9

Using Lubuntu 18.10 Cosmic Cuttlefish

Most commands do stick. However, Lynis has repeatedly demonstrated that four sysctl parameters are not sticking on reboot. sysctl -p does successfully apply them after the system has started.

fs.suid_dumpable=0 (still haven't figured this out)
net.ipv4.conf.all.rp_filter=1 (Wireguard VPN overruled this; see source 1 below)
net.ipv4.conf.all.log_martians=1 (/etc/ufw/sysctl.conf overruled this)
net.ipv4.conf.default.log_martians=1 (/etc/ufw/sysctl.conf overruled this)

Source 1

The one I am most concerned about is net.ipv4.conf.all.rp_filter, which should be set to 1, but is set to 0... leaving the machine vulnerable to IP spoofing. How can I ensure these are set properly upon boot? Note/update: this is disabled automatically by VPNs like Wireguard (possibly OpenVPN/others) so as not to drop legitimate packets; see source above for details. Disabling the Wireguard VPN sysctl boot command resulted in rp_filter=1 working as intended, potentially causing issues for Wireguard. Lynis false positive; I will leave this disabled for functionality. Warning: disabling Wireguard after boot does not (as of yet) revert this to the safe setting. sysctl -p required.

Location of all sysctl.conf files, found via find / -name '*sysctl*.conf':

/usr/share/doc/procps/examples/sysctl.conf
/snap/core/6405/etc/sysctl.conf
/snap/core/6405/etc/sysctl.d/99-sysctl.conf
/snap/core18/719/etc/sysctl.d/99-sysctl.conf
/etc/sysctl.conf
/etc/ufw/sysctl.conf
/etc/sysctl.d/99-sysctl.conf
tutudid
  • 103

3 Answers

12

If your system is using systemd's systemd-sysctl.service and not sysctl for the setting at boot time, then things are a little different from sysctl.

systemd-sysctl sorts all of the configuration file names, ignoring the directory name, and then loads them in that order irrespective of the directory they were in. This means that if you put your setting in /etc/sysctl.d/10-mysysctl.conf and there is another file called /usr/lib/sysctl.d/50-default.conf setting the same variable, that will override your setting.

To ensure your setting isn't overridden you should put it in a config file with a name like /etc/sysctl.d/zzz-mysysctl.conf.

Note: This behaviour was tested on Ubuntu 20.04.1 and openSUSE Leap 15.2

Paranoid
  • 336
  • 3
  • 7
4

Create a file /etc/sysctl.d/local.conf containing the values you want.

fs.suid_dumpable=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.log_martians=1

Reboot.

The scripts load any *.conf files from several directories, in file name collation order. See the sysctl --system option in the man page for the search paths.

In particular, check that any values are not already defined in /etc/sysctl.conf. Consider moving values you want to keep from it to sysctl.d, then removing that file.

John Mahowald
  • 36,071
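The two answers above both come down to load order: drop-ins are sorted by file name regardless of directory, a basename in an earlier directory shadows the same name in a later one, and /etc/sysctl.conf is read last. The script below is an added example (not code from the question, the answers, procps or systemd) that models the order documented in sysctl(8) for `sysctl --system` and reports which file provides the effective value of a key. It builds a constructed directory tree under a temporary root (the file names 10-local.conf, 50-default.conf and zzz-local.conf and their contents are hypothetical), so it runs offline; it does not model values applied later by other services, such as ufw's /etc/ufw/sysctl.conf or apport, which the question and the last answer identify as separate sources of overrides.

```shell
#!/bin/sh
# Added example: model the sysctl --system load order from sysctl(8) and find
# which file supplies the value the kernel ends up with for a given key.
# Directory precedence: etc/sysctl.d, run/sysctl.d, usr/local/lib/sysctl.d,
# usr/lib/sysctl.d, lib/sysctl.d; then etc/sysctl.conf last. All paths are
# taken relative to a root prefix so the model can run against a test tree.
set -eu

# Print the config files under root "$1" in load order: a basename seen in an
# earlier directory shadows the same name later, survivors sort by basename,
# and <root>/etc/sysctl.conf is appended at the end.
sysctl_load_order() {
    root=$1
    seen=""
    list=""
    for d in etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d; do
        [ -d "$root/$d" ] || continue
        for f in "$root/$d"/*.conf; do
            [ -f "$f" ] || continue
            b=${f##*/}
            case " $seen " in *" $b "*) continue ;; esac   # shadowed by an earlier dir
            seen="$seen $b"
            list="$list$b $f
"
        done
    done
    printf '%s' "$list" | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
    [ -f "$root/etc/sysctl.conf" ] && echo "$root/etc/sysctl.conf"
    return 0
}

# Print "<value> <file>" for key "$2": the last assignment in load order wins,
# which is exactly why a 10-*.conf drop-in loses to a later 50-*.conf.
sysctl_effective() {
    root=$1
    key=$2
    winner=""
    for f in $(sysctl_load_order "$root"); do
        # Accept "key = value" lines; skip comments starting with # or ;.
        v=$(awk -F'=' -v k="$key" '
            $0 !~ /^[ \t]*[#;]/ {
                gsub(/[ \t]/, "", $1)
                if ($1 == k) { gsub(/^[ \t]+|[ \t]+$/, "", $2); val = $2 }
            }
            END { if (val != "") print val }' "$f")
        [ -n "$v" ] && winner="$v $f"
    done
    [ -n "$winner" ] && printf '%s\n' "$winner"
    return 0
}

# Build a constructed tree mirroring the situation in the question and print
# its root. Every file and value here is made up for the demonstration.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    # Admin hardening drop-in with a low sort prefix (constructed).
    printf 'fs.suid_dumpable = 0\nnet.ipv4.conf.all.rp_filter = 1\n' \
        > "$root/etc/sysctl.d/10-local.conf"
    # Stand-in for a package drop-in that sorts later and flips rp_filter back (constructed).
    printf '# shipped by some package\nnet.ipv4.conf.all.rp_filter = 0\n' \
        > "$root/usr/lib/sysctl.d/50-default.conf"
    # Name that sorts after every vendor file, as the first answer recommends (constructed).
    printf 'net.ipv4.conf.all.log_martians = 1\n' > "$root/etc/sysctl.d/zzz-local.conf"
    # Legacy /etc/sysctl.conf, read last, holding a leftover value (constructed).
    printf 'fs.suid_dumpable = 2\n' > "$root/etc/sysctl.conf"
    echo "$root"
}

# Usage: sh sysctl_order.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    for k in fs.suid_dumpable net.ipv4.conf.all.rp_filter net.ipv4.conf.all.log_martians; do
        printf '%s -> %s\n' "$k" "$(sysctl_effective "$demo" "$k")"
    done
    rm -rf "$demo"
fi
```

Run with `--demo` to see that rp_filter resolves to 0 from the later-sorting 50-default.conf and fs.suid_dumpable resolves to 2 from /etc/sysctl.conf, while the zzz-local.conf value survives. Copying a file with the same basename into etc/sysctl.d masks the vendor copy, which is the shadowing rule from sysctl(8); on a real host, `sysctl --system` prints each file as it loads it, so the same load order can be confirmed there.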
2

I encountered the same issues during implementation of CIS benchmark.

Regarding fs.suid_dumpable, I found this post explaining the exact same issue. It seems apport was overriding the value. Disabling apport did the trick.

log_martians was overwritten by the ufw settings in /etc/ufw/sysctl.conf.

Omri-odix
  • 21
  • 2