Nice guide. I used it on Stretch. I had to symlink /var/lib/sudo/ts to /tmp because it gives an error every time running sudo, then I made a systemd service to make that folder The /tmp/random-seed file does not get created at startup, even though I added the ExecStartPre line. It says success, but I can't figure out why that file isn't being created: Process: 97 ExecStartPre=/bin/echo a > /tmp/random-seed (code=exited, status=0/SUCCESS) Stretch uses systemd-timesyncd, so there's no need for ntp and it would conflict. I like the bash_logout idea to mount ro, but it fails because mount: only root can use "--options" option Fail2ban isn't working. Anybody know if it's possible to configure that to monitor the busybox ring buffer?