KRNL-6000 - Kernel sysctl values

(Kernel)

This information is provided as part of the Lynis community project. It is related to Lynis control KRNL-6000 and should be considered as-is and without guarantees. Any advice and commands should be tested before implementing them in production environments.

Description

By means of sysctl values we can adjust kernel related parameters. Many of them are related to hardening of the network stack, how the kernel deals with processes or files. This control is a generic test with several sysctl variables (configured by the scan profile).

How to solve

The Linux kernel can be tuned with the sysctl command. It uses a list of kernel parameters, which alter how the kernel should behave within the areas of storage, network, memory management, and more.

Lynis has a default list of best practice values for sysctl. They are tested within this particular control, with a related suggestion when the actual value on the system is different than the expected value. This does not always mean the system is weakly configured. It depends on the primary goal of the system, and its focus area(s). A system with the role to be a router will have to be tuned more aggressively when it comes to the network stack. Production systems with a lot of write activity to the hard disks might need tuning when it comes to buffering.

We suggest to check each discovered key and determine the best value for your system. There is not a "one size fits all" solution here. The additional resources might be useful for further analysis. Also in our Enterprise version we have more details available to help you tuning your systems.

Additional resources

Need more details?

Consider an upgrade to Lynis Enterprise to receive more guidance. The Enterprise version helps to you with daily health checks of your environment, learn in-depth system hardening, and resources to protect your systems better.

See demo

About

Lynis is a technical security auditing tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. Typical usage include system hardening, compliance testing, and vulnerability scanning. The project has an active community, including development via GitHub.

Lynis Enterprise

Do you need to collect data from multiple systems or compliance reporting? Lynis Enterprise uses Lynis to collect the data and make your work easier.

Benefits: automate security audits, detailed reporting, compliance testing.

  • Centralized management
  • Improvement plan with priorities
  • Reporting
  • Dashboards
  • Predefined policies
  • Integration (API)
  • Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack
Take the Tour