set hidepid=0 on RHEL/CentOS 7

roles/os_hardening/README.md

@@ -55,6 +55,18 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
       net.ipv4.ip_forward: 1
 ```
 
+### hidepid on RHEL/CentOS 7
+
+When having `polkit-0.112-18.el7` (and later) installed and `/proc` mounted with `hidepid=2`, everytime someone uses `systemctl` the following error is displayed, but systemctl runs successfully.
+
+```
+Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
+```
+
+We decided to set `hidepid=0` to remove the error message, if you want to use the other proposed workaround, you have to setup the user yourself and set our option to `hidepid_option: 2` via Ansible vars.
+
+For further details see [RedHat: "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject" seen when executing systemctl command](https://access.redhat.com/solutions/5005111) or [#364: hidepid=2 gives error when running systemctl on EL7](/~https://github.com/dev-sec/ansible-collection-hardening/issues/364)
+
 ### sysctl - vm.mmap_rnd_bits
 
 We are setting this sysctl to a default of `32`, some systems only support smaller values and this will generate an error. Unfortunately we cannot determine the correct applicable maximum. If you encounter this error you have to override this sysctl in your playbook.
@@ -164,7 +176,7 @@ We know that this is the case on Raspberry Pi.
   - Default: `keep_logs`
   - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
 - `hidepid_option`
-  - Default: `2`
+  - Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
   - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
 - `proc_mnt_options`
   - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`

roles/os_hardening/defaults/main.yml

@@ -280,5 +280,4 @@ os_selinux_state: enforcing
 # Set the SELinux polixy.
 os_selinux_policy: targeted
 
-hidepid_option: '2'  # allowed values: 0, 1, 2
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'

roles/os_hardening/vars/Amazon.yml

@@ -42,3 +42,5 @@ sysctl_rhel_config:
   kernel.exec-shield: 1
   # Syncookies is used to prevent SYN-flooding attacks.
   net.ipv4.tcp_syncookies: 1
+
+hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Archlinux.yml

@@ -23,3 +23,5 @@ os_auth_sys_gid_max: 999
 
 modprobe_package: 'kmod'
 auditd_package: 'audit'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Debian.yml

@@ -35,3 +35,5 @@ auditd_package: 'auditd'
 
 tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Fedora.yml

@@ -33,3 +33,5 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/RedHat.yml

@@ -33,3 +33,5 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/RedHat_7.yml

@@ -0,0 +1,37 @@
+---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0000'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '077'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 201
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 201
+os_auth_sys_gid_max: 999
+
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
+modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
+
+hidepid_option: '0'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Suse.yml

@@ -32,3 +32,5 @@ os_useradd_create_home: false
 
 modprobe_package: 'kmod-compat'
 auditd_package: 'audit'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2