diff --git a/test/scenarios/default.py b/test/scenarios/default.py
index 19375a1..0d6c4c3 100644
--- a/test/scenarios/default.py
+++ b/test/scenarios/default.py
@@ -51,6 +51,13 @@ assert_matches("curl -L localhost/store", "tshirt")
 machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
 assert_no_failure("bitcoind-import-banlist")
+# test that `systemctl status` can't leak credentials
+assert_matches(
+ "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+ "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 # Current time in µs
diff --git a/test/scenarios/withnetns.py b/test/scenarios/withnetns.py
index 99d8d73..d07480b 100644
--- a/test/scenarios/withnetns.py
+++ b/test/scenarios/withnetns.py
@@ -113,6 +113,13 @@ assert_matches_exactly(
 # test that netns-exec can not be executed by users that are not operator
 machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
+# test that `systemctl status` can't leak credentials
+assert_matches(
+ "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+ "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 # Current time in µs
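Review bot: The credential-leak check added in both hunks (test/scenarios/default.py and test/scenarios/withnetns.py) is indirect: it passes only while systemd prints this exact `Failed to dump process list ... Access denied` text, so a reworded message in a later systemd release would fail the test even though the protection still holds. Asserting the property itself is sturdier, for example `machine.fail("sudo -u electrs cat /proc/$(systemctl show -p MainPID --value clightning)/cmdline")`, which assumes clightning is running at that point in the scenario. The `grep -Fq hidepid=2 /proc/mounts` line also matches the string on any mount entry, not only the one for `/proc`; `machine.succeed("findmnt -no OPTIONS /proc | grep -Fq hidepid=2")` ties it to the right mount. Kernels that report the option by name rather than by number would need the pattern adjusted, so it is worth confirming what the test VM's kernel prints.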