Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-230548 | RHEL-08-040284 | SV-230548r627750_rule | Medium |
Description |
---|
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux container. The value 0 disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When containers are deployed on a system, the value should be set to a large non-zero value. The default value is 7182. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 8 Security Technical Implementation Guide | 2021-03-04 |
Check Text ( C-33217r568390_chk ) |
---|
Verify RHEL 8 disables the use of user namespaces with the following commands: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. $ sudo sysctl user.max_user_namespaces user.max_user_namespaces = 0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. |
Fix Text (F-33192r568391_fix) |
---|
Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. user.max_user_namespaces = 0 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system |