In the previous article I covered checking the kernel .config file. But kernel security isn’t just about compile-time options — runtime settings matter just as much.

Kernel Checker now supports sysctl checking. Checks are based on recommendations from KSPP, grsecurity, CLIP OS, and CIS Benchmark.

Sysctl — Runtime Settings

Sysctl parameters are kernel settings available at runtime. Most can be changed without recompiling, though some are read-only and depend on compile-time kernel options. Some of them directly affect security:

# Ptrace restriction (Yama)
kernel.yama.ptrace_scope = 1

# Symlink/hardlink attack protection
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# ASLR
kernel.randomize_va_space = 2

# Network protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

To check your settings:

sudo sysctl -a > sysctl.txt

Upload sysctl.txt to Kernel Checker under the Sysctl tab. You’ll get a list of options that deviate from the recommendations.

sudo matters — without root privileges some options won’t be visible and the check will be incomplete.

What if something is wrong?

Most parameters can be changed on the fly, without a reboot:

sudo sysctl -w kernel.yama.ptrace_scope=1

To make changes persist across reboots, add them to /etc/sysctl.d/99-hardening.conf:

kernel.yama.ptrace_scope = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 1

Then load:

sudo sysctl -p /etc/sysctl.d/99-hardening.conf

Files in /etc/sysctl.d/ are loaded automatically at boot. Some distros ship their own files with basic security settings.
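The check-then-fix loop above (dump with sudo sysctl -a, compare against recommendations, write the deviations to /etc/sysctl.d/) as a small added script. This is not Kernel Checker's own code; the recommendation table is a constructed subset of the values listed in this post, and the sample dump is constructed to stand in for a real sysctl.txt.

```sh
#!/bin/sh
# Added example (not Kernel Checker's code): compare a `sysctl -a` dump against
# a recommendation table and print the deviations in sysctl.d format.

# Constructed recommendation table ("key expected"), a subset of the post's list.
RECOMMENDED='kernel.yama.ptrace_scope 1
fs.protected_symlinks 1
fs.protected_hardlinks 1
kernel.randomize_va_space 2
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0'

# check_sysctl DUMPFILE
# For each recommended key that is missing from the dump (read-only, or the
# dump was taken without sudo) or has another value, print "key = expected".
# The non-comment output lines can go straight into /etc/sysctl.d/99-hardening.conf.
# Returns 0 when everything matches, 1 when at least one key deviates.
check_sysctl() {
    dump="$1"
    deviations=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        # sysctl -a prints "key = value"; escape the dots so they match literally
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        actual=$(sed -n "s/^$pattern = //p" "$dump" | head -n 1)
        if [ -z "$actual" ]; then
            printf '# %s: not in dump (read-only, or collected without sudo?)\n' "$key"
            printf '%s = %s\n' "$key" "$expected"
            deviations=1
        elif [ "$actual" != "$expected" ]; then
            printf '# %s: current %s, recommended %s\n' "$key" "$actual" "$expected"
            printf '%s = %s\n' "$key" "$expected"
            deviations=1
        fi
    done <<EOF
$RECOMMENDED
EOF
    return $deviations
}

# Constructed sample dump standing in for `sudo sysctl -a > sysctl.txt`
# (send_redirects deliberately absent, three values below the recommendation).
SAMPLE_DUMP=$(mktemp)
cat >"$SAMPLE_DUMP" <<'EOF'
kernel.yama.ptrace_scope = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 1
EOF

if check_sysctl "$SAMPLE_DUMP"; then echo "# all recommended sysctls match"; fi
```

Run it against a real dump with `check_sysctl sysctl.txt > 99-hardening.conf`, review the file, then apply it with sudo sysctl -p as shown above.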