Sysctl
Introduction
The sysctl tool allows configuring kernel parameters or tunables. By changing related sysctl keys and their individual values, the system behavior can be changed. Several keys are related to security and can help with kernel hardening, or system hardening in general.
Files and locations
The configuration of sysctl is typically spread over multiple files and paths. Systems with systemd will have additional paths.
Files are read in order and the first match of a kernel setting is used.
- /etc/sysctl.d/*.conf
- /run/sysctl.d/*.conf
- /usr/local/lib/sysctl.d/*.conf
- /usr/lib/sysctl.d/*.conf
- /lib/sysctl.d/*.conf
- /etc/sysctl.conf
The actual kernel settings are usually available under the pseudo file system /proc. To see all values, consult /proc/sys/.
Usage
To display all available kernel settings:
sysctl -a
To limit the output to the network class only:
sysctl --pattern '^net.'
To set a value:
sysctl --write KEY=VALUE
To make settings permanent, add them to a configuration file (e.g. /etc/sysctl.d/99-custom.conf), then activate that file:
sysctl -p /etc/sysctl.d/99-custom.conf
To apply the settings from all system configuration files, limited to the keys matching a pattern:
sysctl --system --pattern '^net.'
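Adding a key to a file does not prove it is in effect; a typo in the key or a missing kernel feature silently leaves the old value. The following added example (not part of the original page or the sysctl tool) parses a sysctl.d-style file and compares each key with the live value under /proc/sys, reporting OK, DRIFT or MISSING per key. PROC_SYS is an assumed environment variable so the check can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# Added example: check a desired-state sysctl.d file against the live values
# below a /proc/sys-style tree. PROC_SYS (assumed name) defaults to /proc/sys.

# Print "key=value" for every setting in a sysctl.conf-format file: drops
# comment lines (# or ;) and blank lines, tolerates "key = value" spacing and
# the optional leading "-" that tells sysctl to ignore errors for that key.
sysctl_conf_parse() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$1" | while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | sed -e 's/^[[:space:]]*-\{0,1\}//' -e 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        printf '%s=%s\n' "$key" "$val"
    done
}

# Map a key to its file below the pseudo file system. sysctl rule: when the key
# contains "/", slashes separate components and dots are literal (needed for
# interface names such as eth0.100); otherwise every dot is a separator.
sysctl_key_path() {
    case $1 in
        */*) printf '%s/%s\n' "${PROC_SYS:-/proc/sys}" "$1" ;;
        *)   printf '%s/%s\n' "${PROC_SYS:-/proc/sys}" "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# Report one line per key: OK, DRIFT (expected vs actual) or MISSING (no such
# tunable on this kernel). Multi-value tunables such as ip_local_port_range are
# tab separated in /proc, so whitespace is normalised before comparing.
sysctl_check() {
    sysctl_conf_parse "$1" | while IFS='=' read -r key val; do
        path=$(sysctl_key_path "$key")
        if [ ! -r "$path" ]; then printf 'MISSING %s\n' "$key"; continue; fi
        cur=$(tr -s '[:space:]' ' ' < "$path"); cur=${cur% }
        if [ "$cur" = "$val" ]; then printf 'OK %s=%s\n' "$key" "$val"
        else printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$val" "$cur"; fi
    done
}
```

Run it as `sysctl_check /etc/sysctl.d/99-custom.conf` on a live system; any DRIFT line means the file was never applied, was overridden by another file, or the value was changed at runtime.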
Articles for sysctl
The sysctl settings starting with ipe define the configuration of the IPE (Integrity Policy Enforcement) module. Learn about the settings and their possible values.
The Linux kernel has a range of settings that influence the behavior of the kernel itself. Learn about sysctl settings and values related to the kernel class.
The kernel has a wide range of network settings. Learn about the sysctl command and the values related to the network class.
Relevant sysctl commands
Want to learn more about the commands used in this section? Have a look at the cheat sheets or the related command page.
- sysctl