5.31 Ensure that the host's user namespaces are not shared

Information

You should not share the host's user namespaces with containers running on it.

User namespaces ensure that a root process inside the container is mapped to a non-root process outside the container. Sharing the host's user namespace with a container removes this isolation: a process that is root inside such a container is also root on the host, so users in the container are no longer isolated from users on the host. The remapping only takes effect when the Docker daemon has user namespace remapping enabled; the --userns=host flag opts an individual container out of it.

Solution

You should not share user namespaces between host and containers.

For example, you should not run the command below:

docker run --rm -it --userns=host ubuntu bash
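The benchmark's audit for this item inspects every container's HostConfig.UsernsMode. The helper below is an added example (not part of the CIS benchmark or Tenable plugin): it reads one "<id>: UsernsMode=<mode>" line per container, as produced by the docker inspect --format command shown in the comment, and fails when any container was started with --userns=host. The container IDs in the embedded sample are made up.

```shell
#!/bin/sh
# Added audit helper, not from the CIS benchmark. Expected input is the
# output of:
#   docker ps --quiet --all | xargs docker inspect \
#       --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'
# which prints one "<container id>: UsernsMode=<mode>" line per container.
# UsernsMode is "host" for containers started with --userns=host and empty
# for containers that use the daemon default.

# Reads inspect lines on stdin. Prints each container that shares the
# host user namespace and returns 1 if there is at least one, else 0.
check_userns_mode() {
    failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%%:*}
        mode=${line##*UsernsMode=}
        if [ "$mode" = "host" ]; then
            echo "FAIL: container $id was started with --userns=host"
            failed=1
        fi
    done
    return $failed
}

# Constructed sample of docker inspect output (IDs are made up): the first
# container uses the daemon default, the second shares the host namespace.
SAMPLE_INSPECT='3f1a9b2c4d5e: UsernsMode=
a1b2c3d4e5f6: UsernsMode=host'

# Runs the check over the constructed sample; returns 1 (one offender).
audit_sample() {
    printf '%s\n' "$SAMPLE_INSPECT" | check_userns_mode
}

# Stand-alone run: report the sample result. Against a live host, replace
# the sample with the docker ps/inspect pipeline from the header comment.
if audit_sample; then
    echo "PASS: no container shares the host user namespace"
else
    echo "FAIL: at least one container shares the host user namespace"
fi
```

An empty UsernsMode only means the container inherited the daemon default; the daemon must itself have user namespace remapping enabled for root inside the container to be mapped to a non-root host user.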

Impact:

None

See Also

https://workbench.cisecurity.org/benchmarks/16041

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|14.1

Plugin: Unix

Control ID: f7e9b346a503e1e10acb51cdd9de9444a46a2053a835f933dea8f23bb17efac4