From 43bd01a374a8f5ce06c3761cd291bfc840ecc410 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Mon, 15 Jul 2019 16:28:07 +0300
Subject: [PATCH 1/2] mount /proc with hidepid=2 option

---
 sls/gentoo/hardening.sls | 27 +++++++++++++++++++++++++++
 sls/gentoo/init.sls | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 sls/gentoo/hardening.sls

diff --git a/sls/gentoo/hardening.sls b/sls/gentoo/hardening.sls
new file mode 100644
index 0000000..53d3a65
--- /dev/null
+++ b/sls/gentoo/hardening.sls
@@ -0,0 +1,27 @@
+proc_view:
+ group.present:
+ - gid: 391
+ - system: True
+ {%- if salt['cmd.retcode']('id polkitd') == 0 %}
+ - addusers:
+ - polkitd
+ {%- endif %}
+
+/proc:
+ mount.mounted:
+ - device: proc
+ - fstype: proc
+ - dump: 0
+ - pass_num: 0
+ - persist: True
+ - mkmnt: True
+ - opts:
+ - defaults
+ - nosuid
+ - nodev
+ - noexec
+ - relatime
+ - hidepid=2
+ - gid=391
+ - require:
+ - group: proc_view
diff --git a/sls/gentoo/init.sls b/sls/gentoo/init.sls
index 0259ec4..8996770 100644
--- a/sls/gentoo/init.sls
+++ b/sls/gentoo/init.sls
@@ -4,4 +4,5 @@ include:
 - gentoo.repos.gentoo
 - gentoo.profile
 - gentoo.makeconf
+ - gentoo.hardening

From 6a92d7c37e9afd8ca65a135b1b1cce9d562e6212 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Mon, 15 Jul 2019 16:37:17 +0300
Subject: [PATCH 2/2] remove from highstate /proc with hidepid=2

---
 sls/gentoo/init.sls | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sls/gentoo/init.sls b/sls/gentoo/init.sls
index 8996770..0259ec4 100644
--- a/sls/gentoo/init.sls
+++ b/sls/gentoo/init.sls
@@ -4,5 +4,4 @@ include:
 - gentoo.repos.gentoo
 - gentoo.profile
 - gentoo.makeconf
- - gentoo.hardening
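Review bot: The group id 391 is written twice in the hardening.sls hunk, as `gid: 391` under `group.present` and as the mount option `gid=391`, with nothing tying the two together, so a later edit of one value without the other would leave /proc owned by a gid that is not the group the `addusers` exemption is managed on. Factoring it into one Jinja variable, e.g. `{% set proc_gid = 391 %}` at the top, then `- gid: {{ proc_gid }}` and `- gid={{ proc_gid }}`, keeps the two in step. The exemption list is limited to polkitd, probed with `salt['cmd.retcode']('id polkitd')` at render time; any other daemon on the host that needs to read other users' /proc entries will presumably lose that visibility under hidepid=2, so a comment such as `# hidepid=2: only root and members of proc_view see other users' processes; add such daemons to addusers` would help the next maintainer. Note that the second patch in this series removes the `gentoo.hardening` include from init.sls again, so this state is not applied by highstate unless called explicitly, and nothing on the page records why.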