top is only showing current user processes
One possibility is /proc
mounted with either hidepid=1
or hidepid=2
. This mount option was added in latter Linux kernels and back ported sometime around CentOS 5.9 and 6.3.
Mount options
The proc filesystem supports the following mount options:
hidepid=n (since Linux 3.3)
This option controls who can access the information in
/proc/[pid] directories. The argument, n, is one of the
following values:
0 Everybody may access all /proc/[pid] directories. This is
the traditional behavior, and the default if this mount
option is not specified.
1 Users may not access files and subdirectories inside any
/proc/[pid] directories but their own (the /proc/[pid]
directories themselves remain visible). Sensitive files
such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible
to learn whether any user is running a specific program
(so long as the program doesn't otherwise reveal itself by
its behavior).
2 As for mode 1, but in addition the /proc/[pid] directories
belonging to other users become invisible. This means
that /proc/[pid] entries can no longer be used to discover
the PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be
learned by other means, for example, by "kill -0 $PID"),
but it hides a process's UID and GID, which could
otherwise be learned by employing stat(2) on a /proc/[pid]
directory. This greatly complicates an attacker's task of
gathering information about running processes (e.g.,
discovering whether some daemon is running with elevated
privileges, whether another user is running some sensitive
program, whether other users are running any program at
all, and so on).
Another possibility (found by the poster and added to this answer as reference information) is grsecurity which has a feature for hiding other users' processes from unprivileged users as part of it's file system hardening.
Hide other users' processes for unprivileged users
While the upstream kernel now provides a mount option for /proc to hide other unprivileged users' processes, grsecurity goes beyond this by hiding such information by default, hiding additional sources of sensitive information provided by the kernel in /proc, and hiding private network-related information of all users. Not only is the networking information a violation of the privacy of other users on the system, but it has also been useful in the past for TCP hijacking attacks.
Based on the information from the following posts I have identified 3 possible resolutions.
- htop shows only the processes of the user that's running it? on Unix & Linux
- https://www.centos.org/forums/viewtopic.php?f=14&t=52563
Which states grsecurty can cause the users not being able to see other users pids in /proc/
and that OVH (My hosting company) uses a custom kernel compiled with Grsecurity
$ uname -r
3.14.32-xxxx-grs-ipv6-64
possible resolutions are:
- remove grsecurity
- edit policy to permit such use
- ensure the other admins are made aware of the new security measures in place
For me educating the other admins is be best option as security comes first. Still kinda wish they would have informed us of something like this though. Thank you for all your help!