Puppet Class: cis_security_hardening::rules::user_namespaces

Defined in:
manifests/rules/user_namespaces.pp

Summary

Ensure the operating system disables the use of user namespaces

Overview

The operating system must disable the use of user namespaces.

Rationale: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When containers are deployed on a system, the value should be set to a large non-zero value. The default value is 7182.

Examples:

class { 'cis_security_hardening::rules::user_namespaces':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/user_namespaces.pp', line 24

class cis_security_hardening::rules::user_namespaces (
  Boolean $enforce = false,
) {
  if $enforce {
    sysctl {
      'user.max_user_namespaces':
        ensure    => present,
        permanent => 'yes',
        value     => 0,
        notify    => Exec['reload-sysctl-system'],
    }
  }
}
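
A check that could be run after the class is applied, added here as an example and not part of the module: it compares the running value of `user.max_user_namespaces` with the value persisted in the sysctl configuration, since `permanent => 'yes'` and the reload notification are meant to keep the two in step. The function names, the optional root-directory argument, and the simplified file order (`/etc/sysctl.d/*.conf`, then `/etc/sysctl.conf`, last assignment wins) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit user.max_user_namespaces (runtime vs. persisted).
# An optional root directory lets the same check run against a mounted
# image or a constructed test tree instead of the live system.

# Print the runtime value from procfs, or "unknown" if it is not readable.
runtime_value() {
  f="${1:-}/proc/sys/user/max_user_namespaces"
  if [ -r "$f" ]; then
    tr -d '[:space:]' < "$f"
    echo
  else
    echo unknown
  fi
}

# Print the last persisted numeric value, or "unset" if none is configured.
# Assumption: /etc/sysctl.d/*.conf in lexical order, then /etc/sysctl.conf.
persisted_value() {
  root="${1:-}"
  val=unset
  for f in "$root"/etc/sysctl.d/*.conf "$root/etc/sysctl.conf"; do
    [ -r "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then val=$v; fi
  done
  echo "$val"
}

# Print both values; return 0 only when runtime and persisted are both 0.
audit_userns() {
  rt=$(runtime_value "${1:-}")
  ps=$(persisted_value "${1:-}")
  echo "runtime=$rt persisted=$ps"
  [ "$rt" = 0 ] && [ "$ps" = 0 ]
}

# Run against the live system, or against the directory named in $ROOT.
audit_userns "${ROOT:-}" || echo "NOT compliant: expected 0 at runtime and in config"
```

A runtime value of 0 with a non-zero or unset persisted value means the setting will not survive a reboot; the reverse means the configuration has not been reloaded.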