This repository hosts an **aggressively** hardened version of `sysctl.conf`. This configuration file aims to provide better security for Linux systems and to improve system performance wherever possible. Below are some of the features this configuration file provides:
**Please review the configuration file carefully before applying it.** You are ultimately responsible for your own system. If you need some guidance understanding what each setting is for, the [sysctl-explorer](https://sysctl-explorer.net/) might come in handy. You may also find [Linux's kernel documentation](https://www.kernel.org/doc/Documentation/sysctl/) useful.
This configuration file is written with a few assumptions about your system. You can still use this configuration as a template if your system does not match these assumptions (e.g., set `net.ipv4.ip_forward` to `1` if your system also acts as a router). Making these assumptions helps in developing a configuration file that enables as many optimizations as possible for common systems.
Linux kernel runtime configuration files are typically stored in the `/etc/sysctl.d` directory, where all `.conf` files are automatically loaded by a service like `systemd-sysctl`. The exact file locations and loading behavior may vary depending on the distribution and the sysctl service in use.
Files are read in lexicographic order of their file names, and **a variable read later overwrites the same variable read earlier.** For example, `20-something.conf` is read before `99-sysctl.conf`; if both files set the same variable, the value from `99-sysctl.conf` is the one that ends up in effect:
Also, sysctl services might load configuration files from multiple paths. For example, the `systemd-sysctl` service also discovers configuration files from these directories in addition to `/etc/sysctl.d`:
It is a good idea to check which other sysctl configuration files are loaded, and in what order, so that none of them silently overrides your settings. On a system using systemd, you can list the configuration files in the order they are applied by running:
I recommend deploying this configuration file as a template, then adding your custom override values in another configuration file that is loaded after the template (e.g., `/etc/sysctl.d/99-sysctl.conf`). For example, I personally have this template deployed to `/etc/sysctl.d/98-k4yt3x.conf`, then added several override values in `/etc/sysctl.d/99-sysctl.conf`.
The advantage of this approach is ease of maintenance. The same template configuration file can be deployed across multiple machines, while machine-specific customizations are kept in a separate file. This way, you can upgrade the template as new versions are released without having to migrate the customized values. It also makes it easier to see which customizations are applied to a given machine. I will walk you through the deployment steps below.
Then, you can add your custom values to a configuration file that will be loaded after the template configuration file, such as `/etc/sysctl.d/99-sysctl.conf`. Here are some custom overrides I have added to one of my workstations for convenience and performance:
Be aware that values from the template may be overwritten by other configuration files. For example, on my system a file named `uhd-usrp2.conf` is loaded after `99-sysctl.conf` and overrides the values of `net.core.rmem_max` and `net.core.wmem_max` defined earlier. Package managers can add new configuration files when you install or update packages, so you need to be careful that your custom settings are not overridden by those files.
For the changes to take effect, you have to reload the sysctl configuration, either by rebooting the machine or by running one of the following commands:
Afterwards, verify your changes by dumping live kernel parameters. Replace `your.config` in the following command with the name of the variable you would like to check:
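The loading rules described earlier (lexicographic order across directories, same-name masking between directories, later assignments winning) and the verification step above are easy to get wrong by hand once package-installed files such as `uhd-usrp2.conf` enter the picture. The following POSIX shell script is an added example and is not part of this repository: it resolves which file finally sets a given key under those rules, and then flags every key whose live value under `/proc/sys` differs from what the files configure. The directory search order, the same-name masking rule, the C-locale sort, the sample files (`50-vendor.conf`, `98-k4yt3x.conf`, `99-sysctl.conf`, `uhd-usrp2.conf`) and the fake `/proc/sys` tree are assumptions constructed for the demo; `/etc/sysctl.conf` itself is not modelled.

```shell
#!/bin/sh
# Added example (not code from this repository): resolve which file wins for a
# sysctl key under the systemd-sysctl precedence rules, then compare the
# resolved values against the live kernel values under /proc/sys.
#
# Assumptions made here (not stated by the README):
#  - directories are passed in search order, most authoritative first
#    (e.g. /etc/sysctl.d before /usr/lib/sysctl.d);
#  - a file in an earlier directory masks a same-named file in a later one;
#  - surviving files are read in C-locale lexicographic order of basename,
#    and a later assignment to a key overwrites an earlier one;
#  - /etc/sysctl.conf itself is not modelled.

# Emit "key<TAB>value" for every assignment in one file. Accepts "key = value"
# and "key=value", a leading "-" (ignore-errors prefix), "/" as well as "."
# separators; skips blank lines and "#"/";" comments.
parse_sysctl_file() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' -e 's/^-//' "$1" |
    awk 'index($0, "=") {
        i = index($0, "=")
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        sub(/[[:space:]]+$/, "", k); gsub("/", ".", k)
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        print k "\t" v
    }'
}

# List the files that would be read, one "basename<TAB>path" per line, in read
# order: same-name masking across directories first, then a C-locale sort.
ordered_conf_files() {
    seen=" "
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            b=${f##*/}
            case "$seen" in *" $b "*) continue ;; esac   # masked by an earlier dir
            seen="$seen$b "
            printf '%s\t%s\n' "$b" "$f"
        done
    done | LC_ALL=C sort
}

# effective_sysctl KEY DIR... -> "value<TAB>file" of the winning assignment,
# or no output if no file sets KEY.
effective_sysctl() {
    key=$1; shift
    ordered_conf_files "$@" | while read -r b f; do
        parse_sysctl_file "$f" | awk -F'\t' -v k="$key" -v f="$f" '$1 == k { print $2 "\t" f }'
    done | tail -n 1
}

# live_value KEY [ROOT] -> current kernel value read from ROOT (default
# /proc/sys) instead of calling sysctl(8), so tests can point it at a fake tree.
# Multi-field values (e.g. net.ipv4.tcp_rmem) are normalised to single spaces.
live_value() {
    p="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$p" ] && tr -s '[:space:]' ' ' < "$p" | sed 's/ $//'
}

# sysctl_drift ROOT DIR... -> "key<TAB>configured<TAB>live" for every key the
# config files set whose live value under ROOT differs or is missing.
sysctl_drift() {
    root=$1; shift
    ordered_conf_files "$@" | while read -r b f; do parse_sysctl_file "$f"; done |
    awk -F'\t' '{ v[$1] = $2 } END { for (k in v) print k "\t" v[k] }' | LC_ALL=C sort |
    while read -r k want; do
        have=$(live_value "$k" "$root" || true)
        [ "$have" = "$want" ] || printf '%s\t%s\t%s\n' "$k" "$want" "${have:-<unset>}"
    done
}

# Constructed sample tree (not real system files): etc/ plays /etc/sysctl.d,
# lib/ plays /usr/lib/sysctl.d, sys/ plays /proc/sys.
make_demo_tree() {
    r=$1
    mkdir -p "$r/etc" "$r/lib" "$r/sys/net/core" "$r/sys/net/ipv4" "$r/sys/kernel"
    printf 'net.core.rmem_max = 8388608\n' > "$r/lib/50-vendor.conf"
    printf 'kernel.sysrq = 1\n' > "$r/lib/99-sysctl.conf"   # masked by etc/99-sysctl.conf
    printf '# template\nnet.core.rmem_max = 16777216\nnet.ipv4.ip_forward = 0\nkernel.kptr_restrict = 2\n' > "$r/etc/98-k4yt3x.conf"
    printf 'net/ipv4/ip_forward = 1\n' > "$r/etc/99-sysctl.conf"
    printf -- '-net.core.rmem_max=33554432\n' > "$r/etc/uhd-usrp2.conf"   # sorts after 99-*, so it wins
    printf '33554432\n' > "$r/sys/net/core/rmem_max"
    printf '0\n' > "$r/sys/net/ipv4/ip_forward"   # stale: the files say 1
    printf '2\n' > "$r/sys/kernel/kptr_restrict"
}

root=$(mktemp -d)
make_demo_tree "$root"
for k in net.core.rmem_max net.ipv4.ip_forward kernel.sysrq; do
    printf '%-22s %s\n' "$k" "$(effective_sysctl "$k" "$root/etc" "$root/lib")"
done
echo "drift (key, configured, live):"
sysctl_drift "$root/sys" "$root/etc" "$root/lib"
rm -rf "$root"
```

On a real host you would call `effective_sysctl net.core.rmem_max /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d` and `sysctl_drift /proc/sys` with the same directory list, after reloading; a non-empty drift listing means either the reload has not happened yet or a file loaded later than your override (such as the `uhd-usrp2.conf` case above) is setting a different value.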