Closed teusink closed 6 years ago
I looked into this and also observed the disk usage in these directories on my long(er) running Pi. And while partitioning these directories is really a good practice, it does not come by default with the standard Raspbian. And I did not want to interfere too much with the defaults.
To prevent the disk-space usage from getting out of hand, I created a topic in Maintenance to handle old files by deleting them. More here: https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md#keep-disk-usage-in-control
USB is a key factor that often comes into play with hacking attacks, especially on user endpoints. I consider this Pi not as an endpoint and, in the case of the Pi, I can come up with a multitude of uses that would require USB. Think of extra storage if you want to do more. A mitigating factor already in place is the Rootkit Hunter and the fact that you need physical access. So I keep them enabled.
I did not find any firewire stuff on the Pi. Perhaps a false-positive by Lynis.
Lynis - Look into improving file-system partitioning & usage (such as USB)
File-system partitioning
To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
USB-storage & Firewire
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] https://cisofy.com/controls/STRG-1840/
Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] https://cisofy.com/controls/STRG-1846/
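The two kinds of check behind the suggestions listed above, as an added example that is not part of the original issue and is not Lynis code: one function reports which of /home, /tmp and /var are not their own mount point, the other reports whether a storage driver is disabled in modprobe configuration. The function names are hypothetical, and the `blacklist` / `install ... /bin/true` patterns are the common ways to disable a module, assumed here rather than taken from the Lynis source.

```shell
#!/bin/sh
# Added example (not from the issue or from Lynis). Function names are hypothetical.

# unsplit_dirs [MOUNTS_FILE]
# Print each of /home /tmp /var that is NOT a separate mount point according
# to a /proc/mounts-format file (second field is the mount point).
unsplit_dirs() {
    mounts_file=${1:-/proc/mounts}
    for dir in /home /tmp /var; do
        if ! awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$mounts_file"; then
            printf '%s\n' "$dir"
        fi
    done
}

# module_disabled MODULE [CONF_DIR]
# Succeed if a *.conf file in CONF_DIR disables MODULE. modprobe treats "-"
# and "_" in module names as equivalent, so both sides are normalised.
# Note: "blacklist" only stops automatic loading (modprobe by name still
# works); an "install MODULE /bin/true" override blocks modprobe as well.
module_disabled() {
    conf_dir=${2:-/etc/modprobe.d}
    cat "$conf_dir"/*.conf 2>/dev/null | awk -v m="$1" '
        BEGIN { gsub(/-/, "_", m) }
        $1 ~ /^#/ { next }                      # skip comment lines
        { name = $2; gsub(/-/, "_", name) }
        name == m && $1 == "blacklist" { found = 1 }
        name == m && $1 == "install" && $3 ~ /\/(true|false)$/ { found = 1 }
        END { exit !found }'
}

# Report for the running system (defaults: /proc/mounts, /etc/modprobe.d).
for d in $(unsplit_dirs); do
    echo "FILE-6310: $d is not a separate mount point"
done
module_disabled usb-storage || echo "STRG-1840: usb-storage is not disabled"
```

On a Pi where USB storage is deliberately kept enabled, as in the comment above, the STRG-1840 line is expected output rather than a failure.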