The kernel itself also comes with its own settings that can be tweaked by customizing kernel parameters. A wide range of kernel-level parameters get set during system boot. All the kernel settings are exposed as a large collection of files under the /proc/sys
directory. The parameters stored in this directory are often referred to as "system parameters". Making changes to files in this folder won't be persistent, because the entire /proc filesystem is recreated at every reboot.
To view the parameter settings, you can instead use the sysctl command:
$ sysctl -a
abi.vsyscall32 = 1
crypto.fips_enabled = 0
debug.exception-trace = 1
debug.kprobes-optimization = 1
dev.cdrom.autoclose = 1
dev.cdrom.autoeject = 0
...etc
Here, the periods are used as delimiters; you can think of them as the forward slashes in the path of the corresponding file under /proc/sys (e.g. net.ipv4.ip_forward is /proc/sys/net/ipv4/ip_forward).
sysctl can also be used to apply non-persistent changes to the kernel parameter settings:
$ sysctl -a | grep "ip_forward "
net.ipv4.ip_forward = 1
$ sysctl net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
This is useful for testing your changes before making them persistent. To make a change persistent, you need to add the setting to the /etc/sysctl.conf file:
$ cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
For example, let's say we want to change the net.ipv4.ip_forward setting, which is currently set to:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
We want to enable this feature (i.e. set it to "1") and make it survive a reboot. To do this we append the line "net.ipv4.ip_forward = 1" to /etc/sysctl.conf:
$ cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
Tip: There's also the /etc/sysctl.d folder where you can store persistent settings instead, e.g. we could do something like:
[root@target sysctl.d]# echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/01-ipv4.conf
[root@target sysctl.d]# ll /etc/sysctl.d/
total 4
-rw-r--r--. 1 root root 24 Mar 31 10:51 01-ipv4.conf
lrwxrwxrwx. 1 root root 14 Feb  2 13:31 99-sysctl.conf -> ../sysctl.conf
Note: you need to prefix the .conf file's name with two digits followed by a hyphen. The number controls the order in which the .conf files are applied (lexically later files override earlier ones for the same key); the rest of the file name can be whatever you want. Now we need to test that this is persistent. You don't need to reboot the system to test for persistence; instead you can run sysctl --system
to effectively mimic a reboot:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /etc/sysctl.d/01-ipv4.conf ...
net.ipv4.ip_forward = 1
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Success!
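The apply order shown above matters: a lexically later drop-in (or /etc/sysctl.conf, applied last) silently wins for a key that several files set. The following shell script is an added example, not part of the original post, that resolves the value a key will have after sysctl --system from a single drop-in directory (a simplification of the real multi-directory merge) and flags drift between that persisted value and the running one; the helper names and the sample .conf files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the value a key ends up with
# after `sysctl --system`, given that drop-ins are applied in lexical order and a
# later file overrides an earlier one, then compare it with the running value.
# Simplification: one drop-in directory; the sample files below are constructed.

# effective_value DIR KEY -> prints the last value set for KEY across DIR/*.conf
effective_value() {
    dir=$1; key=$2; val=""
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # make the dots literal for grep
    for f in "$dir"/*.conf; do                    # globs expand in sorted order
        [ -f "$f" ] || continue
        v=$(sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' "$f" \
            | grep "^${esc}[[:space:]]*=" | tail -n 1 \
            | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$v" ] && val=$v                     # later file wins
    done
    printf '%s' "$val"
}

# drift_status RUNNING PERSISTENT -> ok | drift | unmanaged (set by no drop-in)
drift_status() {
    if [ -z "$2" ]; then echo unmanaged
    elif [ "$1" = "$2" ]; then echo ok
    else echo drift
    fi
}

# Constructed drop-ins: the post's 01-ipv4.conf, vendor-style defaults, and a
# lexically later local file that silently overrides 01-ipv4.conf.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 1\n' > "$d/01-ipv4.conf"
    printf 'kernel.sysrq = 16\nnet.ipv4.conf.all.rp_filter = 1\nfs.protected_symlinks = 1\n' \
        > "$d/50-default.conf"
    printf '# local override (constructed)\nnet.ipv4.ip_forward = 0\n' > "$d/99-local.conf"
    printf '%s' "$d"
}

# Demo: running=1 for ip_forward reports drift, because 99-local.conf wins with 0.
demo() {
    d=$(make_demo_dir)
    for k in net.ipv4.ip_forward kernel.sysrq kernel.yama.ptrace_scope; do
        p=$(effective_value "$d" "$k")
        r=1    # on a real host use: r=$(sysctl -n "$k")
        printf '%-26s persistent=%-6s running=%s -> %s\n' \
            "$k" "${p:-(none)}" "$r" "$(drift_status "$r" "$p")"
    done
    rm -rf "$d"
}
```

Call demo to see the three outcomes; pointing effective_value at a copy of your own /etc/sysctl.d and replacing the literal running value with sysctl -n turns it into a quick audit of which hardening keys (rp_filter, protected_symlinks, ptrace_scope) are actually pinned by a drop-in.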
Some kernel settings should never be modified
There are some kernel parameters that should never be modified, otherwise they could cause unexpected side effects. They are quite easy to identify, as their files don't have write permissions. E.g.:
[root@box1 kernel]# pwd
/proc/sys/kernel
[root@box1 kernel]# ll | head
total 0
-rw-r--r--. 1 root root 0 Feb 22 17:34 acct
-rw-r--r--. 1 root root 0 Feb 22 17:34 acpi_video_flags
-rw-r--r--. 1 root root 0 Feb 22 17:34 auto_msgmni
-r--r--r--. 1 root root 0 Feb 22 17:34 bootloader_type
-r--r--r--. 1 root root 0 Feb 22 17:34 bootloader_version    << This should not be edited.
-rw-------. 1 root root 0 Feb 22 17:34 cad_pid
-r--r--r--. 1 root root 0 Feb 22 17:21 cap_last_cap
-rw-r--r--. 1 root root 0 Feb 22 17:34 compat-log
-rw-r--r--. 1 root root 0 Feb 22 17:34 core_pattern
$ sysctl -a
$ sysctl net.ipv4.ip_forward
# Append the following:
"net.ipv4.ip_forward = 1"
# to the file:
/etc/sysctl.conf
# reboot the system, or run:
$ sysctl --system # this reloads all kernel settings