I have another suggestion: I noticed that the sysctl config in /etc/sysctl.d was better in Ubuntu MATE.
I then added the conf files from Ubuntu to my system.
I suggest adding them to the default config if it is relevant (I mean it may be set as default in the kernel compile parameters, which I don't know).
```
[root sysctl.d]$for i in *; do echo -n "========="; echo "$i:"; cat $i; done
========= 100-manjaro.conf:
# https://archived.forum.manjaro.org/t/encrypted-swap-partition-system-freeze/6993
#vm.swappiness = 1
vm.swappiness = 60
# Enable the SysRq key
kernel.sysrq = 1
========= 10-kernel-hardening.conf:
# These settings are specific to hardening the kernel itself from attack
# from userspace, rather than protecting userspace from other malicious
# userspace things.
#
#
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict = 1
========= 10-link-restrictions.conf:
# These settings eliminate an entire class of security vulnerability:
# time-of-check-time-of-use cross-privilege attacks using guessable
# filenames (generally seen as "/tmp file race" vulnerabilities).
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
========= 10-network-security.conf:
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
========= 10-zeropage.conf:
# Protect the zero page of memory from userspace mmap to prevent kernel
# NULL-dereference attacks against potential future kernel security
# vulnerabilities. (Added in kernel 2.6.23.)
#
# While this default is built into the Ubuntu kernel, there is no way to
# restore the kernel default if the value is changed during runtime; for
# example via package removal (e.g. wine, dosemu). Therefore, this value
# is reset to the secure default each time the sysctl values are loaded.
vm.mmap_min_addr = 65536
========= 99-sysctl.conf:
kernel.sysrq=1
fs.inotify.max_user_watches = 524288
```
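
To see whether a running system already has the hardening values from the Ubuntu files quoted in the post above (they may be kernel defaults, as the post wonders), the shell function below compares `/proc/sys` against them. It is an added example, not part of the original post or of either distribution's packaging; the function name `audit_sysctl`, the `eq`/`min` comparison modes and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit sysctl values against the settings quoted in the post.
# BASELINE lines are "<key> <mode> <value>": "eq" must equal, "min" must be >=.
# The eq/min split is this example's assumption: the quoted comments describe
# kptr_restrict=2 as stricter than 1, and a larger mmap_min_addr protects more
# low memory, so higher values pass for those two keys.
BASELINE='kernel.kptr_restrict min 1
fs.protected_hardlinks eq 1
fs.protected_symlinks eq 1
net.ipv4.conf.default.rp_filter eq 1
net.ipv4.conf.all.rp_filter eq 1
net.ipv4.tcp_syncookies eq 1
vm.mmap_min_addr min 65536'

# audit_sysctl [ROOT]: print one line per key; exit status = number of failures.
# ROOT defaults to /proc/sys; pass another directory to audit a captured copy.
audit_sysctl() {
    root=${1:-/proc/sys}
    failures=0
    while read -r key mode want; do
        # sysctl key "a.b.c" lives at ROOT/a/b/c
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (expected $mode $want)"
            failures=$((failures + 1))
            continue
        fi
        have=$(cat "$path")
        ok=no
        case $mode in
            eq)  [ "$have" = "$want" ] && ok=yes ;;
            min) [ "$have" -ge "$want" ] 2>/dev/null && ok=yes ;;
        esac
        if [ "$ok" = yes ]; then
            echo "OK      $key = $have"
        else
            echo "FAIL    $key = $have (expected $mode $want)"
            failures=$((failures + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$failures"
}
```

Source the file and run `audit_sysctl` with no argument to check the live kernel; any `FAIL` or `MISSING` line marks a key where the running value differs from the quoted Ubuntu setting.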