anyone know the *must change* systune parameters?
#1
anyone know the *must change* systune parameters?
I recall some discussion years ago about doing some good system tuning via "systune" parameters, but many of those discussions were over my head at the time (and frankly still over my head grrrrrr)

Here is what I consider a "must change" parameter - ncargs

It appears we want this to be the max possible value - I wasn't able to list contents of a dir and I also wasn't able to compile openssl because I was getting an error from the shell "argument list too long". Modifying this value to its max value helps this problem go away.

Anyone know of any other very favorable systunes? It might be good to start compiling a list...

I came across this site http://mi.eng.cam.ac.uk/~rwp/stradx7.3/systune.html, but here are the contents because it's also basically a guide to using systune:

Raising the maxlkmem limit

This is something your System Administrator will need to do. We recommend following these instructions to raise maxlkmem to the maximum possible value.

1. Become root
2. Type "systune -i"
3. Type "maxlkmem". It should tell you the current value of maxlkmem in pages. By default it's usually 2000.
4. Type "maxlkmem 100000", where 100000 pages should be more than the amount of RAM on your machine (a page is usually either 4K or 16K). When asked to confirm, type "y".
5. The change will fail, but when you type "maxlkmem" again, you will see that the number of pages has increased to approximately three quarters of the RAM installed in the computer. Remember this number of pages, call it N.
6. Type "maxlkmem N", where N is the number recorded above. Again type "y" when asked to confirm. This time the change will succeed.
7. Type "maxlkmem" just to make sure!
8. Type "quit" to exit systune.
9. Check that the new value of maxlkmem has been correctly recorded in /var/sysgen/stune.
10. Check that nobody is doing anything on your machine, then reboot your machine by typing "/etc/reboot". This will move /unix.install to /unix and start you running on the new kernel.

For further information read the introduction to Section 2 of the manual (type "man 2 intro"). Alternatively, look in the book on "IRIX Admin: System Configuration and Operation", which is part of the Insight Guide (type "insight"). The relevant sections are titled System Performance Tuning and IRIX Kernel Tunable Parameters.
(This post was last modified: 09-08-2018, 05:22 AM by gijoe77.)
gijoe77 Offline
09-08-2018, 05:20 AM
#2
RE: anyone know the *must change* systune parameters?
Some come to mind for security reasons:
Code:
restricted_chown = 1
The restricted_chown parameter specifies whether the default SGI line disciplines are used. This switch allows you to decide whether you want to use a BSD UNIX style chown(2) system call or the System V style. Under the BSD version, only the superuser can use the chown system call to give away a file, that is, to change the ownership to another user. Under the System V version, any user can give away a file or directory. If the value of the switch is 0, System V chown is enabled. If the value is not zero, BSD chown is enabled.
Code:
tcpiss_md5 = 1
This will utilize RFC1948 sequence number generation techniques to ensure that the initial sequence number for a given TCP socket is very difficult to guess. This tactic makes IP spoofing significantly more difficult to accomplish.

I also enable ipv6 for software development reasons, and it's just nice to have:
Code:
ip6_enable = 1
dexter1 Offline
09-08-2018, 08:14 AM
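
Added example (not part of any post in this thread, and not SGI's code): what the RFC 1948 scheme behind tcpiss_md5 computes, ISN = M + MD5(connection 4-tuple, secret), next to a single shared clock-driven counter. The addresses, ports, secret and the `legacy_isn` model are constructed for illustration; the IRIX kernel's own implementation is not shown on this page.

```python
import hashlib
import socket
import struct

MASK = 0xFFFFFFFF

def clock_ticks(clock_us):
    # M in RFC 1948: a counter that advances once every 4 microseconds.
    return (clock_us // 4) & MASK

def legacy_isn(clock_us):
    # Simplified pre-RFC 1948 model: one clock-driven counter for all peers.
    return clock_ticks(clock_us)

def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us):
    # ISN = M + F(localhost, localport, remotehost, remoteport), where
    # F = MD5(4-tuple || per-host secret), truncated here to 32 bits.
    material = (socket.inet_aton(local_ip) + struct.pack("!H", local_port) +
                socket.inet_aton(remote_ip) + struct.pack("!H", remote_port) +
                secret)
    f = struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]
    return (clock_ticks(clock_us) + f) & MASK

def extrapolate(observed_isn, elapsed_us):
    # The ISN a peer would expect later if every connection shared one offset.
    return (observed_isn + elapsed_us // 4) & MASK

def compare(secret=b"constructed-per-boot-secret"):
    server = ("192.0.2.10", 22)         # constructed documentation addresses
    peer_a = ("198.51.100.7", 40000)    # peer that sees its own ISN at t0
    peer_b = ("203.0.113.9", 40001)     # a different peer, connecting at t1
    t0, t1 = 1000000, 1000400           # microseconds
    results = {}
    # Shared counter: peer A's ISN plus elapsed ticks is exactly peer B's ISN.
    results["legacy_predictable"] = (
        extrapolate(legacy_isn(t0), t1 - t0) == legacy_isn(t1))
    # RFC 1948: the same extrapolation misses, because F differs per 4-tuple.
    seen = rfc1948_isn(*server, *peer_a, secret, t0)
    actual = rfc1948_isn(*server, *peer_b, secret, t1)
    results["rfc1948_predictable"] = extrapolate(seen, t1 - t0) == actual
    # Within one 4-tuple the ISN still advances with the clock.
    again = rfc1948_isn(*server, *peer_a, secret, t1)
    results["same_tuple_delta"] = (again - seen) & MASK
    return results

if __name__ == "__main__":
    print(compare())
```

The per-tuple offset only stays unguessable while the secret does, which is why it has to be a random value that is not known outside the host.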
#3
RE: anyone know the *must change* systune parameters?
Where did you find those descriptions for systune parameters? I've been digging around with various man commands trying to find something like that...

edit: I do recall the tcp sequence number shizm being one of those parameters that was recommended to change, I just couldn't remember which one it was..
(This post was last modified: 09-08-2018, 08:28 AM by gijoe77.)
gijoe77 Offline
09-08-2018, 08:25 AM
#4
RE: anyone know the *must change* systune parameters?
(09-08-2018, 08:25 AM)gijoe77 Wrote: Where did you find those descriptions for systune parameters? I've been digging around with various man commands trying to find something like that...

edit:  I do recall the tcp sequence number shizm being one of those parameters that was recommended to change, I just couldn't remember which one it was..

Below is an extract of the Customising Irix installation Wiki entry found on Nekochan, it's what I generally apply given my lack of knowledge on these matters, most seem sensible...ish. Don't recall the author...


Quote: Systune Kernel Parameters
systune is a tool that enables you to examine and configure your tunable kernel parameters. Systune can adjust some parameters in real time and informs you if you need to reboot your system after reconfiguration.
Core dumps are generally world readable. Hackers can cause them to be generated and then read data such as the "/etc/shadow" file from them. They can also be used in denial of service attacks. The rlimit_core_max kernel parameter specifies the maximum size of a core file and is set to a large value by default. Setting this value to 0 will restrict the generation of core files. This is only a small inconvenience to developers who can still use tools such as CaseVision Tools and Insure++ for debugging.

fuel # systune rlimit_core_max 0

By default the kernel parameter restricted_chown is set to 0, which allows users to give away file ownership in System V style. This is a security risk that has resulted in several recent exploits. Change this value to 1 to enforce the BSD style chown, which only allows root to give away files.

fuel # systune restricted_chown 1

Disable ipforwarding to prevent broadcasting of sensitive system information.
fuel # systune ipforwarding 0

Disable ipsendredirects
fuel # systune ipsendredirects 0

Disable ipdirected_broadcast
fuel # systune ipdirected_broadcast 0

Increase the size of arguments
fuel # systune ncargs 131072

Enable the use of ipv6
fuel # systune ip6_enable 1

Reconfigure the kernel and reboot the machine to make the changes take effect.
fuel # /etc/autoconfig
fuel # /etc/reboot

Note: Some of these modifications are already set if you used the EZsetup wizard earlier.
Octane  1x 400Mhz R12k, 1Gb, V8, 6.5.30m

O2 300Mhz R12K (R10K upgrade mod),  384Mb, 6.5.30m, FPA  with  1600SW (Original R5K chassis, mobo and cpu in storage)
JacquesT Offline
09-08-2018, 08:43 AM
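
Added example (not from the thread or the Nekochan wiki): a check of current tunable values against the security settings recommended in the posts above, producing the `systune` commands for anything that deviates. The `name = value` input form follows the Code: snippets in post #2; the optional `(0x...)` suffix, the `*` comment line and the last-entry-wins handling are assumptions, and the sample input is constructed.

```python
import re

# Security-relevant values recommended in this thread (posts #2 and #4).
BASELINE = {
    "rlimit_core_max": 0,
    "restricted_chown": 1,
    "ipforwarding": 0,
    "ipsendredirects": 0,
    "ipdirected_broadcast": 0,
    "tcpiss_md5": 1,
}

LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(0[xX][0-9a-fA-F]+|\d+)")

def parse_tunables(text):
    """Return {name: int}. Lines that do not parse are skipped and, as an
    assumption of this example, a later entry overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            raw = m.group(2)
            base = 16 if raw.lower().startswith("0x") else 10
            values[m.group(1)] = int(raw, base)
    return values

def audit(text):
    """Return (name, current, wanted) for each deviation from BASELINE.
    current is None when the parameter is absent from the input."""
    current = parse_tunables(text)
    return [(name, current.get(name), want)
            for name, want in BASELINE.items() if current.get(name) != want]

def remediation(findings):
    # Same command form the thread uses: systune <name> <value>
    return ["systune %s %d" % (name, want) for name, _, want in findings]

# Constructed sample input, not captured from a real machine.
SAMPLE = """\
* constructed sample
restricted_chown = 0 (0x0)
rlimit_core_max = 0x7fffffff
ipforwarding = 0
ipsendredirects = 1
ipdirected_broadcast = 0
ncargs = 131072
restricted_chown = 1
"""

if __name__ == "__main__":
    for command in remediation(audit(SAMPLE)):
        print(command)
```

A parameter that is missing from the input is reported rather than assumed safe, since an absent entry says nothing about the kernel's running value.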
#5
RE: anyone know the *must change* systune parameters?
(09-08-2018, 08:25 AM)gijoe77 Wrote: Where did you find those descriptions for systune parameters? I've been digging around with various man commands trying to find something like that...

The restricted-chown is mentioned in the IRIX® Admin: System Configuration and Operation techpub document 007-2859-021 (Thanks to Jan-Jaap).

The tcpiss_md5 I remembered from the security bulletins in my admin days and googled up a document describing the various unix implementations of the mentioned RFC.
dexter1 Offline
09-08-2018, 11:16 PM

