We might want to set our sysctl values earlier in boot to better defend the system against rootkits that run before systemd-sysctl is executed.
For example: rootkit executes before kptr_restrict is set -> gets access to kernel symbols -> can now use those for kernel exploits
Or, even worse: rootkit executes before kexec_load_disabled is set -> replaces the running kernel with a malicious kernel
apparmor-profile-everything will prevent the attacker from changing the sysctls themselves so that’s not a problem. The problem is if the attacker manages to launch attacks before they are changed to our safer settings.
The best approach to this would be to hard-code the sysctl values with a kernel patch and make them read-only with __ro_after_init (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c74ba8b3480da6ddaea17df2263ec09b869ac496) so even arbitrary-write kernel exploits can’t overwrite the values.
Or, we can set our sysctl values in the initramfs which is better than systemd-sysctl, but not as good as above.
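As an added example that is not from the post or from Whonix, the initramfs option in the last sentence written as a Debian initramfs-tools init-top script: it sets the two sysctls named above before the real root filesystem is mounted and reads each one back, so a failed write is reported instead of silently leaving the default. The install path, the script name and the hardened values (kptr_restrict=2, kexec_load_disabled=1) are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): initramfs-tools "init-top" script that
# applies hardening sysctls before the root filesystem is mounted, i.e. long
# before systemd-sysctl runs. Assumed install path:
# /etc/initramfs-tools/scripts/init-top/early-sysctl, then `update-initramfs -u`.
PREREQ=""

# Keys come from the post; the values are the usual hardened settings (assumed).
EARLY_SYSCTLS="kernel.kptr_restrict=2 kernel.kexec_load_disabled=1"

# Write one sysctl under $root (/proc/sys at boot) and read it back: a write
# that silently fails would leave the weak default in place, so verify it.
set_sysctl() {
    root="$1"; key="$2"; want="$3"
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -w "$path" ]; then
        echo "early-sysctl: $key not available at $path" >&2
        return 1
    fi
    printf '%s\n' "$want" > "$path" 2>/dev/null || {
        echo "early-sysctl: write to $key failed" >&2; return 1; }
    got=$(cat "$path")
    if [ "$got" != "$want" ]; then
        echo "early-sysctl: $key is $got, expected $want" >&2
        return 1
    fi
    return 0
}

# Apply every entry, report all failures rather than stopping at the first,
# and return non-zero if any setting did not end up at its hardened value.
apply_early_sysctls() {
    sysroot="$1"; failed=0
    for entry in $EARLY_SYSCTLS; do
        set_sysctl "$sysroot" "${entry%%=*}" "${entry#*=}" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

case "${1:-}" in
    prereqs) echo "$PREREQ"; exit 0 ;;   # dependency query made by update-initramfs
    apply)   apply_early_sysctls "${2:-/proc/sys}"; exit $? ;;   # manual: sh early-sysctl apply [root]
    "")      # boot-time call has no arguments; /scripts/functions exists only inside the initramfs
             [ -r /scripts/functions ] && apply_early_sysctls /proc/sys ;;
esac
```

Passing a directory other than /proc/sys to `apply` lets you exercise the script against a constructed tree without touching the running kernel.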