Grsecurity/Runtime Configuration

From Wikibooks, open books for an open world
Jump to navigation Jump to search
Additional Utilities Runtime Configuration Troubleshooting

The sysctl Interface

[edit | edit source]

The sysctl command provides an interface for modifying kernel parameters at runtime. There is an option in the grsecurity kernel configuration to enable support for this interface (see Configuring grsecurity). In Linux, sysctl is simply a wrapper around filesystem routines that read and write contents of files in the /proc directory. This means that you can also set parameters by echoing values to files in /proc. See the Appendix for a list of all available sysctl options for grsecurity.


[edit | edit source]

The sysctl command takes a list of variables or variable=value pairs and sets or reads their value. Variable is a path to a file in /proc/sys separated by periods or forward slashes. The value depends on the parameter in question. Most of grsecurity's options are either 1 (enabled) or 0 (disabled).

Sysctl's man page is available online at


[edit | edit source]

If you want to know every available runtime option for grsecurity, list the contents of /proc/sys/kernel/grsecurity.

To enable mount auditing and disable chdir auditing in a single sysctl command, run:

# sysctl kernel.grsecurity.audit_mount=1 kernel.grsecurity.audit_chdir=0
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_chdir = 0

You can achieve the same result by echoing:

# echo 1 > /proc/sys/kernel/grsecurity/audit_mount
# echo 0 > /proc/sys/kernel/grsecurity/audit_chdir
Next Page: Troubleshooting | Previous Page: Additional Utilities
Home: Grsecurity