Security Controls

KRNL-6000 - Kernel sysctl values

Description

Sysctl values adjust kernel parameters. Many of them relate to hardening the network stack, or to how the kernel deals with processes or files. This control is a generic test that covers several sysctl variables (configured by the scan profile).

Group

Kernel

How to solve

The Linux kernel can be tuned with the sysctl command. It uses a list of kernel parameters, which alter how the kernel should behave within the areas of storage, network, memory management, and more.

Lynis has a default list of best practice values for sysctl. This control tests them and gives a related suggestion when the actual value on the system differs from the expected value. A difference does not always mean the system is weakly configured; that depends on the primary goal of the system and its focus area(s). A system that acts as a router will have to be tuned more aggressively when it comes to the network stack. Production systems with a lot of write activity to the hard disks might need tuning when it comes to buffering.

We suggest checking each discovered key and determining the best value for your system. There is no "one size fits all" solution here. The additional resources might be useful for further analysis. Our Enterprise version also has more details available to help you tune your systems.
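
The comparison described above can be reproduced by hand when reviewing keys. The following shell function is an added example, not Lynis code: it compares a list of expected values with `sysctl -a` style output and reports each key as OK, DIFFERENT or MISSING. The function name `check_sysctl`, the expected values and the sample output are constructed for illustration and are not the Lynis default list.

```shell
#!/bin/sh
# Added example: report how actual sysctl values differ from an expected list.
# Expected list: "key value" per line; blank lines and '#' comments are skipped.
# Actual values: "key = value" lines, the format printed by `sysctl -a`.

check_sysctl() {
    # $1 = expected list, $2 = actual values
    printf '%s\n' "$1" | while read -r key want; do
        case "$key" in ''|'#'*) continue ;; esac
        # Look the key up and collapse tabs in multi-value settings to spaces.
        have=$(printf '%s\n' "$2" | awk -F' = ' -v k="$key" \
            '$1 == k { v = $2; gsub(/[ \t]+/, " ", v); print v; exit }')
        if [ -z "$have" ]; then
            # Key absent, e.g. the kernel feature or module is not present.
            echo "MISSING $key (expected $want)"
        elif [ "$have" != "$want" ]; then
            echo "DIFFERENT $key: actual=$have expected=$want"
        else
            echo "OK $key=$have"
        fi
    done
}

# Constructed expected values for illustration (not the Lynis default list).
EXPECTED_SAMPLE='# key expected
kernel.kptr_restrict 2
kernel.dmesg_restrict 1
fs.protected_hardlinks 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1'

# Constructed `sysctl -a` style output from an imaginary router.
# rp_filter = 2 (loose mode) is a deliberate choice there, not a weakness.
ACTUAL_SAMPLE='fs.protected_hardlinks = 1
kernel.dmesg_restrict = 0
kernel.kptr_restrict = 2
net.ipv4.conf.all.rp_filter = 2'

check_sysctl "$EXPECTED_SAMPLE" "$ACTUAL_SAMPLE"

# On a live system (expected.txt is a hypothetical file in the format above):
#   check_sysctl "$(cat expected.txt)" "$(sysctl -a 2>/dev/null)"
```

A DIFFERENT line is a prompt to review that key against the role of the system, as with the loose-mode `rp_filter` in the sample.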

Additional resources


Linux and Unix System Hardening

This information is provided as part of the Lynis community project. It is related to Lynis control KRNL-6000. All information should be considered as-is, without guarantees. Any advice or snippets should be tested before implementing in production environments.

Lynis

Lynis is a technical security audit tool for systems running Linux, UNIX, *BSD, and macOS. It is open source software and free to use. The project has an active community, and can also be found on GitHub.
