Limiting the visibility of processes in Linux using hidepid:
In many Linux distributions, by default, all system users can read the contents of the /proc directory and can use commands such as top, ps, and htop to see the processes of other users. This is not correct in terms of security: it means that any non-privileged user is able to read the process information of every other user, including root.
This situation creates an unnecessary attack surface: an attacker with a low-privilege account can access sensitive information without having special access.
By default, Linux does not restrict this behavior. But it is possible to limit the access of non-root users to the process list with a simple parameter in mount.
Why is hiding processes (hidepid) important? Technical reasons
Prevent Process Snooping
A normal user can read /proc/[pid]/cmdline or /proc/[pid]/environ to extract:
Path of binaries
Program execution parameters
Tokens or API keys passed as command-line parameters
Environment variables containing passwords, connection strings and secrets
Such information is very valuable for an insider threat or initial penetration.
Reduction of Attack Surface
Anyone who can see the list of processes can:
Identify the version of services
Guess active ports and services
Find vulnerable or misconfigured processes
Select the target for privilege escalation
This is exactly the information a local Nmap scan would provide, obtained for free and without any special access.
Prevent the disclosure of the system behavior pattern
Information such as:
CPU consumption
RAM consumption
execution time
Status of threads
An attacker can use these for side-channel and timing attacks.
Prevent users from spying on other users
To do this, remount /proc with the hidepid option:
mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
Quick explanation of the options:
nosuid → ignore the SUID/SGID bits on files in this mount
nodev → do not honour device special files in this mount
noexec → prevent files in this mount from being executed
relatime → update access times only when needed (I/O optimization)
hidepid=2 → completely hide the processes of other users from non-root users
Making the change permanent in /etc/fstab
To make the setting permanent, add this line:
proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0
If a line for /proc already exists, just modify its options field.
Additional notes and implications
It may affect tools that need to read the entire process list:
Some monitoring agents
Process management tools like htop (for regular users)
Some non-root security tools
If a specific group needs to keep full access to /proc (for example a monitoring account), the gid=GROUPID parameter can be used:
mount -o remount,hidepid=2,gid=250 /proc
and then add the authorized users to that group.
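Because hidepid is a superblock option, a plain look at the mount flags is easy to misread, and a remount that is not mirrored in /etc/fstab silently disappears at the next boot. The script below is an added example, not part of the original post: it parses the /proc/self/mountinfo and /etc/fstab formats to report the hidepid value actually in force and the one that will be applied at boot. The two SAMPLE_* strings are constructed test data, and the mapping of the symbolic names (off/noaccess/invisible/ptraceable) to 0/1/2/4 follows what kernels since 5.8 accept and report.

```shell
#!/bin/sh
# Added example: audit the hidepid setting on /proc (live and in fstab).
# SAMPLE_MOUNTINFO and SAMPLE_FSTAB are constructed inputs, not from a real host.

SAMPLE_MOUNTINFO='24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,hidepid=2,gid=250
25 30 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:16 - sysfs sysfs rw'

SAMPLE_FSTAB='UUID=0000-0000 / ext4 defaults 0 1
proc /proc proc defaults,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# hidepid_of <mountinfo text>: print the hidepid value in force on /proc (0 if absent).
# hidepid is a superblock option, so it sits after the "-" separator of a
# mountinfo line, not in the per-mount options field (nosuid, nodev, ...).
hidepid_of() {
    printf '%s\n' "$1" | awk '
        $5 == "/proc" {
            sb = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { sb = $(i + 3); break }
            n = split(sb, opts, ",")
            val = "0"
            for (j = 1; j <= n; j++)
                if (opts[j] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[j]); val = opts[j] }
            found = 1
            print val
            exit
        }
        END { if (!found) print 0 }'
}

# normalize_hidepid <value>: map the symbolic names newer kernels report
# (off/noaccess/invisible/ptraceable) onto the numeric values 0/1/2/4.
normalize_hidepid() {
    case "$1" in
        off|0)        echo 0 ;;
        noaccess|1)   echo 1 ;;
        invisible|2)  echo 2 ;;
        ptraceable|4) echo 4 ;;
        *)            echo "$1" ;;
    esac
}

# proc_hidden <mountinfo text>: succeed only if other users' /proc/[pid]
# directories are hidden, i.e. hidepid=2 (invisible) or 4 (ptraceable).
proc_hidden() {
    v=$(normalize_hidepid "$(hidepid_of "$1")")
    [ "$v" = 2 ] || [ "$v" = 4 ]
}

# fstab_hidepid <fstab text>: print the hidepid value configured for /proc
# in fstab (field 4 holds the options), 0 if the entry or option is missing.
fstab_hidepid() {
    printf '%s\n' "$1" | awk '
        !/^[ \t]*#/ && $2 == "/proc" {
            n = split($4, opts, ",")
            val = "0"
            for (j = 1; j <= n; j++)
                if (opts[j] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[j]); val = opts[j] }
            found = 1
            print val
            exit
        }
        END { if (!found) print 0 }'
}

# Live report when run on a Linux host; the constructed samples are used by the checks below.
if [ -r /proc/self/mountinfo ]; then
    live=$(cat /proc/self/mountinfo)
    if proc_hidden "$live"; then
        echo "live:  /proc hidepid=$(hidepid_of "$live") (other users' processes hidden)"
    else
        echo "live:  /proc hidepid=$(hidepid_of "$live") (other users' processes visible)"
    fi
fi
if [ -r /etc/fstab ]; then
    echo "fstab: /proc hidepid=$(fstab_hidepid "$(cat /etc/fstab)") (value applied at boot)"
fi
echo "sample mountinfo -> hidepid=$(hidepid_of "$SAMPLE_MOUNTINFO"); sample fstab -> hidepid=$(fstab_hidepid "$SAMPLE_FSTAB")"
```

A mismatch between the two reported values is the thing to look for: a live value of 2 with 0 in fstab means the hardening is only a remount away from being lost, and 0 live with 2 in fstab means the fstab entry has not been applied yet (or /proc was remounted afterwards without the option).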
Use on enterprise and cloud servers is standard
Hardening baselines such as:
CIS Benchmark
Red Hat STIG
Ubuntu Hardening Guides
recommend this setting.