Sysctl

Sysctl classes

Class    Description
ipe      Integrity Policy Enforcement (IPE) settings
kernel   Global kernel parameters
net      Network parameters and tuning

Introduction

The sysctl tool configures kernel parameters, also called tunables. Changing the related sysctl keys and their values changes the behavior of the system. Several keys are security-related and can help with kernel hardening, or with system hardening in general.

Files and locations

The configuration of sysctl is typically spread over multiple files and paths. Systems with systemd will have additional paths.

Files are read in order and the first match of a kernel setting is used.

  • /etc/sysctl.d/*.conf
  • /run/sysctl.d/*.conf
  • /usr/local/lib/sysctl.d/*.conf
  • /usr/lib/sysctl.d/*.conf
  • /lib/sysctl.d/*.conf
  • /etc/sysctl.conf

The live kernel settings are exposed through the /proc pseudo file system. To see all values, look under /proc/sys/.
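The mapping between a dotted sysctl key and its file under /proc/sys is simple: each dot becomes a path separator. The script below, an added example that is not part of this page, uses that mapping to read a handful of real, hardening-relevant keys directly from the pseudo file system and compare them with an expected baseline. The baseline values and the SYS_ROOT variable (which lets the functions run against a constructed directory tree instead of the real /proc/sys) are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit a few hardening-relevant sysctl keys by reading the
# /proc/sys pseudo file system directly, the same source `sysctl -a` uses.
# SYS_ROOT defaults to /proc/sys; it can point at a constructed tree for testing.
SYS_ROOT="${SYS_ROOT:-/proc/sys}"

# Translate a dotted sysctl key into its path under the pseudo file system:
#   kernel.kptr_restrict -> $SYS_ROOT/kernel/kptr_restrict
key_to_path() {
    printf '%s/%s\n' "$SYS_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the current value of a key, or "missing" if the kernel does not expose it.
# Tabs (used by multi-field keys such as kernel.printk) are collapsed to spaces.
read_key() {
    path=$(key_to_path "$1")
    if [ -r "$path" ]; then
        tr -s '\t' ' ' < "$path"
    else
        echo missing
    fi
}

# Expected baseline (assumption for the example): real kernel keys with the
# values this example treats as the hardened state. Format: key expected-value
BASELINE='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.randomize_va_space 2
net.ipv4.conf.all.rp_filter 1
net.ipv4.ip_forward 0'

# Compare every baseline key with the live value, print one line per key and
# return the number of deviations (0 means the system matches the baseline).
check_baseline() {
    failures=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(read_key "$key")
        if [ "$actual" = "$expected" ]; then
            printf 'OK   %s = %s\n' "$key" "$actual"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$key" "$actual" "$expected"
            failures=$((failures + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$failures"
}

# Run the report on the live system when invoked as:  sh check-sysctl.sh --check
# The exit status is the number of keys that deviate from the baseline.
if [ "${1:-}" = "--check" ]; then
    check_baseline
fi
```

Reading /proc/sys directly rather than parsing `sysctl -a` output keeps the check independent of the sysctl binary and of locale-dependent formatting; it also shows that a key which is "missing" (the kernel was built without that feature or module) is a distinct result from a wrong value.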

Usage

To display all available kernel settings:

sysctl -a

To limit the output to the network class only:

sysctl -a --pattern '^net\.'

To set a value:

sysctl --write KEY=VALUE

To make settings persistent across reboots, add them to a configuration file (e.g. /etc/sysctl.d/99-custom.conf). Then load that file with sysctl -p /etc/sysctl.d/99-custom.conf.

To apply all system configuration files, restricted to the keys that match a pattern:

sysctl --system --pattern '^net.'
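The "Files and locations" section lists the directories that sysctl --system reads, and the command above filters that run with a pattern. The script below is an added example, not part of this page or of the procps project, that models how the effective configuration is assembled from those directories: a file name that was already loaded from an earlier directory is skipped in later ones, the loaded files are applied in lexicographic order of their name with /etc/sysctl.conf last, and within that order a key set later overrides an earlier value. That is the behaviour documented for procps-ng sysctl(8) and goes slightly beyond the page's one-line summary. The CONF_ROOT variable, which redirects the lookup to a constructed tree, is an assumption made for the example.

```sh
#!/bin/sh
# Added example: compute the settings that `sysctl --system` would apply,
# optionally restricted to keys matching an extended regex (like --pattern).
# CONF_ROOT is prepended to every path so the functions can run against a
# constructed directory tree instead of the real system.
CONF_ROOT="${CONF_ROOT:-}"

# Directories in the order sysctl(8) searches them; /etc/sysctl.conf is read last.
SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"

# List the .conf files that would actually be loaded: a file name seen in an
# earlier directory shadows the same name in later ones, and the survivors are
# applied in lexicographic order of their name, followed by /etc/sysctl.conf.
effective_files() {
    seen=" "
    for dir in $SYSCTL_DIRS; do
        for f in "$CONF_ROOT$dir"/*.conf; do
            [ -f "$f" ] || continue
            name=${f##*/}
            case "$seen" in
                *" $name "*) continue ;;       # shadowed by an earlier directory
            esac
            seen="$seen$name "
            printf '%s %s\n' "$name" "$f"
        done
    done | sort -k1,1 | cut -d' ' -f2-
    [ -f "$CONF_ROOT/etc/sysctl.conf" ] && echo "$CONF_ROOT/etc/sysctl.conf"
    return 0
}

# Parse one configuration file into "key=value" lines. Lines whose first
# non-blank character is '#' or ';' are comments, whitespace around '=' is
# trimmed, a leading '-' (ignore write errors) is dropped and '/' in a key is
# normalised to '.', so net/ipv4/ip_forward and net.ipv4.ip_forward are the same key.
parse_conf() {
    awk '
        /^[[:space:]]*$/    { next }          # blank line
        /^[[:space:]]*[#;]/ { next }          # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                 # not a "key = value" line
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            sub(/^-/, "", key)
            gsub("/", ".", key)
            print key "=" val
        }' "$1"
}

# Print the effective key=value set in first-seen order. A key assigned again
# in a later file takes the later value. $1 is an optional extended regex that
# keys must match (default: everything).
resolve_settings() {
    for f in $(effective_files); do           # paths without spaces assumed
        parse_conf "$f"
    done | PAT="${1:-.}" awk '
        BEGIN { pat = ENVIRON["PAT"] }        # ENVIRON avoids -v escape processing
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (key !~ pat) next
            if (!(key in value)) order[++n] = key
            value[key] = val                  # later file overrides earlier one
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }'
}

# When run directly with a pattern argument, print the live system's effective
# settings, e.g.:  sh effective-sysctl.sh '^net\.'
if [ "$#" -gt 0 ]; then
    resolve_settings "$1"
fi
```

Comparing the output of resolve_settings with the values read from /proc/sys is a quick way to spot a setting that was changed at runtime (with sysctl --write) but never persisted, or a vendor file under /usr/lib/sysctl.d that silently overrides a local choice because its name sorts later than the local file.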