Have you ever wanted to restrict what processes users can see?
Restricting what files and directories users can access is simple: just run chmod 700 on a directory and no one but the owner can access it.
Now you can restrict processes in a similar way: edit the file /etc/security/policy.conf and replace the line #PRIV_DEFAULT=basic with
PRIV_DEFAULT=basic,!proc_info. This removes the proc_info privilege from all users, so they can only view their own processes.
This is how the process list looks after the change:
$ ps -ef
UID PID PPID C STIME TTY TIME CMD
test 8605 8568 0 10:44:01 pts/2 0:00 -sh
test 8609 8605 0 10:44:03 pts/2 0:00 ps -ef
Note that this might break any process monitoring scripts you have running as an unprivileged user. To fix this, assign the profile Process Management to the user, or create your own profile, since Process Management also gives the user the ability to stop any process.
Another way to do this is to create an entry in /etc/user_attr for each user who should be restricted, and set the default privilege for the user to basic,!proc_info. This can be done using the usermod program, e.g.:
usermod -K defaultpriv='basic,!proc_info' test
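
To check which accounts either method actually covers, the following added example (not part of the original post) reads a policy.conf and a user_attr file and reports whether a user's default privilege set drops proc_info. The function names and sample files are constructed for illustration; it assumes a per-user defaultpriv entry takes precedence over PRIV_DEFAULT and only recognises the explicit !proc_info form used above.

```shell
#!/bin/sh
# Added example; the sample files below are constructed.

# Print the privilege spec for user $1: defaultpriv in user_attr ($3) is used
# if present (assumed to take precedence), otherwise the active PRIV_DEFAULT
# line in policy.conf ($2), otherwise "basic".
default_priv_for() {
    user=$1 policy=$2 uattr=$3
    spec=$(awk -F: -v u="$user" '
        /^#/ { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^defaultpriv=/) { sub(/^defaultpriv=/, "", kv[i]); print kv[i]; exit }
        }' "$uattr")
    # A commented-out "#PRIV_DEFAULT=..." line does not match the anchored pattern.
    [ -n "$spec" ] || spec=$(sed -n 's/^PRIV_DEFAULT=//p' "$policy" | head -n 1)
    printf '%s\n' "${spec:-basic}"
}

# Exit 0 when the spec for the user explicitly removes proc_info.
proc_info_removed() {
    case ",$(default_priv_for "$@")," in
        *',!proc_info,'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: policy.conf left at its commented default,
# one user restricted through user_attr, one monitoring account not.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/policy.conf" <<'EOF'
#PRIV_DEFAULT=basic
EOF
cat > "$demo/user_attr" <<'EOF'
test::::type=normal;defaultpriv=basic,!proc_info
monitor::::type=normal
EOF
for u in test monitor; do
    if proc_info_removed "$u" "$demo/policy.conf" "$demo/user_attr"; then
        echo "$u: proc_info removed"
    else
        echo "$u: proc_info still in default set"
    fi
done
```

On a real system the two arguments would be /etc/security/policy.conf and /etc/user_attr.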





