
# 17.7 The sysctl Utility

The sysctl(8) utility is used to retrieve and set the kernel state of a currently running FreeBSD system. This section covers sysctl command usage and sysctl.conf configuration methods.

sysctl(8) can retrieve kernel state and, when run by a process with appropriate privileges, set it.

## Reading Kernel State Variables

The sysctl command supports reading and writing kernel state variables. To view all readable variables:

```sh
$ sysctl -a
```

The output is similar to the following:

```sh
kern.ostype: FreeBSD
kern.osrelease: 16.0-CURRENT
kern.osrevision: 199506
kern.version: FreeBSD 16.0-CURRENT #0 main-n285005-e9fc0c538264: Mon Apr 13 12:44:54 UTC 2026
    root@releng3.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC

kern.maxvnodes: 184403
kern.maxproc: 9428
kern.maxfiles: 129441
kern.argmax: 524288
kern.securelevel: -1
kern.hostname: ykla
kern.hostid: 4270621168
kern.clockrate: { hz = 100, tick = 10000, profhz = 8128, stathz = 127 }

... other output omitted ...
```

To read a specific variable, specify its name:

```sh
$ sysctl kern.maxproc
```

The output is similar to the following:

```sh
kern.maxproc: 9428
```

### Reading Kernel State Variables Using the Management Information Base Table

sysctl uses Management Information Base (MIB)-style ASCII names as identifiers.

**Management Information Base Table**

| sysctl    | Description                       |
| --------- | --------------------------------- |
| kern      | Kernel functionality and features |
| vm        | Virtual memory                    |
| vfs       | File system                       |
| net       | Network                           |
| debug     | Debug parameters                  |
| hw        | Hardware                          |
| machdep   | Machine-dependent                 |
| user      | User space                        |
| p1003\_1b | POSIX 1003.1B                     |

The Management Information Base (MIB) is hierarchical, so specifying a particular prefix will list all nodes below it:

```sh
$ sysctl net
```

The output is similar to the following:

```sh
net.local.stream.recvspace: 65536
net.local.stream.sendspace: 65536
net.local.dgram.recvspace: 16384
net.local.dgram.maxdgram: 8192
net.local.seqpacket.recvspace: 65536
net.local.seqpacket.maxseqpacket: 65536
net.local.sockcount: 19
net.local.taskcount: 9

... other output omitted ...
```

## Files Related to sysctl

```sh
/
└── etc/
    ├── rc.d/
    │   ├── sysctl               # rc(8) script, processes sysctl.conf, executed early during system transition to multi-user mode
    │   └── sysctl_lastload      # rc(8) script, processes sysctl.conf, executed when the system is near multi-user mode
    ├── sysctl.conf              # Initial settings for sysctl(8)
    ├── sysctl.conf.local        # Machine-specific settings, for sites that share a common /etc/sysctl.conf (does not exist by default)
    └── sysctl.kld.d/            # Kernel module-specific settings, for modules loaded via rc.subr(8) (empty directory by default)
```

At system startup, the **/etc/rc.d/sysctl** script loads the **/etc/sysctl.conf** file.

The source code for sysctl is at [/sbin/sysctl/](https://github.com/freebsd/freebsd-src/tree/main/sbin/sysctl).

The default sysctl.conf file is kept in the source tree at [/sbin/sysctl/sysctl.conf](https://github.com/freebsd/freebsd-src/blob/main/sbin/sysctl/sysctl.conf).

> **Tip**
>
> It is not recommended to modify the **/etc/sysctl.conf** file directly. If custom configuration is needed, put it in the **/etc/sysctl.conf.local** file instead, so that it is not overwritten during system updates.

## Configuration File

The **/etc/sysctl.conf** file is read when the system enters multi-user mode and is used to set the kernel's default configuration. The format is similar to **/etc/rc.conf**.

The default **/etc/sysctl.conf** file in the base system is essentially empty:

```sh
#  This file is read when the system enters multi-user mode, its contents are piped through sysctl to adjust kernel values
#  See man 5 sysctl.conf for details


#  Uncomment this line to prevent users from viewing process information run by other UIDs
#security.bsd.see_other_uids=0
```

Lines beginning with `#` are comments, so every line shown above is a comment and none of them takes effect.

> **Tip**
>
> Enabling `security.bsd.see_other_uids=0` and `security.bsd.see_other_gids=0` is recommended; these settings restrict users from viewing the process information of other users.

> **Warning**
>
> Although the **/etc/sysctl.conf** file is essentially empty, the system's sysctl parameters still have default values. These defaults are defined in the kernel through macros such as `SYSCTL_INT`. Use `sysctl -a` to list the current values of all parameters on the system.

## Setting Kernel State Variables

To set a specific variable, use the syntax **variable**=**value**.

```ini
sysctl_mib_identifier=value
```

Example:

```sh
# sysctl kern.maxfiles=9500
```

> **Note**
>
> The specified value will be set after the system enters multi-user mode. Not all variables can be set in this mode.

The output is similar to the following:

```sh
kern.maxfiles: 9428 -> 9500
```

> **Note**
>
> To persist the configuration across reboots, these variables must be added to the **/etc/sysctl.conf** file.

For example, to disable logging of fatal signal exits and prevent users from viewing processes started by other users, you can set the following parameters in the **/etc/sysctl.conf** file:

```ini
# Do not log fatal signal exits (e.g., sig 11)
kern.logsigexit=0

# Prevent users from viewing process information started by other UIDs.
security.bsd.see_other_uids=0
```
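
A drift check for the settings discussed above, as an added example that is not part of the original page or FreeBSD project code: it parses sysctl.conf-format files (`#` comments, `name=value` lines) and reports every setting whose value in saved `sysctl -a` output differs or is missing. The function names and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example (not FreeBSD project code): report sysctl.conf settings that
# are not in effect. Function names and sample data are constructed.

# sysctl_drift LIVE CONF...   LIVE holds `sysctl -a` output ("name: value");
# CONF files are read in the order given, so later assignments win.
sysctl_drift() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        FILENAME == ARGV[1] {              # live kernel values
            i = index($0, ": ")
            if (i > 0) live[substr($0, 1, i - 1)] = substr($0, i + 2)
            next
        }
        {                                  # sysctl.conf-format lines
            sub(/#.*/, "")                 # drop comments; "#" inside a quoted value is not handled
            line = trim($0)
            i = index(line, "=")
            if (i == 0) next               # blank or malformed line
            want[trim(substr(line, 1, i - 1))] = trim(substr(line, i + 1))
        }
        END {
            for (n in want) {
                if (!(n in live)) print n, "want=" want[n], "have=<missing>"
                else if (live[n] != want[n]) print n, "want=" want[n], "have=" live[n]
            }
        }
    ' "$@" | sort
}

# Constructed sample: one value drifted, one name absent from the kernel output.
sysctl_drift_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/live" <<'EOF'
kern.logsigexit: 1
kern.maxfiles: 129441
security.bsd.see_other_uids: 0
EOF
    cat > "$d/conf" <<'EOF'
# constructed sysctl.conf
kern.logsigexit=0
security.bsd.see_other_uids=0   # trailing comment
security.bsd.see_other_gids=0
#kern.maxfiles=9500
EOF
    sysctl_drift "$d/live" "$d/conf"
    rm -rf "$d"
}
sysctl_drift_demo
```

On a FreeBSD host, save the output of `sysctl -a` to a file and pass it first, followed by **/etc/sysctl.conf** (and **/etc/sysctl.conf.local**, if it exists).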

## References

* FreeBSD Project. sysctl(8)\[EB/OL]. \[2026-04-17]. <https://man.freebsd.org/cgi/man.cgi?query=sysctl&sektion=8>. Kernel state query and setting tool manual page.
* FreeBSD Project. sysctl.conf(5)\[EB/OL]. \[2026-04-17]. <https://man.freebsd.org/cgi/man.cgi?query=sysctl.conf&sektion=5>. sysctl configuration file manual page.

## Exercises

1. Create a **/etc/sysctl.conf.local** file and set several custom sysctl parameters, verify whether they override system default values, and analyze the loading order of sysctl configuration files.
2. Review the source code implementation of a sysctl parameter (such as one defined through the `SYSCTL_INT` macro), and analyze its read/write permission control and value range validation mechanism.
3. Enable `security.bsd.see_other_uids=0` and `security.bsd.see_other_gids=0`, compare the differences in process information visible to regular users before and after enabling, and analyze the implementation principle of this security policy at the process visibility control level.

