5.3.9.3. /proc/sys/kernel/
This directory contains a variety of different configuration files that directly affect the operation of the kernel. Some of the most important files include:
acct
— Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:4 2 30
The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended. The third value sets the interval, in seconds, that the kernel polls the file system to see if logging should be suspended or resumed.cap-bound
— Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.For a valid list of values for this virtual file, refer to the following installed documentation:/lib/modules/<kernel-version>/build/include/linux/capability.h
.ctrl-alt-del
— Controls whether Ctrl+Alt+Delete gracefully restarts the computer usinginit
(0
) or forces an immediate reboot without syncing the dirty buffers to disk (1
).domainname
— Configures the system domain name, such asexample.com
.exec-shield
— Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.There are two possible values for this virtual file:0
— Disables Exec Shield.1
— Enables Exec Shield. This is the default value.
Important
If a system is running security-sensitive applications that were started while Exec Shield was disabled, these applications must be restarted when Exec Shield is enabled in order for Exec Shield to take effect.exec-shield-randomize
— Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.There are two possible values for this virtual file:0
— Disables randomization of Exec Shield. This may be useful for application debugging purposes.1
— Enables randomization of Exec Shield. This is the default value. Note: Theexec-shield
file must also be set to1
forexec-shield-randomize
to be effective.
hostname
— Configures the system hostname, such aswww.example.com
.hotplug
— Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of/sbin/hotplug
should not be changed unless testing a new program to fulfill this role.modprobe
— Sets the location of the program used to load kernel modules. The default value is/sbin/modprobe
which meanskmod
calls it to load the module when a kernel thread callskmod
.msgmax
— Sets the maximum size of any message sent from one process to another and is set to8192
bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase inmsgmax
would increase RAM requirements for the system.msgmnb
— Sets the maximum number of bytes in a single message queue. The default is16384
.msgmni
— Sets the maximum number of message queue identifiers. The default is16
.osrelease
— Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.ostype
— Displays the type of operating system. By default, this file is set toLinux
, and this value can only be changed by changing the kernel source and recompiling.overflowgid
andoverflowuid
— Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.panic
— Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to0
, which disables automatic rebooting after a panic.printk
— This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order:0
— Kernel emergency. The system is unusable.1
— Kernel alert. Action must be taken immediately.2
— Condition of the kernel is considered critical.3
— General kernel error condition.4
— General kernel warning condition.5
— Kernel notice of a normal but significant condition.6
— Kernel informational message.7
— Kernel debug-level messages.
Four values are found in theprintk
file:6 4 1 7
Each of these values defines a different rule for dealing with error messages. The first value, called the console loglevel, defines the lowest priority of messages printed to the console. (Note that, the lower the priority, the higher the loglevel number.) The second value sets the default loglevel for messages without an explicit loglevel attached to them. The third value sets the lowest possible loglevel configuration for the console loglevel. The last value sets the default value for the console loglevel.random/
directory — Lists a number of values related to generating random numbers for the kernel.rtsig-max
— Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is1024
.rtsig-nr
— Lists the current number of POSIX real-time signals queued by the kernel.sem
— Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.shmall
— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is2097152
.shmmax
— Sets the largest shared memory segment size allowed by the kernel. By default, this value is33554432
. However, the kernel supports much larger values than this.shmmni
— Sets the maximum number of shared memory segments for the whole system. By default, this value is4096
.sysrq
— Activates the System Request Key, if this value is set to anything other than zero (0
), the default.The System Request Key allows immediate input to the kernel through simple key combinations. For example, the System Request Key can be used to immediately shut down or restart a system, sync all mounted file systems, or dump important information to the console. To initiate a System Request Key, type Alt+SysRq+ <system request code> . Replace <system request code> with one of the following system request codes:r
— Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys).k
— Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned frominit
and not a Trojan copy designed to capture usernames and passwords.b
— Reboots the kernel without first unmounting file systems or syncing disks attached to the system.c
— Crashes the system without first unmounting file systems or syncing disks attached to the system.o
— Shuts off the system.s
— Attempts to sync disks attached to the system.u
— Attempts to unmount and remount all file systems as read-only.p
— Outputs all flags and registers to the console.t
— Outputs a list of processes to the console.m
— Outputs memory statistics to the console.0
through9
— Sets the log level for the console.e
— Kills all processes exceptinit
using SIGTERM.i
— Kills all processes exceptinit
using SIGKILL.l
— Kills all processes using SIGKILL (includinginit
). The system is unusable after issuing this System Request Key code.h
— Displays help text.
This feature is most beneficial when using a development kernel or when experiencing system freezes.Warning
The System Request Key feature is considered a security risk because an unattended console provides an attacker with access to the system. For this reason, it is turned off by default.Refer to/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt
for more information about the System Request Key.sysrq-key
— Defines the key code for the System Request Key (84
is the default).sysrq-sticky
— Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:0
— Alt+SysRq and the system request code must be pressed simultaneously. This is the default value.1
— Alt+SysRq must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in/proc/sys/kernel/sysrq-timer
elapses.
sysrq-timer
— Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is10
.tainted
— Indicates whether a non-GPL module is loaded.0
— No non-GPL modules are loaded.1
— At least one module without a GPL license (including modules with no license) is loaded.2
— At least one module was force-loaded with the commandinsmod -f
.
threads-max
— Sets the maximum number of threads to be used by the kernel, with a default value of2048
.version
— Displays the date and time the kernel was last compiled. The first field in this file, such as#3
, relates to the number of times a kernel was built from the source base.