Kernel

Kernel version inspection, runtime tuning with sysctl, and boot parameter configuration.

Kernel Identity

Running kernel release — version string only
uname -r
Full kernel version string — hostname, build date, arch
uname -a
Kernel version from /proc — same info, different source
cat /proc/version
Kernel command line — parameters passed by bootloader at boot
cat /proc/cmdline

Kernel Modules (Essentials)

List all loaded modules — name, size, use count, dependents
lsmod
Filter loaded modules by name — check if a specific module is active
lsmod | awk '/btrfs/'
Show module details — description, author, parameters, dependencies
modinfo btrfs
Load a module — resolves dependencies automatically
sudo modprobe br_netfilter
Remove a module — fails if in use, unloads dependencies if possible
sudo modprobe -r br_netfilter
Force-remove a module — dangerous, bypasses use count check
sudo rmmod -f br_netfilter

Module Configuration

Blacklist a module — prevent it from loading at boot
echo 'blacklist nouveau' | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
Blacklist with install override — prevents manual loading too
printf 'blacklist nouveau\ninstall nouveau /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
Set module parameters persistently — applied on every modprobe
echo 'options snd_hda_intel power_save=1' | sudo tee /etc/modprobe.d/snd-hda-intel.conf
Load a module at boot — ensure it is always present
echo 'br_netfilter' | sudo tee /etc/modules-load.d/br_netfilter.conf

Sysctl — Runtime Kernel Parameters

Show all current kernel parameters — thousands of tunables
sudo sysctl -a
Read a specific parameter — current runtime value
sudo sysctl net.ipv4.ip_forward
Set a parameter at runtime — takes effect immediately, lost on reboot
sudo sysctl -w net.ipv4.ip_forward=1
Make a parameter persistent — survives reboot
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-ip-forward.conf
sudo sysctl --system
Reload all sysctl configs — apply changes from /etc/sysctl.d/
sudo sysctl --system

/proc/sys Filesystem

/proc/sys maps directly to sysctl — dots become slashes
cat /proc/sys/net/ipv4/ip_forward
Write directly to /proc/sys — equivalent to sysctl -w, also runtime only
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Security-Relevant Parameters

Disable ICMP redirects — prevents MITM route manipulation
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
Enable SYN cookies — protect against SYN flood attacks
sudo sysctl -w net.ipv4.tcp_syncookies=1
Restrict kernel pointer exposure — harden against info leaks
sudo sysctl -w kernel.kptr_restrict=2
Restrict dmesg access — non-root users cannot read kernel log
sudo sysctl -w kernel.dmesg_restrict=1
Disable kernel module loading at runtime — lock down after boot
sudo sysctl -w kernel.modules_disabled=1
Once modules_disabled=1 is set, it cannot be unset without reboot. No modules can be loaded — including USB drivers.
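
Added example, not part of the original page: a read-only audit of the values set above, read straight from /proc/sys so it reports what the kernel is actually using. The function names, the ROOT argument and the per-interface redirect check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the hardening values from this section by reading
# /proc/sys directly. ROOT is a parameter so a constructed tree can be tested.

# key=value pairs as set by the sysctl -w commands above
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.modules_disabled=1'

# check_file FILE LABEL WANT: print a verdict, return 0 only on a match
check_file() {
    if [ ! -r "$1" ]; then
        printf 'MISSING %s\n' "$2"; return 1
    fi
    have=$(cat "$1")
    if [ "$have" = "$3" ]; then
        printf 'OK      %s = %s\n' "$2" "$have"; return 0
    fi
    printf 'FAIL    %s = %s (want %s)\n' "$2" "$have" "$3"; return 1
}

# audit_sysctls [ROOT]: sets AUDIT_FAILS, returns 0 when nothing failed
audit_sysctls() {
    root=${1:-/proc/sys}
    AUDIT_FAILS=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        # dots in the sysctl key become slashes under /proc/sys
        file=$root/$(printf '%s' "$key" | tr . /)
        check_file "$file" "$key" "${pair#*=}" || AUDIT_FAILS=$((AUDIT_FAILS + 1))
    done
    # Redirect handling is also per interface: an interface (or "default",
    # the template for new interfaces) left at 1 can keep redirects enabled
    # even with conf.all at 0, so check every directory except "all".
    for file in "$root"/net/ipv4/conf/*/accept_redirects \
                "$root"/net/ipv4/conf/*/send_redirects; do
        case $file in */conf/all/*) continue ;; esac
        [ -r "$file" ] || continue
        label=${file#"$root"/}
        check_file "$file" "$label" 0 || AUDIT_FAILS=$((AUDIT_FAILS + 1))
    done
    [ "$AUDIT_FAILS" -eq 0 ]
}

# Run against the live system only when asked: sh audit.sh run
if [ "${1:-}" = run ]; then audit_sysctls; fi
```

The exit status is non-zero when any value differs, so the script can gate a configuration-management run or a CI check on a golden image.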

Boot Parameters

Add kernel parameter via GRUB — edit /etc/default/grub
# In GRUB_CMDLINE_LINUX_DEFAULT, add parameters:
# "quiet loglevel=3 apparmor=1 security=apparmor"
sudo grub-mkconfig -o /boot/grub/grub.cfg
Add kernel parameter via systemd-boot — edit loader entry
# /boot/loader/entries/arch.conf
# options cryptdevice=UUID=<uuid>:cryptroot root=/dev/mapper/cryptroot rw quiet
Check if a parameter was passed at boot — grep cmdline
awk '/apparmor/' /proc/cmdline

RHCSA Patterns

Verify a module loads correctly — before, load, after
lsmod | awk '/br_netfilter/' ; sudo modprobe br_netfilter ; lsmod | awk '/br_netfilter/'
Persistent sysctl change — write, apply, verify
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-forward.conf
sudo sysctl --system
sudo sysctl net.ipv4.ip_forward

See Also

  • Modules — loadable kernel module management

  • Boot — boot parameters passed to the kernel