trusty' ]))
- name: Create the systemd-logind configuration directory
path: '/etc/systemd/system/systemd-logind.service.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Ensure that logind is exempt from hidepid
src: 'etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2'
dest: '/etc/systemd/system/systemd-logind.service.d/hidepid.conf'
owner: 'root'
group: 'root'
mode: '0644'
register: proc_hidepid__register_logind
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Reload systemd daemons
command: systemctl daemon-reload
when: proc_hidepid__register_logind|changed
- name: Make sure that Ansible local facts directory exists
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save proc_hidepid local facts
src: 'etc/ansible/facts.d/proc_hidepid.fact.j2'
dest: '/etc/ansible/facts.d/proc_hidepid.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: proc_hidepid__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: proc_hidepid__register_facts|changed
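Review bot: The logind drop-in written by `Ensure that logind is exempt from hidepid` only takes effect once `systemd-logind` is restarted, but the follow-up task just runs `systemctl daemon-reload`, so on a host where `/proc` is remounted with `hidepid=2` in the same run logind keeps running without the supplementary group until its next restart. If restarting logind is deliberately avoided because it can disturb active sessions, that should be stated on the `Reload systemd daemons` task, e.g. `# logind is not restarted here; the SupplementaryGroups= drop-in applies on its next restart`. The `|changed` filter form used in the `when:` of the reload and `setup` tasks is deprecated in favour of the `is changed` test from Ansible 2.5 on; with `min_ansible_version: '2.4.0'` it still works, so this is a style remark only. The module names and the file header appear to have been dropped by the page rendering, so the task bodies may be incomplete in this view.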
# {{ ansible_managed }}
# Gather information about /proc related to hidepid
set -o nounset -o pipefail -o errexit
if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
# Find the hidepid value
hidepid_level="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid gid
hidepid_gid="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /gid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid group
if [ -n "${hidepid_gid}" ]; then
hidepid_group="$(getent group ${hidepid_gid} | cut -d: -f1)"
output="{\"configured\": \"${hidepid_configured}\", \"enabled\": \"${hidepid_enabled}\", \"level\": \"${hidepid_level}\", \"gid\": \"${hidepid_gid}\", \"group\": \"${hidepid_group}\"}"
printf "${output}\n"
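Review bot: With `set -o errexit -o pipefail` in effect, the `getent group ${hidepid_gid}` pipeline on the `hidepid_group=` line aborts the whole fact script when the gid taken from `/proc/mounts` has no entry in the group database, so the host ends up with no `ansible_local.proc_hidepid` facts at all instead of an empty `group` value; quoting the variable and tolerating the lookup failure keeps the output well-formed: `hidepid_group="$(getent group "${hidepid_gid}" | cut -d: -f1 || true)"`. The final `printf "${output}\n"` uses the assembled JSON as the format string, so a `%` in any value would be interpreted; `printf '%s\n' "${output}"` prints it verbatim. Under `nounset`, `hidepid_configured` and `hidepid_enabled` referenced on the `output=` line must be assigned in every branch, including the `else` branches that this rendering does not show.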
# {{ ansible_managed }}
# Based on
SupplementaryGroups={{ proc_hidepid__group }}
......@@ -124,6 +124,7 @@ other hosts.
- :ref:`debops.nfs`
- :ref:`debops.nfs_server`
- :ref:`debops.persistent_paths`
- :ref:`debops.proc_hidepid`
- :ref:`debops.tftpd`
- :ref:`debops.tgt`
- ``debops.samba``
......@@ -181,6 +182,7 @@ Monitoring
- :ref:`debops.librenms`
- :ref:`debops.monit`
- :ref:`debops.proc_hidepid`
- :ref:`debops.snmpd`
- ``debops.smstools``
......@@ -222,6 +224,7 @@ Security
- :ref:`debops.authorized_keys`
- :ref:`debops.fail2ban`
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
Getting started
.. contents::
Ansible local facts
The ``debops.proc_hidepid`` role provides a set of Ansible local facts
available in the ``ansible_local.proc_hidepid.*`` hierarchy. You can use the
facts to add application UNIX accounts to the correct UNIX system group that
allows them access to the ``/proc`` filesystem.
Example inventory
The ``debops.proc_hidepid`` role is included by default in the ``common.yml``
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.proc_hidepid`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/proc_hidepid.yml
:language: yaml
Ansible tags
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
.. _debops.proc_hidepid:
This role will ensure that the ``/proc`` filesystem is mounted with the
``hidepid=`` option enabled. `The 'hidepid=' option`__ can be used to hide
processes that don't belong to a particular user account.
.. __:
.. toctree::
:maxdepth: 2
.. literalinclude:: ../../../../ansible/roles/debops.proc_hidepid/COPYRIGHT
Local Variables:
mode: rst
ispell-local-dictionary: "american"