overcommit_memory = 1 sysctl vm.overcommit_memory • Ve r i f y vm.panic_on_oom = 0 sysctl vm.panic_on_oom • Ve r i f y kernel.panic = 10 sysctl kernel.panic • Ve r i f y kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops panic_on_oops • Ve r i f y kernel.keys.root_maxkeys = 1000000 sysctl kernel.keys.root_maxkeys • Ve r i f y kernel.keys.root_maxbytes = 25000000 sysctl kernel.keys.root_maxbytes R e m e d i at i on • S e t t t h e f ol l ow i n g p ar am e t e r s i n /etc/sysctl.d/90-kubelet.conf on al l n od e s : 3 vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxkeys=1000000

Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl.d/90- kubelet.conf: vm.overcommit_memory=1 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Hardening Guide v2.3.5 3 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and kubernetes. #cloud-config packages: - curl - jq runcmd: - sysctl -w vm.overcommit_memory=1 - sysctl -w kernel.panic=10 - sysctl -w kernel.panic_on_oops=1 - curl https://releases.rancher.c

Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl.d/90- kubelet.conf: vm.overcommit_memory=1 panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and #cloud-config packages: - curl - jq runcmd: - sysctl -w vm.overcommit_memory=1 - sysctl -w kernel.panic=10 Hardening Guide v2.4 21 - sysctl -w kernel.panic_on_oops=1 - curl https://releases

. . . . . 42 7.15 /proc/sys/ & sysctl command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 7.16 Enabling IP forward with sysctl . . . . . . . . . . . . . . . . . each CPU, so for the modern systems, this value can be more than the first value. 7.15 /proc/sys/ & sysctl command This directory is a special one for system administrators. This not only provides information kernel features. We use the sysctl command to view or edit the values for /proc/sys/. If you want to see all the different settings, use the following command. $ sudo sysctl -a [sudo] password for kdas:

directory /proc/cpuinfo /proc/cmdline /proc/meminfo /proc/uptime /proc/sys/ & sysctl command Enabling IP forward with sysctl Linux Services What is a service? What is a daemon? What is the init system for each CPU, so for the modern systems, this value can be more than the first value. /proc/sys/ & sysctl command This directory is a special one for system administrators. This not only provides information kernel features. We use the sysctl command to view or edit the values for /proc/sys/. If you want to see all the different settings, use the following command. $ sudo sysctl -a [sudo] password for kdas:

configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 2 / 24 Configure sysctl settings to match what the kubelet Audit Verify vm.overcommit_memory = 1 sysctl vm.overcommit_memory Verify kernel.panic = 10 sysctl kernel.panic Verify kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops Remediation Set the the following parameters in /etc/sysctl.conf on all nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider

kdump-config show. This will display something like this: DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 KDUMP_COREDIR: /var/crash crashkernel addr: /var/lib/kdump/vmlinuz kdump protocol: kdump-config show Whose output appears like this: DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 KDUMP_COREDIR: /var/crash crashkernel addr: 0x2c000000 /var/lib/kdump/vmlinuz: : kdump-config show Which produces an output like this: DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 141 KDUMP_COREDIR: /var/crash crashkernel addr: 0x2c000000 /var/lib/kdump/vmlinuz:

profile eBPF programs? CI variance tracking Tools kernel.bpf_stats_enabled kernel.bpf_stats_enabled sysctl – Added in kernel v5.1 (off by default) – Turns on stats collection for all eBPF programs – exposes stats sysctl procfs Three ways to access kernel eBPF stats bpftool prog show bpf syscall BPF_OBJ_GET_INFO_BY_FD procfs BPF_ENABLE_STATS Added in kernel v5.8 FD-based alternative to sysctl Handles

to use the SSH protocol : kdump-config show DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 KDUMP_COREDIR: /var/crash crashkernel addr: 0x2c000000 /var/lib/kdump/vmlinuz: protocol : 23 Installation kdump-config show DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 KDUMP_COREDIR: /var/crash crashkernel addr: 0x2c000000 /var/lib/kdump/vmlinuz: kdump-tools configuration : kdump-config show DUMP_MODE: kdump USE_KDUMP: 1 KDUMP_SYSCTL: kernel.panic_on_oops=1 KDUMP_COREDIR: /var/crash crashkernel addr: 0x2c000000 /var/lib/kdump/vmlinuz:

Returns the CPU info gathered from /var/run/dmesg.boot. _get_cpu_info_from_sysctl() Returns the CPU info gathered from sysctl. _get_cpu_info_from_sysinfo() Returns the CPU info gathered from sysinfo. has_dmesg() static has_var_run_dmesg_boot() static has_cpufreq_info() static has_sestatus() static has_sysctl() static has_isainfo() static has_kstat() static has_sysinfo() static has_lscpu() static has_ibm_pa_features() Release 23.10.1.dev3 static sestatus_b() static dmesg_a() static cat_var_run_dmesg_boot() static sysctl_machdep_cpu_hw_cpufrequency() static isainfo_vb() static kstat_m_cpu_info() static sysinfo_cpu()