5.31 Ensure that the host's user namespaces are not shared

Information

You should not share the host's user namespaces with containers running on it.

Rationale:

User namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.

Impact:

None

Solution

You should not share user namespaces between host and containers.
For example, you should not run the command below:

docker run --rm -it --userns=host ubuntu bash

Default Value:

By default, the host user namespace is shared with containers unless user namespace support is enabled.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|12, CSCv7|14.1

Plugin: Unix

Control ID: f7e9b346a503e1e10acb51cdd9de9444a46a2053a835f933dea8f23bb17efac4