kernel

settings.kernel.lockdown

Sets the mode for the lockdown Linux security module.

Default: integrity except for nvidia and dev variant flavours which use none

• confidentiality : blocks most methods of reading kernel memory from userspace. Tools that rely on reading kernel memory may not work in this mode.
• integrity : blocks most methods for overwriting kernel memory or modifying kernel code. This mode prevents unsigned kernel modules from loading.
• none : disables protection by the Lockdown security module.

• kernel_lockdown Linux Manual Page
• Bottlerocket Security Gudiance on GitHub
• Linux kernel lockdown, integrity, and confidentiality

settings.kernel.modules.<name>.allowed

Allows (true) or disallows (false) the loading of kernel module <name>.

• true
• false

• TOML
• apiclient

[settings.kernel.modules.sctp]
allowed = false

[settings.kernel.modules.udf]
allowed = true

apiclient set settings.kernel.modules.sctp.allowed=false

apiclient set settings.kernel.modules.udf.allowed=true

• settings.boot.kernel-parameters

settings.kernel.modules.<name>.autoload

If true, the kernel <name> module loads automatically on boot.

• true
• false

• TOML
• apiclient

[settings.kernel.modules.ip_vs_lc]
allowed = true
autoload = true

apiclient set settings.kernel.modules.ip_vs_lc.allowed=true settings.kernel.modules.ip_vs_lc.autoload=true

• settings.boot.kernel-parameters

settings.kernel.sysctl

Sets kernel parameters.

• TOML

[settings.kernel.sysctl]
"user.max_user_namespaces" = "16384"
"vm.max_map_count" = "262144"

• sysctl Linux Manual Page