sysctl

Intro

sysctl - enables privileged processes to examine and modify the kernel parameters.

Description

The sysctl() system call is used by privileged processes to examine and modify kernel parameters. It is primarily used by system daemons, such as syslogd(8) and sshd(8), as well as by programs such as top(1) and ps(1).

The first argument of sysctl() is a structure of type __sysctl_args, which consists of a list of integers that identify a particular kernel variable, and a string (or more accurately, an array of binary bytes) that is used to set the value for that variable. All kernel variables accessible via sysctl() can be prefixed using a period delimited sequence of integers.

The kernel variables are divided into two classes: read-only and read/write. Making sysctl() calls to read/write variables requires the caller to either possess the CAP_SYS_ADMIN capability or be running as root. Making sysctl() calls to read-only variables requires the caller to either possess the CAP_SYS_RAWIO capability or be running as root.

Arguments

  • args:struct __sysctl_args*[K] - pointer to a structure of type __sysctl_args which contains the kernel variable information.

Available Tags

  • K - Originated from kernel-space.

Hooks

sysctl

Type

Kprobe + Kretprobe

Purpose

To hook the syscall to call a certain function (with certain args) on every call, with both entry and exit full stack.

Example Use Case

An example use case for sysctl would be to monitor changes to kernel settings. For example, an application might be developed to increase the security of the system by monitoring system settings and alerting administrators if settings are changed outside of the expected range.
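The monitor sketched above, written out as an added example (this is not Tracee's code and not part of the original page). It compares a snapshot of kernel parameters against a policy of expected values or inclusive ranges and returns one alert per deviation. Because the sysctl(2) syscall is deprecated, the snapshot is taken from the equivalent files under /proc/sys, and the policy values (kernel.randomize_va_space, kernel.kptr_restrict, net.ipv4.ip_forward, fs.protected_symlinks) are constructed for illustration, not a hardening recommendation.

```python
"""Kernel-parameter drift monitor (hypothetical example, not part of Tracee).

The same variables that sysctl(2) exposes are readable under /proc/sys, so the
monitor reads them from there and checks each against a policy entry that is
either an exact expected value or an inclusive (low, high) integer range.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Mapping, Optional, Tuple, Union

# Policy entries are constructed for this example only.
Expectation = Union[str, Tuple[int, int]]
POLICY: Dict[str, Expectation] = {
    "kernel.randomize_va_space": "2",   # exact value expected
    "kernel.kptr_restrict": (1, 2),     # any value in 1..2 accepted
    "net.ipv4.ip_forward": "0",
    "fs.protected_symlinks": "1",
}


@dataclass(frozen=True)
class Alert:
    name: str
    observed: Optional[str]
    expected: Expectation
    reason: str


def proc_path(name: str, root: Path = Path("/proc/sys")) -> Path:
    """Map a dotted sysctl name such as net.ipv4.ip_forward to its /proc/sys file."""
    return root.joinpath(*name.split("."))


def read_proc_sys(names: Iterable[str], root: Path = Path("/proc/sys")) -> Dict[str, Optional[str]]:
    """Snapshot the named parameters; unreadable or missing ones map to None."""
    snapshot: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            snapshot[name] = proc_path(name, root).read_text().strip()
        except OSError:
            snapshot[name] = None
    return snapshot


def check_value(name: str, observed: Optional[str], expected: Expectation) -> Optional[Alert]:
    """Return an Alert if the observed value violates the policy entry, else None."""
    if observed is None:
        return Alert(name, None, expected, "parameter not readable")
    if isinstance(expected, tuple):
        # Range policies apply to the first whitespace-separated field, which
        # covers single-valued parameters and multi-field ones like kernel.printk.
        try:
            value = int(observed.split()[0])
        except (ValueError, IndexError):
            return Alert(name, observed, expected, "non-numeric value")
        low, high = expected
        if not low <= value <= high:
            return Alert(name, observed, expected, "out of range")
        return None
    if observed != expected:
        return Alert(name, observed, expected, "unexpected value")
    return None


def evaluate(observed: Mapping[str, Optional[str]], policy: Mapping[str, Expectation] = POLICY) -> List[Alert]:
    """Evaluate a snapshot against the policy; alerts follow policy order."""
    alerts: List[Alert] = []
    for name, expected in policy.items():
        alert = check_value(name, observed.get(name), expected)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # On a live Linux host this reads the real /proc/sys values.
    for a in evaluate(read_proc_sys(POLICY)):
        print(f"ALERT {a.name}: observed={a.observed!r} expected={a.expected} ({a.reason})")
```

Run it periodically (or from a handler fed by Tracee's sysctl event) and forward the returned alerts to whatever alerting channel is in use; a parameter that is unreadable is reported too, since a missing parameter is itself a deviation worth a look.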

Issues

One of the issues with using sysctl is that it is vulnerable to time-of-check-time-of-use (TOCTOU) attacks. If a malicious user is able to cause a race condition between the check and set operations on a sysctl variable, they may be able to modify a system setting without authorization.

Related Events

  • getrlimit
  • setrlimit

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.