Sysctl Hardening
Tags: hardening, openbsd, security, sysctl, sysctl.conf
2025-04-29 08:41 +0200
/etc/sysctl.conf - hardening
Official OpenBSD Documentation
sysctl(8) manpage - https://man.openbsd.org/sysctl.8
sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5
malloc(3) manpage - https://man.openbsd.org/free
| Sysctl Parameter | Description |
|---|---|
| ddb.panic=0 | Reboot on a panic, instead of dropping into the debugger. |
| ddb.console=0 | Prevent entry into the kernel debugger. |
| net.inet.ip.forwarding=0 | Prevent inet4 forwarding for standalone workstations (unless needed). |
| machdep.allowaperture=0 | For systems that don't run X. |
| vm.malloc_conf=CFGU | Individual arguments explained in the next table. |

| malloc_conf flag | Description |
|---|---|
| C (Cache disabled) | Reduces the chance that sensitive data (like passwords, keys, etc.) remains in memory after being freed. |
| F (Free junking) | Makes use-after-free bugs (access to freed memory) easier to detect, and prevents old data from leaking if memory is later misused. |
| G (Guard pages) | Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds. |
| U (Use junking) | Helps catch bugs where programs wrongly make assumptions about the contents of newly allocated memory. |
Server Example - /etc/sysctl.conf

```
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=0
```
Firewall Example - /etc/sysctl.conf

```
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=1
machdep.allowaperture=0
```
Workstation Example - /etc/sysctl.conf

```
ddb.panic=1
ddb.console=1
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=1
```
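As an added example (not part of the original post, nor an OpenBSD tool), here is a POSIX sh check that compares the server profile above against the "name=value" lines sysctl(8) prints and reports any drift. The sample output it is run against is constructed; the firewall profile is derived from the server one by flipping the forwarding value, as in the example above.

```shell
#!/bin/sh
# Added example: compare a /etc/sysctl.conf hardening profile against
# "name=value" lines as printed by OpenBSD's sysctl(8) and report drift.
# Profile values come from the examples above; the sample is constructed.

PROFILE_SERVER='ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=0'

# Firewall profile: same as the server one, but forwarding enabled.
PROFILE_FIREWALL=$(printf '%s\n' "$PROFILE_SERVER" | sed 's/forwarding=0/forwarding=1/')

# check_profile PROFILE ACTUAL
# Prints "key expected=X actual=Y" for each mismatch and "key missing" for
# keys absent from ACTUAL. Returns 0 only when every key matches.
check_profile() {
    rc=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        # escape dots so ddb.panic does not also match ddbXpanic
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        line=$(printf '%s\n' "$2" | grep "^${pat}=" | head -n 1)
        if [ -z "$line" ]; then
            printf '%s missing\n' "$key"; rc=1
        elif [ "${line#*=}" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${line#*=}"; rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Query the running kernel for the keys named in a profile (OpenBSD only).
live_values() {
    printf '%s\n' "$1" | cut -d= -f1 | xargs sysctl 2>/dev/null
}

# Constructed sample: debugger still reachable and malloc_conf left unset
# (sysctl prints an empty value for it, which the check flags as drift).
SAMPLE='ddb.panic=0
ddb.console=1
vm.malloc_conf=
net.inet.ip.forwarding=0
machdep.allowaperture=0'

check_profile "$PROFILE_SERVER" "$SAMPLE" || echo "server profile: drift detected"
```

On an OpenBSD host, `check_profile "$PROFILE_SERVER" "$(live_values "$PROFILE_SERVER")"` compares the profile with the running kernel rather than the constructed sample.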
Thanks to the authors of the following page for teaching me about the malloc stuff: