diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
index 6c05b5e01a..95d3054bca 100644
--- a/install_files/ansible-base/roles/common/defaults/main.yml
+++ b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -5,36 +5,6 @@ disabled_kernel_modules:
 - iwlmvm
 - iwlwifi
 
-sysctl_flags:
- - name: "net.ipv4.tcp_max_syn_backlog"
- value: "4096"
- - name: "net.ipv4.tcp_syncookies"
- value: "1"
- - name: "net.ipv4.conf.all.rp_filter"
- value: "1"
- - name: "net.ipv4.conf.all.accept_source_route"
- value: "0"
- - name: "net.ipv4.conf.all.accept_redirects"
- value: "0"
- - name: "net.ipv4.conf.all.secure_redirects"
- value: "0"
- - name: "net.ipv4.conf.default.rp_filter"
- value: "1"
- - name: "net.ipv4.conf.default.accept_source_route"
- value: "0"
- - name: "net.ipv4.conf.default.accept_redirects"
- value: "0"
- - name: "net.ipv4.conf.default.secure_redirects"
- value: "0"
- - name: "net.ipv4.icmp_echo_ignore_broadcasts"
- value: "1"
- - name: "net.ipv4.ip_forward"
- value: "0"
- - name: "net.ipv4.conf.all.send_redirects"
- value: "0"
- - name: "net.ipv4.conf.default.send_redirects"
- value: "0"
-
 unused_packages:
 - libiw30
 - wireless-tools
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
index c5a68f650d..bd7a5f5e0c 100644
--- a/install_files/ansible-base/roles/common/tasks/main.yml
+++ b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -22,8 +22,6 @@
 
 - include_tasks: remove_unused_packages.yml
 
-- include_tasks: sysctl.yml
-
 - include_tasks: disable_swap.yml
 
 - include_tasks: remove_kernel_modules.yml
diff --git a/install_files/ansible-base/roles/common/tasks/sysctl.yml b/install_files/ansible-base/roles/common/tasks/sysctl.yml
deleted file mode 100644
index e05adc5415..0000000000
--- a/install_files/ansible-base/roles/common/tasks/sysctl.yml
+++ /dev/null
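Review bot: On the new side of the defaults/main.yml hunk the common role no longer sets any of the net.ipv4 hardening values (rp_filter, accept_source_route, accept_redirects, secure_redirects, send_redirects, icmp_echo_ignore_broadcasts, ip_forward, tcp_syncookies, tcp_max_syn_backlog), and nothing in this diff applies them elsewhere: the tasks/main.yml hunk drops the `- include_tasks: sysctl.yml` line and sysctl.yml itself is deleted. If these settings now come from a packaged sysctl.d fragment or another role, that lives outside this diff and the commit should name it; otherwise provisioned hosts fall back to kernel and distribution defaults, which may differ from the removed values for the redirect and rp_filter knobs. The test_system_hardening.py hunk also removes the only assertion for these values, so such a regression would go unnoticed; keeping `test_sysctl_options` with the list the replacement mechanism is expected to produce would verify the move rather than assume it.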
@@ -1,14 +0,0 @@
----
- # These are not the same sysctl flags as
- # {{ grsec_sysctl_flags }}, thus the separate task.
-- name: Set sysctl flags for net.ipv4 config.
- sysctl:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- sysctl_set: yes
- state: present
- reload: yes
- with_items: "{{ sysctl_flags }}"
- tags:
- - sysctl
- - hardening
diff --git a/install_files/ansible-base/roles/grsecurity/defaults/main.yml b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
index 4d245bdcff..18d21c61bc 100644
--- a/install_files/ansible-base/roles/grsecurity/defaults/main.yml
+++ b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
@@ -6,8 +6,3 @@ grsec_sysctl_flags:
 # rest will not be applied
 - name: "kernel.grsecurity.grsec_lock"
 value: "1"
- # Stack clash mitigation, increasing main stack gap to 1MB.
- # Storing as part of grsecurity vars, because sysctl option won't
- # exist otherwise.
- - name: "vm.heap_stack_gap"
- value: "1048576"
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
index 83d17f58eb..a8431a1aa4 100644
--- a/molecule/testinfra/common/test_grsecurity.py
+++ b/molecule/testinfra/common/test_grsecurity.py
@@ -81,7 +81,6 @@ def test_grsecurity_kernel_is_running(host):
 [
 ("kernel.grsecurity.grsec_lock", 1),
 ("kernel.grsecurity.rwxmap_logging", 0),
- ("vm.heap_stack_gap", 1048576),
 ],
 )
 def test_grsecurity_sysctl_options(host, sysctl_opt):
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
index 9f01dffed7..39df8b1822 100644
--- a/molecule/testinfra/common/test_system_hardening.py
+++ b/molecule/testinfra/common/test_system_hardening.py
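Review bot: The grsecurity defaults hunk removes `vm.heap_stack_gap` without recording why, and the test_grsecurity.py hunk removes its assertion with it, so the new side carries no trace that the stack-gap setting was deliberately dropped rather than lost. The deleted comment explained the value was kept in this list because the sysctl only exists on the grsecurity kernel; if the kernel now in use no longer exposes it, or a different mitigation is relied on, a one-line comment in the list such as `# vm.heap_stack_gap intentionally not set: <reason>` would keep the next reader from re-adding it or assuming it is still enforced. The `grsec_sysctl_flags` list starts before this hunk's context lines, so the comment would go on the defaults file rather than in the hunk itself.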
@@ -7,34 +7,6 @@ testinfra_hosts = [sdvars.app_hostname, sdvars.monitor_hostname]
 
 
 
-@pytest.mark.parametrize(
- "sysctl_opt",
- [
- ("net.ipv4.conf.all.accept_redirects", 0),
- ("net.ipv4.conf.all.accept_source_route", 0),
- ("net.ipv4.conf.all.rp_filter", 1),
- ("net.ipv4.conf.all.secure_redirects", 0),
- ("net.ipv4.conf.all.send_redirects", 0),
- ("net.ipv4.conf.default.accept_redirects", 0),
- ("net.ipv4.conf.default.accept_source_route", 0),
- ("net.ipv4.conf.default.rp_filter", 1),
- ("net.ipv4.conf.default.secure_redirects", 0),
- ("net.ipv4.conf.default.send_redirects", 0),
- ("net.ipv4.icmp_echo_ignore_broadcasts", 1),
- ("net.ipv4.ip_forward", 0),
- ("net.ipv4.tcp_max_syn_backlog", 4096),
- ("net.ipv4.tcp_syncookies", 1),
- ],
-)
-def test_sysctl_options(host, sysctl_opt):
- """
- Ensure sysctl flags are set correctly. Most of these checks
- are hardening IPv4, which is appropriate due to the heavy use of Tor.
- """
- with host.sudo():
- assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]
-
-
 def test_dns_setting(host):
 """
 Ensure DNS service is hard-coded in resolv.conf config.