Linux Security

# Resource limits imposed on login sessions via pam_limits
session  required
# /etc/security/limits.conf
#<domain>       <type>  <item>          <value>

1000:           hard    nproc           32
1000:           soft    nofile          4096
1000:           hard    nofile          32768
1000:           hard    maxlogins       8
1000:           soft    priority        2
1000:           hard    priority        1
# End of file

remount /proc with -o hidepid

hidepid=0 The old behavior – anybody may read all world-readable /proc/PID/* files (default).
hidepid=1 It means users may not access any /proc/<pid>/ directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users.
hidepid=2 It means hidepid=1 plus all /proc/PID/ will be invisible to other users. It compicates intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
sudo mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=1 /proc


  • Last modified: 2020-08-29 16:45