Check: RHEL-09-213105
RHEL 9 STIG: RHEL-09-213105 (in versions v1 r3 through v1 r2)
Title
RHEL 9 must disable the use of user namespaces. (Cat II impact)
Discussion
User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.
Check Content
Verify RHEL 9 disables the use of user namespaces with the following commands:

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable.

$ sudo sysctl user.max_user_namespaces
user.max_user_namespaces = 0

If the returned line does not have a value of "0", or a line is not returned, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F user.max_user_namespaces | tail -1
user.max_user_namespaces = 0

If the kernel parameter "user.max_user_namespaces" is not equal to "0", or nothing is returned, this is a finding.
Fix Text
Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory:

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is Not Applicable.

user.max_user_namespaces = 0

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system
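The check and fix above can be scripted. The following is an added example, not text or code from the STIG itself: the evaluators take captured command output as a string, so the decision logic (value must be exactly "0"; a missing line or any other value is a finding; the last matching line in the concatenated sysctl.d configuration is the effective one) can be exercised offline against constructed samples, and run_live_check wires them to the real commands from the check text. The drop-in file name 99-stig-user-namespaces.conf is an assumption; the page only specifies the directory.

```shell
#!/bin/sh
# Added example for RHEL-09-213105 (not from the STIG page). Evaluates the
# check logic against captured text and writes the Fix Text drop-in.

# Print the effective value of user.max_user_namespaces found in "$1", which is
# text in "key = value" form (sysctl output or --cat-config output). Comment
# lines starting with # or ; are skipped and the last match wins, mirroring the
# lexical-order application of sysctl.d files. Prints nothing if no line exists.
effective_value() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*[#;]' \
        | grep -F 'user.max_user_namespaces' \
        | tail -1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Apply the page's rule: exactly "0" passes; any other value, or no line at
# all, is a finding. Prints PASS or FINDING; exit status 0 only on PASS.
judge() {
    if [ "$(effective_value "$1")" = "0" ]; then
        echo PASS
        return 0
    fi
    echo FINDING
    return 1
}

# Remediation from the Fix Text. The directory is a parameter so the function
# can be pointed at a scratch directory; on a real host use /etc/sysctl.d and
# then run "sudo sysctl --system". The file name is an assumed choice.
write_dropin() {
    dir=$1
    mkdir -p "$dir"
    printf 'user.max_user_namespaces = 0\n' > "$dir/99-stig-user-namespaces.conf"
    echo "$dir/99-stig-user-namespaces.conf"
}

# Live audit on a RHEL 9 host, using the two commands from the check text.
# Remember the note: if containers are in use, the requirement is Not Applicable.
run_live_check() {
    running=$(sudo sysctl user.max_user_namespaces 2>/dev/null)
    persisted=$(sudo /usr/lib/systemd/systemd-sysctl --cat-config 2>/dev/null)
    echo "running value:   $(judge "$running")"
    echo "persisted value: $(judge "$persisted")"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_RUNNING='user.max_user_namespaces = 0'
SAMPLE_CONF_GOOD='# /etc/sysctl.d/99-stig.conf (constructed)
net.ipv4.ip_forward = 0
; a different comment style, also ignored
user.max_user_namespaces = 0'
SAMPLE_CONF_OVERRIDDEN="$SAMPLE_CONF_GOOD
# a later file re-enables namespaces; the last line wins, so this is a finding
user.max_user_namespaces = 15000"
SAMPLE_CONF_MISSING='net.ipv4.ip_forward = 0'

if [ "${1:-}" = "--live" ]; then
    run_live_check
else
    echo "running:    $(judge "$SAMPLE_RUNNING")"      # PASS
    echo "good conf:  $(judge "$SAMPLE_CONF_GOOD")"    # PASS
    echo "overridden: $(judge "$SAMPLE_CONF_OVERRIDDEN")"  # FINDING
    echo "missing:    $(judge "$SAMPLE_CONF_MISSING")" # FINDING
fi
```

Run it without arguments to see the decision on the constructed samples, or with --live on a RHEL 9 host to audit the running and persisted values. The overridden sample is the case the `tail -1` in the check command is there to catch: an earlier file setting "0" is not enough if a later file in sysctl.d raises the limit again.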
Additional Identifiers
Rule ID: SV-257816r942981_rule
Vulnerability ID: V-257816
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings