RSBAC – Kernel based process hiding

A webserver usually is the primary target to intrude into any network. If you provide web hosting services for your customers you have to provide them with a lot of features to make them happy. The main requirement for any hosting provider is PHP, probably the widest spread web scripting language out there.

Some customers only start to get happy if you give them PHP without any safe_mode restrictions, if you provide them with custom CGI scripting next to the basic good old SSI features (which in my eyes no one really needs since we got PHP) by Apache HTTP Server, if you give them FTP access and let them manage their account by themselves.

Rule Set Based Access ControlIn every feature there is always a hidden security risk. We cannot give all this to our customers without thinking about security and its consequences if a user gets hold of data which does not belong to himself or even breaks into the whole system. So, let’s start at the basics: No customer should be able to see any other running processes on the system except the ones that belong to himself. We want to hide all processes that the given customer is not allowed to see. That’s process hiding. And because on a Linux box it’s always smart to implement something from bottom up, we name it kernel based.

There is no simple solution for this problem. Some rootkits simply overwrite the ‹ps› command. But we want something more trustworthy, somehow deeper anchored in the system (got that?). The only kernel patch I found was the one from (Rule Set Based Access Control), a full blown kernel security patch. The only feature we actually need is «CAP process hiding».

Here’s my small kernel patch HOWTO:

1. Get vanilla kernel from

2. Get the RSBAC base archive (common) & matching kernel patch, patch the kernel:

3. We are now ready to compile the patched kernel. Configure it with ‹make menuconfig›:

4. Make sure all RSBAC features are disabled except the following:

5. Compile the kernel and install it (not documented here).

6. Configure grub to activate process hiding by adding ‹rsbac_cap_process_hiding› to your kernel parameter list, e.g.:

7. That’s it. Reboot your system and cross your fingers, have some coffee and do all the other things that a server administrator does when he is really afraid he just messed up his whole system. 🙂

As soon as the system is again up and running, type in ‹ps aux› under a regular user account and as superuser. Hope you note the difference!

One Response

  1. Amon Ott
    Jul 20, 2007 - 10:49 AM

    You should also try mod_rsbac for Apache, see

Leave a Comment