Disable the use of user namespaces
An XCCDF Rule
Description
To set the runtime status of the user.max_user_namespaces
kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
user.max_user_namespaces = 0When containers are deployed on the machine, the value should be set to large non-zero value.
warning alert: Warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that
user.max_user_namespaces
will be enabled.Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do