Sysctl
2025
Sysctl Hardening
/etc/sysctl.conf - hardening
Official OpenBSD Documentation
sysctl(8) manpage - https://man.openbsd.org/sysctl.8
sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5
malloc(3) manpage - https://man.openbsd.org/free
Sysctl Parameter - Description
ddb.panic=0 - Reboot on a panic instead of dropping into the debugger.
ddb.console=0 - Prevent entry into the kernel debugger.
net.inet.ip.forwarding=0 - Prevent IPv4 forwarding on standalone workstations (unless it is needed).
machdep.allowaperture=0 - For systems that do not run X.
vm.malloc_conf=CFGU - The individual flags are explained below.

malloc_conf flags:
C (Cache disabled) - Reduces the chance that sensitive data (passwords, keys, etc.) remains in memory after being freed.
F (Free junking) - Makes use-after-free bugs (access to freed memory) easier to detect, and prevents old data from leaking if the memory is later misused.
G (Guard pages) - Catches buffer overflows immediately by causing a segmentation fault when a memory write goes past its bounds.
U (Use junking) - Catches bugs where programs wrongly assume newly allocated memory is zeroed.

Server Example - /etc/sysctl.conf
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=0

Firewall Example - /etc/sysctl.conf
ddb.panic=0
ddb.console=0
vm.malloc_conf=CFGU
net.inet.ip.forwarding=1
machdep.allowaperture=0

Workstation Example - /etc/sysctl.conf
ddb.panic=1
ddb.console=1
vm.malloc_conf=CFGU
net.inet.ip.forwarding=0
machdep.allowaperture=1

Thanks to the author of the following page for teaching me about the malloc stuff:
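As an added example (not from the original page or from OpenBSD), a POSIX shell function that audits a sysctl.conf(5)-style file against the three profiles above and reports every missing or mismatched key; it needs only sh and awk, so it can be run from a configuration-management or audit host, and it uses the sysctl name as spelled in sysctl(8), machdep.allowaperture.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf(5)-style file against one of the profiles
# above (server, firewall, workstation). Each deviation is printed as one line
# and the return status is the number of deviations (0 = fully compliant).

baseline_for() {
    # Expected settings per profile, taken from the examples on this page.
    case "$1" in
        server)      ddb=0; fwd=0; aper=0 ;;
        firewall)    ddb=0; fwd=1; aper=0 ;;
        workstation) ddb=1; fwd=0; aper=1 ;;
        *) echo "unknown profile: $1" >&2; return 2 ;;
    esac
    printf 'ddb.panic=%s\nddb.console=%s\nvm.malloc_conf=CFGU\n' "$ddb" "$ddb"
    printf 'net.inet.ip.forwarding=%s\nmachdep.allowaperture=%s\n' "$fwd" "$aper"
}

audit_sysctl_conf() {
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    baseline=$(baseline_for "$2") || return 2
    printf '%s\n' "$baseline" | awk -F= -v conf="$file" '
        BEGIN {
            bad = 0
            # Load the file: blank lines and # comments are skipped, every
            # other line must be name=value.
            while ((getline line < conf) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line == "") continue
                n = index(line, "=")
                if (n == 0) { printf "malformed: %s\n", line; bad++; continue }
                have[substr(line, 1, n - 1)] = substr(line, n + 1)
            }
        }
        {
            # One baseline entry per input line: key in $1, wanted value in $2.
            if (!($1 in have))
                { printf "missing: %s (want %s)\n", $1, $2; bad++ }
            else if (have[$1] != $2)
                { printf "mismatch: %s=%s (want %s)\n", $1, have[$1], $2; bad++ }
        }
        END { exit bad }'
}

# Usage: audit_sysctl_conf /etc/sysctl.conf server
```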