Protect your Raspberry PI SD card, use Read-Only filesystem

  • We need to put the system into Read-Write mode before changing the crontab.
    If you followed this tutorial, it should be something like this:

    sudo mount -o remount,rw /

    Then edit your crontab

    sudo crontab -e

    Put it back in Read-Only mode, or reboot:

    sudo mount -o remount,ro /
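As an added example (not from the article or any commenter), a POSIX sh helper for the remount-rw / edit / remount-ro sequence in the comment above: it checks whether a mount point is currently read-only by parsing /proc/mounts with a whole-option match (so ext4's `errors=remount-ro` is not mistaken for `ro`), and wraps one command so the filesystem goes back to read-only even if that command fails. The function names and the sample /proc/mounts lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Defines two helpers;
# nothing runs at load time, so it can be sourced into a root shell.

# mount_is_ro MOUNTPOINT [MOUNTS_FILE]
# Exit status 0 if MOUNTPOINT is mounted read-only, 1 if read-write,
# 2 if it is not mounted at all. MOUNTS_FILE defaults to /proc/mounts;
# a constructed file can be passed instead for testing. Sample lines:
#   /dev/mmcblk0p2 / ext4 rw,noatime,errors=remount-ro 0 0   -> rw
#   /dev/mmcblk0p1 /boot vfat ro,relatime 0 0                -> ro
mount_is_ro() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last line for a mount point is the effective (topmost) mount.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 2
    # Match "ro" as a whole comma-separated option; a plain grep for "ro"
    # would also hit "errors=remount-ro" on a read-write ext4 root.
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# with_rw MOUNTPOINT CMD [ARGS...]
# Remount MOUNTPOINT read-write, run CMD, then put it back read-only,
# also when CMD fails or the shell is interrupted. Requires root, since
# mount -o remount is root-only. Returns CMD's exit status.
with_rw() {
    mp=$1; shift
    mount -o remount,rw "$mp" || return 1
    trap 'mount -o remount,ro "$mp"' EXIT INT TERM
    "$@"; rc=$?
    mount -o remount,ro "$mp"
    trap - EXIT INT TERM
    return $rc
}

# Typical use as root on a read-only root filesystem:
#   with_rw / nano /etc/crontab
#   mount_is_ro / && echo "root filesystem is read-only again"
```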

  • Charles, you are going wrong. crontab -e gives us a file in /tmp, which is deleted on boot. We need to go this way:

    sudo su
    nano /etc/crontab

    (don't forget to add the user); example below:

    root /usr/bin/ > /dev/null 2>&1

  • Hello Charles,
    I was wondering if I don't have entry about /tmp being a mount entry point for tmpfs neither in fstab nor mtab, what would be the point in moving things there? Am I missing something or?
    I am playing with Raspberry PI-2 and Raspbian Jessie.

  • Great article, thanks! To be able to use sudo I did have to add this line to /etc/fstab as well:

    tmpfs /var/lib/sudo/ts tmpfs nosuid,nodev 0 0

  • Has this tutorial worked for anyone? The first error I saw was under "Move files to temp filesystem" after running:

    touch /tmp/dhcpcd.resolv.conf; ln -s /tmp/dhcpcd.resolv.conf /etc/resolv.conf

    Failed to create symbolic link ‘etc/resolv.conf’ file exists. Next, after reboot, I see errors regarding “a start job is running for dhcpd on all interfaces...”. The Raspberry Pi fails to boot and I never get to the pi@raspberrypi: prompt. Thanks in advance for any insights!

  • I don't seem to be able to copy/paste from your crayon syntax highlighter widgets? The copy button doesn't work, nor does the button to expand the code.

  • OK, nice tutorial. But where (I mean in which file) do I have to place:

    rm -rf /var/lib/dhcp/ /var/lib/dhcpcd5 /var/run /var/spool /var/lock /etc/resolv.conf
    ln -s /tmp /var/lib/dhcp
    ln -s /tmp /var/lib/dhcpcd5
    ln -s /tmp /var/run
    ln -s /tmp /var/spool
    ln -s /tmp /var/lock
    touch /tmp/dhcpcd.resolv.conf; ln -s /tmp/dhcpcd.resolv.conf /etc/resolv.conf

  • Nice guide. I used it on Stretch.

    • I had to symlink /var/lib/sudo/ts to /tmp because it gives an error every time I run sudo; then I made a systemd service to create that folder.
    • The /tmp/random-seed file does not get created at startup, even though I added the ExecStartPre line. It says success, but I can't figure out why that file isn't being created:
      Process: 97 ExecStartPre=/bin/echo a > /tmp/random-seed (code=exited, status=0/SUCCESS)
    • Stretch uses systemd-timesyncd, so there's no need for ntp and it would conflict.
    • I like the bash_logout idea to mount ro, but it fails because mount: only root can use "--options" option
    • Fail2ban isn't working. Anybody know if it's possible to configure that to monitor the busybox ring buffer?

  • I am following this article in order to avoid any and every write to /var/log/ (for example /var/log/wtmp, /var/log/last.log, etc.).
    Is it possible?

    Note that by disabling rsyslog.service, I could suppress write to messages and syslog files.

    Using the systemd mask operation, I could mask systemd-update-utmp.service and systemd-update-utmp-runlevel.service. However, the wtmp and lastlog files are still updated.

    Please advise.