One final follow-up, Peter, with a corrective action.

I was preparing a patch to the securelevel(7) documentation, and as part of that I was examining /etc/rc securelevel handling in more detail. The /etc/rc.securelevel script, if it exists, is called at the time rc(8) raises the level from 0 to 1. The sysctl can be set to 2 within that script.

If you rename your /etc/rc.local file to rc.securelevel, the sysctl will only be raised a single time.

# mv /etc/rc.local /etc/rc.securelevel
