{"description": "To set the runtime status of the <code>user.max_user_namespaces</code> kernel parameter,\nrun the following command:\n<pre>$ sudo sysctl -w user.max_user_namespaces=0</pre>\n\nTo make sure that the setting is persistent,\nadd the following line to a file in the directory <tt>/etc/sysctl.d</tt>:\n<pre>user.max_user_namespaces = 0</pre>\nWhen containers are deployed on the machine, the value should be set\nto a large non-zero value.", "rationale": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.\nThese unnecessary capabilities or services are often overlooked and therefore may remain unsecured.\nThey increase the risk to the platform by providing additional attack vectors.\nUser namespaces are used primarily for Linux containers. The value 0\ndisallows the use of user namespaces.", "severity": "medium", "references": {"nist": ["SC-39", "CM-6(a)"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "Verify that Ubuntu 22.04 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nThe runtime status of the <code>user.max_user_namespaces</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl user.max_user_namespaces</pre>\n<code>0</code>.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable the use of user namespaces.\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nuser.max_user_namespaces = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must disable the use of user namespaces.", "warnings": [{"functionality": "Remediation of this rule might impair or prevent functionality of certain applications.\nThis applies especially to general container usage and to certain desktop applications.\nThere is an alternative rule which performs the same check but intentionally lacks the remediation part.\nIf needed, you can use the rule <tt>sysctl_user_max_user_namespaces_no_remediation</tt>.\nIn that case, ensure that such a use case is properly documented."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_user_max_user_namespaces.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_user_max_user_namespaces.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable the use of user namespaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "user.max_user_namespaces", "sysctlval": "0", "datatype": "int"}, "backends": {}}}