diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb
new file mode 100644
index 0000000000000000000000000000000000000000..fab1522c87f2063deb521da8fbda311292587b02
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+SUMMARY = "Oniro project specific sysctl settings"
+SECTION = "base"
+DESCTIPTION = "This recipes provides a set of Oniro Project specific settings for the kernel hardening."
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+SRC_URI = 	" 				\
+		file://oniro-bpf.conf 		\
+		file://oniro-general.conf 	\
+		file://oniro-net-ipv4.conf 	\
+		file://oniro-net-ipv6.conf 	\
+		"
+inherit allarch
+
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+	install -d "${D}/${sysconfdir}/sysctl.d"
+	install -m 0644 "${WORKDIR}/oniro-general.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv4.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv6.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-bpf.conf" "${D}${sysconfdir}/sysctl.d/"
+}
+
+FILES_${PN} += "${sysconfdir}/sysctl.d/oniro-*"
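Review bot: `DESCTIPTION` in the recipe header is a misspelling of `DESCRIPTION`, so BitBake assigns an unused variable and the package presumably ships without the intended description. The line should read `DESCRIPTION = "This recipe provides a set of Oniro Project specific sysctl settings for kernel hardening."`. As a style point, the `install -d` line in `do_install` uses `${D}/${sysconfdir}` while the four `install -m 0644` lines use `${D}${sysconfdir}`; this is harmless, but the forms should match.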
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ab92b31582c7f9729a567a927750c8606e3ce9ec
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1
+
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2
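Review bot: The comment above `kernel.unprivileged_bpf_disabled = 1` should say that the value 1 is a one-way switch, because per the kernel's sysctl documentation it cannot be changed back until reboot. Something like `# Value 1 is irreversible at runtime; a later sysctl.d file cannot re-enable unprivileged eBPF.` would let image maintainers know that overriding it needs a recipe change, not a drop-in file.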
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf
new file mode 100644
index 0000000000000000000000000000000000000000..45f71df5f27477ee919a7f3a9540117de56a7bd9
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Try to keep kernel address exposures out of various /proc files 
+# (kallsyms, modules, etc). (There is no CONFIG for the changing the initial value.)
+kernel.kptr_restrict = 2
+
+# Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2")
+# https://lwn.net/Articles/696264/
+kernel.perf_event_paranoid = 3
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
+user.max_user_namespaces = 0
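Review bot: The comment above `user.max_user_namespaces = 0` should state the functional cost, since a limit of zero also stops software that relies on user namespaces for its own sandboxing (container runtimes, browser sandboxes and similar) from working. A line such as `# NOTE: breaks sandboxes/containers that need user namespaces; raise the limit in a later sysctl.d file if an image requires them.` would make the trade-off visible. Likewise `kernel.kexec_load_disabled = 1` cannot be reset without a reboot, and `kernel.yama.ptrace_scope` only exists when the Yama LSM is built into the kernel; both deserve a short comment so a missing or immutable key is not a surprise at boot.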
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf
new file mode 100644
index 0000000000000000000000000000000000000000..800dba2ce885f8bde1b2e83f4cad4d5f5539e97a
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Reverse Path Filtering
+net.ipv4.conf.all.rp_filter = 1
+
+# Do not accept ICMP redirect messages
+net.ipv4.conf.default.accept_redirects = 0
+
+# Do not accept packets with SRR option.
+net.ipv4.conf.default.accept_source_route = 0
+
+# Log packets with impossible addresses to kernel log
+net.ipv4.config.default.log_martians = 1
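Review bot: The last key, `net.ipv4.config.default.log_martians`, is misspelled (`config` for `conf`), so it names a sysctl that does not exist and martian logging is never enabled; it should be `net.ipv4.conf.default.log_martians = 1`. The redirect and source-route settings are also applied only to `conf.default`, which seeds interfaces created afterwards. Per the kernel's ip-sysctl documentation, a non-forwarding interface accepts ICMP redirects when either the `all` or the per-interface value is true, so `net.ipv4.conf.all.accept_redirects = 0` is needed as well, matching what the IPv6 file in this commit does. Setting the `all` variant of `log_martians` alongside the corrected line would similarly cover interfaces that already exist when the file is applied.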
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf
new file mode 100644
index 0000000000000000000000000000000000000000..43def55d0c0947415d87ba4f93bbb7e6761eff06
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Do not accept redirects
+net.ipv6.conf.all.accept_redirects  = 0
+net.ipv6.conf.default.accept_redirects = 0
diff --git a/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb b/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
index 12961f350888566300fa13c7b57822fc2b042964..808f5e2f48be4d2d79c64e3ca63a5be3508bf3ba 100644
--- a/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
+++ b/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
@@ -10,4 +10,5 @@ PACKAGES = "packagegroup-oniro-core"
 
 RDEPENDS_packagegroup-oniro-core = "\
 	oniro-mounts \
+	oniro-sysctl \
 	"