As this file can usually be found shipped with Linux distributions, it may not be good to replace it.
As kernel configuration files are loaded in dictionary order, we can write our kernel hardening configuration to a file like `z_kernel-hardening_by_k4yt3x.conf`.
P.S. I would use `sysctl --system` rather than `sysctl -p` to load the kernel configuration.
```text
Usage:
 sysctl [options] [variable[=value] ...]

Options:
  -a, --all            display all variables
  -A                   alias of -a
  -X                   alias of -a
      --deprecated     include deprecated parameters to listing
  -b, --binary         print value without new line
  -e, --ignore         ignore unknown variables errors
  -N, --names          print variable names without values
  -n, --values         print only values of the given variable(s)
  -p, --load[=<file>]  read values from file
  -f                   alias of -p
      --system         read values from all system directories
  -r, --pattern <expression>
                       select setting that match expression
  -q, --quiet          do not echo variable set
  -w, --write          enable writing a value to variable
  -o                   does nothing
  -x                   does nothing
  -d                   alias of -h

  -h, --help     display this help and exit
  -V, --version  output version information and exit

For more details see sysctl(8).
```
I spent some time thinking about this problem. I'm still not sure whether to recommend putting this configuration before `99-sysctl.conf` or after it. One way to use this configuration file is to make it static and name it something like `98-k4yt3x.conf`. The user can then edit `/etc/sysctl.conf` to overwrite any of the rules. When the hardened profile gets an update, the new file can be dropped in without many modifications.

However, according to this quote from README.sysctl, either the developer of procps-ng or Linus suggests naming the local configuration such that it's read after `99-sysctl.conf`. This method could be more suitable for those who only want to take this file as a reference and then make their own changes the highest priority permanently.

> My personal preference would be for local system settings to go into
> /etc/sysctl.d/local.conf but as long as you follow the rules for the names
> of the file, anything will work. See sysctl.conf(8) man page for details
> of the format.

I think this topic is still debatable, and we can always include all three solutions.

As for loading the configuration file, the README.sysctl file says the following:

> After making any changes, please run "service procps reload" (or, from
> a Debian package maintainer script "deb-systemd-invoke restart procps.service").

In summary, the effect of `sysctl --system`, `systemctl restart procps` and `systemctl restart systemd-sysctl` should be equivalent. They all reload the kernel configuration from all configuration directories. `sysctl -p`, on the other hand, only loads from `/etc/sysctl.conf`. For a more consistent result, I think preferring `sysctl --system` or `systemctl restart procps` would be more ideal, like you said. I'll add that shortly.
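The two placements discussed above (`98-k4yt3x.conf` before the distro's `99-sysctl.conf`, or a `z_` file after it) differ only in which assignment `sysctl --system` sees last. The script below is an added example, not code from the k4yt3x repository or from procps-ng: it models the merge rule from sysctl(8), which reads every `*.conf` drop-in in lexicographic order of its basename, reads `/etc/sysctl.conf` after all of them, and lets a later assignment to a key override an earlier one. It never writes to `/proc/sys`; it parses files in a scratch directory you hand it, so it runs unprivileged. The file names, keys and values in the scenarios are constructed for the demonstration, and a scratch file stands in for `/etc/sysctl.conf`.

```shell
#!/bin/sh
# Added example; not part of k4yt3x/sysctl or procps-ng. Models how
# `sysctl --system` resolves the effective value of each key from drop-in
# files, without touching the live kernel.

# resolve_sysctl DIR [MAIN_CONF]
# Apply DIR/*.conf in byte-order of basename (as sysctl --system does after
# merging the sysctl.d directories), then MAIN_CONF (the /etc/sysctl.conf
# stand-in) last. Prints the winning "key=value" per key, sorted by key.
resolve_sysctl() {
    dir=$1
    main=${2:-}
    {
        for f in $(ls "$dir" | grep '\.conf$' | LC_ALL=C sort); do
            cat "$dir/$f"
        done
        if [ -n "$main" ] && [ -f "$main" ]; then
            cat "$main"
        fi
    } |
    # drop comment lines (# or ;) and blank lines, as sysctl.conf(5) allows
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' |
    # split at the first '=', trim whitespace, keep the LAST assignment per key
    awk '{
        eq = index($0, "=");
        if (eq == 0) next;
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1);
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v);
        val[k] = v;
    }
    END { for (k in val) print k "=" val[k] }' | sort
}

# effective_value DIR KEY [MAIN_CONF]: the value KEY would end up with.
effective_value() {
    resolve_sysctl "$1" "${3:-}" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Scenario A: hardened profile shipped as 98-k4yt3x.conf; the admin overrides
# one key through 99-sysctl.conf (the distro file that points at /etc/sysctl.conf).
scenario_profile_before_99() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 0\nkernel.kptr_restrict = 2\n' > "$d/98-k4yt3x.conf"
    printf '# local admin override\nnet.ipv4.ip_forward = 1\n' > "$d/99-sysctl.conf"
    effective_value "$d" net.ipv4.ip_forward      # 1: the admin's file is read later
    rm -rf "$d"
}

# Scenario B: the same profile named z_kernel-hardening_by_k4yt3x.conf, so it
# sorts after 99-sysctl.conf and its assignment wins.
scenario_profile_after_99() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 1\n' > "$d/99-sysctl.conf"
    printf 'net.ipv4.ip_forward = 0\n' > "$d/z_kernel-hardening_by_k4yt3x.conf"
    effective_value "$d" net.ipv4.ip_forward      # 0: the z_ file is read last
    rm -rf "$d"
}

# Scenario C: sysctl --system reads /etc/sysctl.conf after every drop-in, so a
# key set there still beats the z_ file. "$d/etc_sysctl" stands in for it
# (deliberately not *.conf so it is not picked up as a drop-in).
scenario_main_conf_last() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 0\n' > "$d/z_kernel-hardening_by_k4yt3x.conf"
    printf 'net.ipv4.ip_forward = 1\n' > "$d/etc_sysctl"
    effective_value "$d" net.ipv4.ip_forward "$d/etc_sysctl"   # 1
    rm -rf "$d"
}

# Stand-alone run: show which assignment wins for net.ipv4.ip_forward.
echo "A (98-k4yt3x.conf, admin override in 99-sysctl.conf): $(scenario_profile_before_99)"
echo "B (z_ file after 99-sysctl.conf):                      $(scenario_profile_after_99)"
echo "C (z_ file, then /etc/sysctl.conf read last):          $(scenario_main_conf_last)"
```

Point `resolve_sysctl` at a copy of your own `/etc/sysctl.d` (and `/etc/sysctl.conf` as the second argument) to see which file wins for each key before you run `sysctl --system` for real. Scenario C is the caveat to keep in mind when choosing the `z_` naming: with `sysctl --system`, `/etc/sysctl.conf` is still read after all drop-ins, so settings placed there override the hardening file either way.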