Linux – sysctl not sticking after reboot

Tags: linux, Security, sysctl, Ubuntu

Using Lubuntu 18.10 Cosmic Cuttlefish

Most commands do stick. However, Lynis has repeatedly demonstrated that four sysctl
parameters are not sticking on reboot. sysctl -p does successfully apply them after the system has started.

fs.suid_dumpable=0 (still haven't figured this out)
net.ipv4.conf.all.rp_filter=1 (Wireguard VPN overruled this; see source 1 below)
net.ipv4.conf.all.log_martians=1 (/etc/ufw/sysctl.conf overruled this)
net.ipv4.conf.default.log_martians=1 (/etc/ufw/sysctl.conf overruled this)

Source 1

The one I am most concerned about is net.ipv4.conf.all.rp_filter, which should be set to 1 but is set to 0, leaving the machine vulnerable to IP spoofing. How can I ensure these are set properly upon boot? Note/update: this is disabled automatically by VPNs like WireGuard (possibly OpenVPN and others) so as not to drop legitimate packets; see source 1 above for details. Disabling the WireGuard VPN sysctl boot command resulted in rp_filter=1 working as intended, potentially causing issues for WireGuard. Lynis false positive; I will leave this disabled for functionality. Warning: disabling WireGuard after boot does not (as of yet) revert this to the safe setting; sysctl -p is required.

Location of all sysctl.conf files, via find / -name '*sysctl*.conf':

/usr/share/doc/procps/examples/sysctl.conf
/snap/core/6405/etc/sysctl.conf
/snap/core/6405/etc/sysctl.d/99-sysctl.conf
/snap/core18/719/etc/sysctl.d/99-sysctl.conf
/etc/sysctl.conf
/etc/ufw/sysctl.conf
/etc/sysctl.d/99-sysctl.conf

Best Answer

If your system is using systemd's systemd-sysctl.service, and not sysctl, for the settings at boot time, then things are a little different from sysctl.

systemd-sysctl sorts all of the configuration file names, ignoring the directory name, and then loads them in that order irrespective of the directory they were in. This means that if you put your setting in /etc/sysctl.d/10-mysysctl.conf and there is another file called /usr/lib/sysctl.d/50-default.conf setting the same variable, that will override your setting.

To ensure your setting isn't overridden you should put it in a config file with a name like /etc/sysctl.d/zzz-mysysctl.conf.

Note: This behaviour was tested on Ubuntu 20.04.1 and openSUSE Leap 15.2
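The script below is an added example, not code from the question, the answer or systemd. It emulates the ordering rules the answer describes, as documented in sysctl.d(5): collect every *.conf file from the search directories, let a file in /etc mask a file of the same name in /run or /usr/lib, sort the survivors by file name only, read them in that order and let the last assignment of a key win. The search directories, file names and values are constructed under a scratch directory (the "2" in the stand-in 50-default.conf is made up, not Ubuntu's real default), and nothing is written to /proc/sys. The question's other two causes, a file applied by a separate service (/etc/ufw/sysctl.conf) and a VPN changing the value at runtime, sit outside this ordering and are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post or from systemd): emulate how
# systemd-sysctl picks the effective value of a key from a sysctl.d tree,
# following sysctl.d(5):
#   1. collect all *.conf files from the search directories;
#   2. a file in an earlier directory (/etc) masks a same-named file in a
#      later one (/run, /usr/lib);
#   3. sort the survivors by file name only, ignoring the directory;
#   4. read them in that order; the last assignment of a key wins.
set -eu

# Constructed search path in the precedence order of sysctl.d(5), rooted in a
# scratch directory so the real system is never touched.
ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
SEARCH_DIRS="$ROOT/etc/sysctl.d $ROOT/run/sysctl.d $ROOT/usr/lib/sysctl.d"

# setup_tree: (re)create the constructed files for the answer's scenario: a
# distro default in /usr/lib and a local file whose name sorts before it.
# The values are invented for the demo, not Ubuntu's actual defaults.
setup_tree() {
    rm -rf "$ROOT"
    for d in $SEARCH_DIRS; do mkdir -p "$d"; done
    cat > "$ROOT/usr/lib/sysctl.d/50-default.conf" <<'EOF'
# constructed stand-in for a distribution default file
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
EOF
    cat > "$ROOT/etc/sysctl.d/10-mysysctl.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
EOF
}

# list_in_load_order: print the files systemd-sysctl would read, in order.
# Listing directories in SEARCH_DIRS order and then stable-sorting on the
# basename leaves the /etc copy of a duplicated name first; awk keeps only
# that first copy (masking) and prints the full path.
list_in_load_order() {
    tab="$(printf '\t')"
    for d in $SEARCH_DIRS; do
        for f in "$d"/*.conf; do
            [ -e "$f" ] && printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done | LC_ALL=C sort -s -t "$tab" -k1,1 | awk -F '\t' '!seen[$1]++ { print $2 }'
}

# effective_value KEY: the last assignment of KEY across the load order.
# Accepts "key = value" and "key=value", skips comments and blank lines,
# strips the leading "-" that sysctl.d(5) uses for "ignore errors", and
# normalises "/" to "." so net/ipv4/... and net.ipv4.... name the same key.
# Prints nothing if no file sets the key.
effective_value() {
    list_in_load_order | while IFS= read -r f; do
        awk -v key="$1" '
            /^[[:space:]]*$/     { next }
            /^[[:space:]]*[#;]/  { next }
            {
                line = $0
                sub(/^[[:space:]]*-?/, "", line)
                eq = index(line, "=")
                if (eq == 0) next
                k = substr(line, 1, eq - 1)
                v = substr(line, eq + 1)
                gsub(/[[:space:]]/, "", k)
                gsub("/", ".", k)
                sub(/^[[:space:]]+/, "", v)
                sub(/[[:space:]]+$/, "", v)
                if (k == key) print v
            }' "$f"
    done | tail -n 1
}

# The answer's problem: 10-mysysctl.conf sorts before 50-default.conf, so the
# distro default is applied last and wins. Returns 2.
rp_filter_with_low_name() {
    setup_tree
    effective_value net.ipv4.conf.all.rp_filter
}

# The answer's fix: a zzz-* name sorts after every other file and wins. Returns 1.
rp_filter_with_zzz_name() {
    setup_tree
    printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$ROOT/etc/sysctl.d/zzz-mysysctl.conf"
    effective_value net.ipv4.conf.all.rp_filter
}

# Caveat: reusing the distro file's name in /etc masks the whole /usr/lib file,
# so every key it set that the local copy does not repeat is silently lost.
# Returns an empty string for net.ipv4.conf.default.rp_filter.
default_rp_filter_when_masked() {
    setup_tree
    printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$ROOT/etc/sysctl.d/50-default.conf"
    effective_value net.ipv4.conf.default.rp_filter
}

printf 'low name  -> %s\n' "$(rp_filter_with_low_name)"
printf 'zzz name  -> %s\n' "$(rp_filter_with_zzz_name)"
printf 'masked    -> "%s"\n' "$(default_rp_filter_when_masked)"
```

Run it with `sh script.sh`; the three lines it prints are the three outcomes the answer and the caveat predict. On a real host, `systemd-analyze cat-config sysctl.d` (systemd 239 or newer) prints the merged configuration in the order systemd-sysctl loads it, which is the quickest way to confirm where a value is being overridden before renaming your file.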