Hardening a Raspberry Pi

…to prevent potential filesystem issues.

A Raspberry Pi can easily end up with a broken filesystem. This is because it continuously writes data to /tmp and /var/log (SD cards don’t like that), and hard power-offs and reboots aren’t unlikely (the filesystem doesn’t like these). There are three measures to prevent that:

1) Use a good, industrial grade SD card.
2) Move /tmp and /var/log into RAM.
3) Enable full journaling on the filesystem.

Move /tmp and /var/log into RAM

Create a /log directory and add this to your /etc/fstab:

tmpfs   /tmp    tmpfs   nodev,nosuid,noatime,size=256M  0   0
tmpfs   /log    tmpfs   nodev,nosuid,noatime,size=256M  0   0

This creates two RAM-based temporary filesystems, /tmp and /log, of 256 MB each. Delete /tmp and reboot; then you can also delete /var/log and run ln -s /log /var/log (reboot again).

Note: You’ll lose 512 MB of RAM, but for a current 4 GB Raspberry Pi 4 that’s acceptable. Also, the logs will be lost after each reboot or crash. If you need them for debugging, remove the /var/log softlink again and recreate the /var/log directory.

Enable full journaling on the filesystem

For any partition other than the root partition, it’s enough to add the data=journal option to /etc/fstab. But for the root partition you have to set it as the default using tune2fs first:

tune2fs -o journal_data /dev/sda1

(assuming /dev/sda1 is mounted as /)

Then you add data=journal to /etc/fstab:

/dev/sda1  /               ext4    defaults,noatime,data=journal  0       1
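
Since a typo in /etc/fstab only shows up at the next boot, it helps to check the entries from both sections before rebooting. The script below is an added example, not part of the original post: the function names are made up for illustration, and it tests for nodev and nosuid on the tmpfs mounts because those two options are what keep device nodes and setuid binaries from being usable in the RAM-backed directories.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for the entries on this page.

# fstab_entry FILE MOUNTPOINT -> prints "fstype options" of the last
# non-comment entry for MOUNTPOINT; fails if there is none.
fstab_entry() {
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $2 == mp { found = $3 " " $4 }
        END { if (found == "") exit 1; print found }' "$1"
}

# has_opts FILE MOUNTPOINT FSTYPE OPT... -> succeeds only if the entry
# exists, has that filesystem type and carries every listed option.
has_opts() {
    file=$1; mp=$2; want_type=$3; shift 3
    entry=$(fstab_entry "$file" "$mp") || return 1
    [ "${entry%% *}" = "$want_type" ] || return 1
    opts=",${entry#* },"
    for o in "$@"; do
        case $opts in *",$o,"*) ;; *) return 1 ;; esac
    done
}

# audit_fstab FILE -> one line per check; exit status = number of failures.
audit_fstab() {
    fails=0
    for m in /tmp /log; do
        if has_opts "$1" "$m" tmpfs nodev nosuid
        then echo "ok   $m: tmpfs with nodev,nosuid"
        else echo "FAIL $m: expected tmpfs with nodev,nosuid"; fails=$((fails + 1))
        fi
    done
    if has_opts "$1" / ext4 data=journal
    then echo "ok   /: ext4 with data=journal"
    else echo "FAIL /: expected ext4 with data=journal"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample holding the three fstab entries from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
tmpfs   /tmp    tmpfs   nodev,nosuid,noatime,size=256M  0   0
tmpfs   /log    tmpfs   nodev,nosuid,noatime,size=256M  0   0
/dev/sda1  /               ext4    defaults,noatime,data=journal  0       1
EOF
audit_fstab "$sample"
rm -f "$sample"
```

On the Pi itself, call audit_fstab /etc/fstab after editing the file and before the reboot.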