# rke2
Hey all, does anyone have more detailed information on the CIS Hardening guide's host-level requirements? https://docs.rke2.io/security/hardening_guide. The documentation says it's required but doesn't really say why they are required. The kernel parameters that are required for CIS with RKE2 are:
# /usr/local/share/rke2/rke2-cis-sysctl.conf
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
The vm.overcommit_memory setting seems questionable to me. The kernel docs (https://www.kernel.org/doc/Documentation/sysctl/vm.txt) call out:
overcommit_memory:

This value contains a flag that enables memory overcommitment.

When this flag is 0, the kernel attempts to estimate the amount
of free memory left when userspace requests more memory.

When this flag is 1, the kernel pretends there is always enough
memory until it actually runs out.

When this flag is 2, the kernel uses a "never overcommit"
policy that attempts to prevent any overcommit of memory.
Note that user_reserve_kbytes affects this policy.

This feature can be very useful because there are a lot of
programs that malloc() huge amounts of memory "just-in-case"
and don't use much of it.

The default value is 0.
Does anyone know what this has to do with CIS controls? Also why is this the default parameter? Memory seems like one of those things that you do not want to overcommit imo. Any thoughts or info would be appreciated.
They are required because CIS requires them. The CIS benchmarks are developed by an industry group and published to members. Our guides reference those benchmarks. The reasoning WHY something is required is usually covered in the full publication.
Thanks for the fast response, Brandon! I will take a look at those docs
Hey Brandond, do you happen to remember which CIS benchmark document rke2 typically refers to? I've looked at the CIS Kubernetes Benchmark v1.12 - 09-26-2025 and CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 - 08-26-2024 but cannot find any document that refers to that configuration. The picture below doesn't show RKE2 either, so maybe I'm missing something here. If you have any suggestions or pointers, that would be appreciated. Thanks!
Actually, I've found that this falls under protect-kernel-defaults. I was searching for overcommit_memory. So that gives me more to go on. Thanks