Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-248892 | OL08-00-040284 | SV-248892r780242_rule | Medium |
Description |
---|
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux container. The value 0 disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When containers are deployed on a system, the value should be set to a large non-zero value. The default value is 39078. |
STIG | Date |
---|---|
Oracle Linux 8 Security Technical Implementation Guide | 2021-07-21 |
Check Text ( C-52326r780240_chk ) |
---|
Verify OL 8 disables the use of user namespaces with the following commands. Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. $ sudo sysctl user.max_user_namespaces user.max_user_namespaces = 0 If the returned line does not have a value of "0" or a line is not returned, this is a finding. |
Fix Text (F-52280r780241_fix) |
---|
Configure the system to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: user.max_user_namespaces = 0 The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system |