To disable RHEL user namespaces

Purpose

Disabling namespaces for RHEL users can mitigate current and future RHEL OS vulnerabilities.

Note: Disabling RHEL user namespaces is a STIG recommendation.

For greater OS security, perform the following steps to disable the use of namespaces by any RHEL user on any NSP station.

Steps

Log in as the root user on the station that hosts the OS.


Open a console window.


Enter the following to display the current namespace setting:

cat /proc/sys/user/max_user_namespaces ↵

A numeric value is displayed.


RHEL namespaces are enabled if the value is greater than zero.

If RHEL namespaces are enabled, perform the following steps.

  1. Enter the following:

    echo user.max_user_namespaces=0 >/etc/sysctl.d/97-nsp-rhel-oem.conf ↵

  2. Enter the following:

    cat /etc/sysctl.d/97-nsp-rhel-oem.conf ↵

    The /etc/sysctl.d/97-nsp-rhel-oem.conf file content is listed.

  3. If the file content is anything other than the following, return to substep 1 to correct any input error and recreate the file.

    user.max_user_namespaces=0

  4. Enter the following:

    sudo sysctl --system ↵

    Namespace usage is disabled.


Enter the following to verify that namespaces are disabled:

cat /proc/sys/user/max_user_namespaces ↵

A numeric value is displayed.


If the value is not 0, contact technical support for assistance.


Close the console window.

End of steps
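As an added example, not part of this procedure or of NSP, the following POSIX shell helpers perform the same checks with the file paths as parameters (so they can be exercised on constructed files) and additionally report the value that sysctl --system would actually apply: drop-in files are read in name order with the last assignment winning, and /etc/sysctl.conf is read last, so a 99-*.conf file or a sysctl.conf entry overrides 97-nsp-rhel-oem.conf without any error. On a station, pass /proc/sys/user/max_user_namespaces, /etc/sysctl.d and /etc/sysctl.conf; the function and file names other than those on the page are assumptions.

```shell
#!/bin/sh
# Added audit helpers for user.max_user_namespaces (not part of the NSP
# procedure). Paths are parameters so the functions can run on constructed
# files; on a station pass /proc/sys/user/max_user_namespaces, /etc/sysctl.d
# and /etc/sysctl.conf.
LC_ALL=C; export LC_ALL   # name-order globbing, as sysctl --system sorts

# True when the live kernel value read from the given proc file is exactly 0.
namespaces_disabled() {
    [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Print the last uncommented user.max_user_namespaces assignment in one
# sysctl file; prints nothing if the key is not set there.
value_in_file() {
    sed -n 's/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the value sysctl --system would leave in place: *.conf files in the
# drop-in directory are read in name order and the last assignment wins, and
# sysctl.conf (read last) wins over all of them. A 99-*.conf or sysctl.conf
# entry therefore silently overrides 97-nsp-rhel-oem.conf.
effective_persistent_value() {
    dir=$1; conf=$2; result=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(value_in_file "$f")
        [ -n "$v" ] && result=$v
    done
    if [ -n "$conf" ] && [ -f "$conf" ]; then
        v=$(value_in_file "$conf")
        [ -n "$v" ] && result=$v
    fi
    printf '%s\n' "$result"
}

# Substeps 1 to 3 of the page: write the drop-in into the given directory and
# verify that it reads back exactly as expected (returns 1 otherwise).
write_nsp_conf() {
    f="$1/97-nsp-rhel-oem.conf"
    printf 'user.max_user_namespaces=0\n' > "$f" || return 1
    [ "$(cat "$f")" = "user.max_user_namespaces=0" ]
}

# Substep 4 plus the final check, against the live system (run as root).
apply_and_verify() {
    sysctl --system >/dev/null && namespaces_disabled /proc/sys/user/max_user_namespaces
}
```

If effective_persistent_value prints anything other than 0 after the drop-in is written, the overriding file is the reason the final verification on the page fails even though 97-nsp-rhel-oem.conf is correct.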