Sysctl
Sysctl classes
| Class | Description |
|---|---|
| ipe | Integrity Policy Enforcement (IPE) settings |
| kernel | Global kernel parameters |
| net | Network parameters and tuning |
Introduction
The sysctl tool configures kernel parameters, also called tunables, at runtime. By changing the relevant sysctl keys and their values, the behavior of the system can be changed. Several keys are security-related and help with kernel hardening, or with system hardening in general.
Files and locations
The configuration of sysctl is typically spread over multiple files and paths. Systems with systemd will have additional paths.
Files are read in order and the first match of a kernel setting is used.
- /etc/sysctl.d/*.conf
- /run/sysctl.d/*.conf
- /usr/local/lib/sysctl.d/*.conf
- /usr/lib/sysctl.d/*.conf
- /lib/sysctl.d/*.conf
- /etc/sysctl.conf
The actual kernel settings are exposed through the pseudo file system /proc. To see all values, consult /proc/sys/.
Usage
To display all available kernel settings:
sysctl -a
To limit the output to the network class only:
sysctl -a --pattern '^net.'
To set a value:
sysctl --write KEY=VALUE
To make settings permanent, add them to a configuration file (e.g. /etc/sysctl.d/99-custom.conf). Then activate that file with:
sysctl -p /etc/sysctl.d/99-custom.conf
To (re)load all settings from the system configuration files, restricted to keys matching a pattern:
sysctl --system --pattern '^net.'
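The file layout and the drop-in workflow above can be modelled without touching the live kernel. The following POSIX sh script is an added example, not part of the original page or of the sysctl tool: it resolves which drop-in files win across the search path listed under "Files and locations", parses a sysctl.conf-style file into /proc/sys paths, and checks a hardening file against the running kernel read-only. The duplicate-file-name rule (the copy in the first directory wins) and the handling of a leading '-' on a key are taken from the procps-ng sysctl(8) behaviour, and the constructed sample drop-ins are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page or from procps-ng): a small model
# of how sysctl --system selects drop-in files, how keys map to /proc/sys, and
# a read-only compliance check of a hardening file against the running kernel.

# Search path in the order the page lists it; /etc/sysctl.conf is read last.
SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"

# sysctl_key_to_path KEY: translate a sysctl key to its /proc/sys entry.
# A key written with '/' keeps its dots literal, which is how interfaces with a
# dot in their name (e.g. VLAN device eth0.100) are addressed.
sysctl_key_to_path() {
  case $1 in
    */*) printf '/proc/sys/%s\n' "$1" ;;
    *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)" ;;
  esac
}

# sysctl_winning_files ROOT: print "NAME PATH" for every drop-in that would be
# loaded, in search order. ROOT is prefixed to each directory so the function
# can run against a constructed tree; pass "" for the live system. A file name
# already seen in an earlier directory shadows the same name in later ones, so
# an admin copy in /etc/sysctl.d overrides a vendor file in /usr/lib/sysctl.d.
sysctl_winning_files() {
  swf_root=$1 swf_seen=" "
  for d in $SYSCTL_DIRS; do
    for f in "$swf_root$d"/*.conf; do
      [ -f "$f" ] || continue
      name=${f##*/}
      case $swf_seen in *" $name "*) continue ;; esac
      swf_seen="$swf_seen$name "
      printf '%s %s\n' "$name" "$f"
    done
  done
  [ -f "$swf_root/etc/sysctl.conf" ] && printf 'sysctl.conf %s\n' "$swf_root/etc/sysctl.conf"
  return 0
}

# sysctl_conf_parse FILE: print "PROC_PATH VALUE" per setting, skipping comment
# lines (# or ;) and blank lines. A leading '-' on a key tells sysctl to ignore
# errors for that key; it is not part of the name and is dropped here.
sysctl_conf_parse() {
  sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$1" |
  while IFS= read -r line; do
    case $line in *=*) ;; *) continue ;; esac
    key=${line%%=*} val=${line#*=}
    key=$(printf '%s' "$key" | sed 's/^[[:space:]]*-\{0,1\}//; s/[[:space:]]*$//')
    val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s %s\n' "$(sysctl_key_to_path "$key")" "$val"
  done
}

# sysctl_check_file FILE: compare each setting in FILE with the running kernel
# without writing anything. Prints "ok|differs|missing PROC_PATH WANTED [CURRENT]"
# and returns non-zero if any setting differs or is absent, so it can gate a
# deployment or feed a compliance report. Needs no privileges beyond reading.
sysctl_check_file() {
  rc=0
  while read -r path want; do
    [ -n "$path" ] || continue
    if [ ! -e "$path" ]; then
      printf 'missing %s %s\n' "$path" "$want"; rc=1
    else
      have=$(cat "$path" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
      if [ "$have" = "$want" ]; then printf 'ok %s %s\n' "$path" "$want"
      else printf 'differs %s %s %s\n' "$path" "$want" "$have"; rc=1; fi
    fi
  done <<EOF
$(sysctl_conf_parse "$1")
EOF
  return $rc
}

# Demo on a constructed tree (not the live system): the vendor 50-default.conf
# is shadowed by the admin copy, and 99-custom.conf is parsed into /proc paths.
sysctl_demo() {
  demo_root=$(mktemp -d) || return 1
  mkdir -p "$demo_root/etc/sysctl.d" "$demo_root/usr/lib/sysctl.d"
  printf 'net.ipv4.ip_forward = 1\n' > "$demo_root/usr/lib/sysctl.d/50-default.conf"
  printf 'net.ipv4.ip_forward = 0\n' > "$demo_root/etc/sysctl.d/50-default.conf"
  printf '# constructed hardening drop-in\nkernel.kptr_restrict = 2\n-net/ipv4/conf/all/rp_filter = 1\n' \
    > "$demo_root/etc/sysctl.d/99-custom.conf"
  sysctl_winning_files "$demo_root"
  sysctl_conf_parse "$demo_root/etc/sysctl.d/99-custom.conf"
  rm -rf "$demo_root"
}

sysctl_demo
```

Run `sysctl_check_file /etc/sysctl.d/99-custom.conf` after writing a drop-in to see which keys the running kernel does not yet match before applying it with `sysctl -p`; the `missing` state catches keys that belong to a module or kernel feature the host does not have.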