This directory contains a variety of different configuration files that directly affect the operation of the kernel. Some of the most important files include:
acct— Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:
4 2 30The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended. The third value sets the interval, in seconds, that the kernel polls the file system to see if logging should be suspended or resumed.
cap-bound— Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.For a valid list of values for this virtual file, refer to the following installed documentation:
ctrl-alt-del— Controls whether Ctrl+Alt+Delete gracefully restarts the computer using
0) or forces an immediate reboot without syncing the dirty buffers to disk (
domainname— Configures the system domain name, such as
exec-shield— Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.There are two possible values for this virtual file:
0— Disables Exec Shield.
1— Enables Exec Shield. This is the default value.
ImportantIf a system is running security-sensitive applications that were started while Exec Shield was disabled, these applications must be restarted when Exec Shield is enabled in order for Exec Shield to take effect.
exec-shield-randomize— Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.There are two possible values for this virtual file:
0— Disables randomization of Exec Shield. This may be useful for application debugging purposes.
1— Enables randomization of Exec Shield. This is the default value. Note: The
exec-shieldfile must also be set to
exec-shield-randomizeto be effective.
hostname— Configures the system hostname, such as
hotplug— Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of
/sbin/hotplugshould not be changed unless testing a new program to fulfill this role.
modprobe— Sets the location of the program used to load kernel modules. The default value is
kmodcalls it to load the module when a kernel thread calls
msgmax— Sets the maximum size of any message sent from one process to another and is set to
8192bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in
msgmaxwould increase RAM requirements for the system.
msgmnb— Sets the maximum number of bytes in a single message queue. The default is
msgmni— Sets the maximum number of message queue identifiers. The default is
osrelease— Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
ostype— Displays the type of operating system. By default, this file is set to
Linux, and this value can only be changed by changing the kernel source and recompiling.
overflowuid— Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.
panic— Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to
0, which disables automatic rebooting after a panic.
printk— This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order:
Four values are found in the
0— Kernel emergency. The system is unusable.
1— Kernel alert. Action must be taken immediately.
2— Condition of the kernel is considered critical.
3— General kernel error condition.
4— General kernel warning condition.
5— Kernel notice of a normal but significant condition.
6— Kernel informational message.
7— Kernel debug-level messages.
6 4 1 7Each of these values defines a different rule for dealing with error messages. The first value, called the console loglevel, defines the lowest priority of messages printed to the console. (Note that, the lower the priority, the higher the loglevel number.) The second value sets the default loglevel for messages without an explicit loglevel attached to them. The third value sets the lowest possible loglevel configuration for the console loglevel. The last value sets the default value for the console loglevel.
random/directory — Lists a number of values related to generating random numbers for the kernel.
rtsig-max— Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is
rtsig-nr— Lists the current number of POSIX real-time signals queued by the kernel.
sem— Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.
shmall— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is
shmmax— Sets the largest shared memory segment size allowed by the kernel. By default, this value is
33554432. However, the kernel supports much larger values than this.
shmmni— Sets the maximum number of shared memory segments for the whole system. By default, this value is
sysrq— Activates the System Request Key, if this value is set to anything other than zero (
0), the default.The System Request Key allows immediate input to the kernel through simple key combinations. For example, the System Request Key can be used to immediately shut down or restart a system, sync all mounted file systems, or dump important information to the console. To initiate a System Request Key, type Alt+SysRq+ <system request code> . Replace <system request code> with one of the following system request codes:
This feature is most beneficial when using a development kernel or when experiencing system freezes.
r— Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys).
k— Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from
initand not a Trojan copy designed to capture usernames and passwords.
b— Reboots the kernel without first unmounting file systems or syncing disks attached to the system.
c— Crashes the system without first unmounting file systems or syncing disks attached to the system.
o— Shuts off the system.
s— Attempts to sync disks attached to the system.
u— Attempts to unmount and remount all file systems as read-only.
p— Outputs all flags and registers to the console.
t— Outputs a list of processes to the console.
m— Outputs memory statistics to the console.
9— Sets the log level for the console.
e— Kills all processes except
i— Kills all processes except
l— Kills all processes using SIGKILL (including
init). The system is unusable after issuing this System Request Key code.
h— Displays help text.
WarningThe System Request Key feature is considered a security risk because an unattended console provides an attacker with access to the system. For this reason, it is turned off by default.Refer to
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txtfor more information about the System Request Key.
sysrq-key— Defines the key code for the System Request Key (
84is the default).
sysrq-sticky— Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:
0— Alt+SysRq and the system request code must be pressed simultaneously. This is the default value.
1— Alt+SysRq must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in
sysrq-timer— Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is
tainted— Indicates whether a non-GPL module is loaded.
0— No non-GPL modules are loaded.
1— At least one module without a GPL license (including modules with no license) is loaded.
2— At least one module was force-loaded with the command
threads-max— Sets the maximum number of threads to be used by the kernel, with a default value of
version— Displays the date and time the kernel was last compiled. The first field in this file, such as
#3, relates to the number of times a kernel was built from the source base.