Information
User namespaces should be disabled unless required.
Note that user namespaces are required for 'rootless' containers, where the container runtime itself is started by an unprivileged user rather than by root, including setups in which a container running as an unprivileged user is expected to launch further containers. Disabling user namespaces will break those workloads, so confirm that no such use case exists on the host before applying this setting.
Rationale:
If user namespaces are enabled, any unprivileged user can create a new user namespace in which their processes hold a full capability set, including CAP_SYS_ADMIN, relative to that namespace. Those capabilities let ordinary users reach kernel subsystems (for example mount handling, networking and namespace management) that are otherwise only callable by root, so every bug in those code paths becomes locally exploitable. Setting user.max_user_namespaces to 0 prevents any new user namespace from being created, by root as well as by unprivileged users, without tearing down namespaces that already exist.
Solution
Run the following command to set the active kernel parameter and persist the setting:
# apiclient apply <<EOF
[settings.kernel.sysctl]
"user.max_user_namespaces" = "0"
EOF
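The following audit helper is an added example and is not part of this check or of Bottlerocket. It verifies both halves of the remediation: the live kernel value, which it assumes is exposed at /proc/sys/user/max_user_namespaces (present on Linux 4.9 and later), and the persisted Bottlerocket setting, which it assumes `apiclient get settings.kernel.sysctl` prints as JSON containing a "user.max_user_namespaces" key. Checking only one of the two is a common mistake: a value set with `sysctl -w` from the admin container is lost at reboot, while a setting applied through apiclient but not yet in effect leaves the host exposed until it is.

```shell
#!/bin/sh
# Added audit helper (not part of the original check or of Bottlerocket).
# Assumptions: the live value is read from /proc/sys/user/max_user_namespaces,
# and the persisted setting is read from `apiclient get settings.kernel.sysctl`,
# assumed to print JSON with a "user.max_user_namespaces" key.

# Return 0 when a max_user_namespaces value means "disabled" (exactly 0).
userns_compliant() {
    case "$1" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the live kernel value from a sysctl file (default: the real /proc path).
# Prints -1 when the knob is absent so the caller can tell "absent" from "0".
live_userns_value() {
    file="${1:-/proc/sys/user/max_user_namespaces}"
    if [ -r "$file" ]; then
        tr -d '[:space:]' < "$file"
    else
        printf '%s\n' '-1'
    fi
}

# Extract "user.max_user_namespaces" from apiclient-style JSON on stdin.
# Prints the value, or nothing when the key is not persisted at all.
persisted_userns_value() {
    sed -n 's/.*"user\.max_user_namespaces"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Full audit: the live value and the persisted setting must both be "0".
# $1: sysctl file to read (empty for the default), $2: apiclient JSON output.
audit_userns() {
    live="$(live_userns_value "$1")"
    persisted="$(printf '%s' "$2" | persisted_userns_value)"
    status=0
    if userns_compliant "$live"; then
        echo "PASS live:      user.max_user_namespaces=$live"
    else
        echo "FAIL live:      user.max_user_namespaces=$live (-1 means knob absent)"
        status=1
    fi
    if [ -n "$persisted" ] && userns_compliant "$persisted"; then
        echo "PASS persisted: user.max_user_namespaces=$persisted"
    else
        echo "FAIL persisted: setting absent or not \"0\" (got '${persisted:-unset}')"
        status=1
    fi
    return $status
}

# Run the real audit on a Bottlerocket host (from the admin container):
#   sh audit-userns.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_userns "" "$(apiclient get settings.kernel.sysctl 2>/dev/null)"
fi
```

A FAIL on the live check while the persisted check passes means the setting was applied but the kernel has not picked it up yet; a PASS on live with a FAIL on persisted means someone changed the value by hand and it will revert on the next boot. Either way the fix is the apiclient apply command above.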
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: b0e7d403f8ba629abd486934a5ff251b33583b101c91f545e4f1e5e38f6ea7cd