X-Git-Url: https://git.tld-linux.org/?a=blobdiff_plain;f=sysctl.conf;h=a34935ba85b4811d5cdb7e573d75451c2097db90;hb=refs%2Fheads%2Fmaster;hp=d918cd56e447d241b7a9c57a28aec161ce64bab6;hpb=12e7a5b1a4ca9c8f03ee66db198426770cc84300;p=rc-scripts.git

diff --git a/sysctl.conf b/sysctl.conf
index d918cd5..1f4cf84 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -127,70 +127,25 @@ net.ipv4.conf.default.rp_filter = 1
 # fs.file-max = 8192
 # fs.inode-max = 16384
 
+# Sometimes (read: always) the Linux OOM killer doesn’t kill the offending
+# process. Usually, this is because as the system is out of memory, it isn’t
+# able to do the memory intensive task of scanning through all the processes.
+# Ironic.
+#vm.oom_kill_allocating_task = 1
+
 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 #kernel.core_uses_pid = 1
 
-# Enable the magic-sysrq key
+# System Request functionality of the kernel (SYNC)
+# Use kernel.sysrq = 1 to allow all keys.
+# See http://fedoraproject.org/wiki/QA/Sysrq for a list of values and keys.
 kernel.sysrq = 1
 
 # After how many seconds reboot system after kernel panic?
 # 0 - never reboot system (suggested 60)
 #kernel.panic = 60
 
-#
-# GRSECURITY http://www.grsecurity.org
-#
-# WARNING!
-# These values are SET ONCE!
-#
-#kernel.grsecurity.linking_restrictions = 1
-#kernel.grsecurity.fifo_restrictions = 1
-#kernel.grsecurity.destroy_unused_shm = 0
-#kernel.grsecurity.chroot_caps = 0
-#kernel.grsecurity.chroot_deny_chmod = 0
-#kernel.grsecurity.chroot_deny_chroot = 1
-#kernel.grsecurity.chroot_deny_fchdir = 0
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-#kernel.grsecurity.chroot_deny_shmat = 0
-#kernel.grsecurity.chroot_deny_sysctl = 1
-#kernel.grsecurity.chroot_deny_unix = 0
-#kernel.grsecurity.chroot_enforce_chdir = 0
-#kernel.grsecurity.chroot_execlog = 0
-#kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 0
-
-#kernel.grsecurity.exec_logging = 0
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 0
-#kernel.grsecurity.timechange_logging = 1
-#kernel.grsecurity.audit_chdir = 0
-#kernel.grsecurity.audit_gid = 65505
-#kernel.grsecurity.audit_group = 0
-#kernel.grsecurity.audit_ipc = 0
-#kernel.grsecurity.audit_mount = 0
-
-#kernel.grsecurity.execve_limiting = 1
-#kernel.grsecurity.dmesg = 1
-#kernel.grsecurity.tpe = 1
-#kernel.grsecurity.tpe_gid = 65500
-#kernel.grsecurity.tpe_glibc = 0
-#kernel.grsecurity.tpe_restrict_all = 0
-
-#kernel.grsecurity.rand_pids = 1
-#kernel.grsecurity.socket_all = 1
-#kernel.grsecurity.socket_all_gid = 65501
-#kernel.grsecurity.socket_client = 1
-#kernel.grsecurity.socket_client_gid = 65502
-#kernel.grsecurity.socket_server = 1
-#kernel.grsecurity.socket_server_gid = 65503
-
-#kernel.grsecurity.disable_modules = 0
-#kernel.grsecurity.grsec_lock = 0
-
-# kernel.randomize_va_space = 2
 # 0 - Turn the process address space randomization off by default.
 # 1 - Conservative address space randomization makes the addresses of
 # mmap base and VDSO page randomized. This, among other things,
@@ -204,6 +159,7 @@ kernel.sysrq = 1
 # start of the brk area is randomized. There are however no known
 # non-legacy applications that would be broken this way, so for most
 # systems it is safe to choose Full randomization.
+# kernel.randomize_va_space = 2
 
 # for mplayer
 #dev.rtc.max-user-freq = 1024
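Review bot: The rewritten comment above `kernel.sysrq = 1` labels the setting "(SYNC)", but the value left in place is 1, which the comment's own second line says allows all keys, so the heading and the shipped value disagree. With 1, anyone at the console keyboard can use every SysRq function (process signalling, debugging dumps, remount, reboot), not just emergency sync. If sync-only is what is intended, the line should be `kernel.sysrq = 16`; if all functions are meant to stay enabled, the heading should say so, e.g. `# All SysRq functions are enabled (1); use a bitmask such as 16 (sync only) to restrict them.` The reference URL in the added comment could also use https.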
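Review bot: As the collapsed line reads here, the added `# kernel.randomize_va_space = 2` is still a comment, so the file documents full address space randomization without setting it and the effective value is whatever the running kernel defaults to. It is also written with a space after `#`, unlike the file's other disabled settings (`#kernel.panic = 60`, `#vm.oom_kill_allocating_task = 1`), so it reads as prose rather than as a switch to uncomment. If full randomization is the intended baseline, ship it active as `kernel.randomize_va_space = 2`; otherwise write it as `#kernel.randomize_va_space = 2`. Because the first hunk removes the same line from the top of the list, the value descriptions now start directly at `# 0 - ...` with no line naming the key, so a one-line heading such as `# kernel.randomize_va_space: address space layout randomization` would help; the comment block this line closes starts outside the hunk.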