How to solve
The Linux kernel can be tuned with the sysctl command. It uses a list of kernel parameters, which alter how the kernel should behave within the areas of storage, network, memory management, and more.
Lynis has a default list of best practice values for sysctl. They are tested within this particular control, with a related suggestion when the actual value on the system is different than the expected value. This does not always mean the system is weakly configured. It depends on the primary goal of the system, and its focus area(s). A system with the role to be a router will have to be tuned more aggressively when it comes to the network stack. Production systems with a lot of write activity to the hard disks might need tuning when it comes to buffering.
We suggest to check each discovered key and determine the best value for your system. There is not a "one size fits all" solution here. The additional resources might be useful for further analysis. Also in our Enterprise version we have more details available to help you tuning your systems.
- Linux sysctl keys and descriptions (Describes the available keys and what they do, or how they impact the system)
Need more details?
Consider the upgrade to Lynis Enterprise to receive additional details and guidance. The Enterprise version helps to you with daily health checks of your environment, learn in-depth system hardening, and resources to protect your systems better.See demo
Lynis is a technical security auditing tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. Typical usage include system hardening, compliance testing, and vulnerability scanning. The project has an active community, including development via GitHub.
Do you need to collect data from multiple systems or compliance reporting? Lynis Enterprise uses Lynis to collect the data and make your work easier.
Benefits: automate security audits, detailed reporting, compliance testing.
- Centralized management
- Improvement plan with priorities
- Predefined policies
- Integration (API)
- Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack