{
  "description": "To set the runtime status of the <code>user.max_user_namespaces</code> kernel parameter,\nrun the following command:\n<pre>$ sudo sysctl -w user.max_user_namespaces=0</pre>\n\nTo make sure that the setting is persistent,\nadd the following line to a file in the directory <tt>/etc/sysctl.d</tt>:\n<pre>user.max_user_namespaces = 0</pre>\nWhen containers are deployed on the machine, the value should be set\nto a large non-zero value.",
  "rationale": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.\nThese unnecessary capabilities or services are often overlooked and therefore may remain unsecured.\nThey increase the risk to the platform by providing additional attack vectors.\nUser namespaces are used primarily for Linux containers. The value 0\ndisallows the use of user namespaces.",
  "severity": "medium",
  "references": {"srg": ["SRG-OS-000480-GPOS-00227"]},
  "control_references": {},
  "components": [],
  "identifiers": {},
  "ocil_clause": "the correct value is not returned",
  "ocil": "Verify that Ubuntu 22.04 disables the use of user namespaces with the following commands:\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nThe runtime status of the <code>user.max_user_namespaces</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl user.max_user_namespaces</pre>\n<code>0</code>.\n",
  "oval_external_content": null,
  "fixtext": "Configure Ubuntu 22.04 to disable the use of user namespaces.\n\nNote: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nuser.max_user_namespaces = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "Ubuntu 22.04 must disable the use of user namespaces.",
  "warnings": [
    {"general": "This configuration baseline was created to deploy the base operating system for general purpose\nworkloads. When the operating system is configured for certain purposes, such as to host Linux Containers,\nit is expected that <tt>user.max_user_namespaces</tt> will be enabled.\nNote that this rule deliberately does not have remediations attached.\nUse the <tt>sysctl_user_max_user_namespaces</tt> rule if you want to utilize remediation for this rule."}
  ],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 must disable the use of user namespaces.",
      "vuldiscussion": "User namespaces are used primarily for Linux containers. The value \"0\" disallows the use of user namespaces.",
      "checktext": "Verify Ubuntu 22.04 disables the use of user namespaces with the following commands:\n\n$ sudo sysctl user.max_user_namespaces\n\nuser.max_user_namespaces = 0\n\nIf the returned line does not have a value of \"0\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F user.max_user_namespaces | tail -1\nuser.max_user_namespaces = 0\n\nIf the kernel parameter \"user.max_user_namespaces\" is not equal to \"0\", or nothing is returned, this is a finding.\n\nIf the use of namespaces is operationally required and documented with the information system security manager (ISSM), this is not a finding.",
      "fixtext": "Configure Ubuntu 22.04 to disable the use of user namespaces by adding the following line to a file in the \"/etc/sysctl.d\" directory:\n\nuser.max_user_namespaces = 0\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system"
    }
  },
  "platform": "system_with_kernel",
  "platforms": ["system_with_kernel"],
  "sce_metadata": {
    "check-import": "stdout",
    "platform": ["multi_platform_all"],
    "environment": "any",
    "filename": "sysctl_user_max_user_namespaces_no_remediation.sh",
    "relative_path": "ubuntu2204/checks/sce/sysctl_user_max_user_namespaces_no_remediation.sh"
  },
  "inherited_platforms": [],
  "cpe_platform_names": ["system_with_kernel"],
  "inherited_cpe_platform_names": [],
  "bash_conditional": null,
  "fixes": {},
  "title": "Disable the use of user namespaces",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces_no_remediation/rule.yml",
  "template": {
    "name": "sysctl",
    "vars": {"sysctlvar": "user.max_user_namespaces", "sysctlval": "0", "datatype": "int", "no_remediation": "true"},
    "backends": {"bash": "off", "ansible": "off"}
  }
}