We follow the CIS/Debian Benchmarks to harden the Linux installation on the Connector Box, using publicly available scripts. The level is set to 4 out of 5. The resulting audit log file is attached. Please note that its summary incorrectly mentions 1 failed test; the detailed listing shows that this is not the case.
The following exceptions are made due to system-specific considerations. Each exception is listed below together with an explanation:
2.1 - 2.16:
As the Raspbian image runs on an SD card that is preconfigured and optimized for storage capacity, and the target size of 4 GB should not be increased, additional partitions are not feasible. Furthermore, I/O operations are generally reduced to a minimum, so running out of disk space in the root partition should never occur anyway.
As the Connector Box has an ARM chipset, these optimizations can't be applied.
Neither postfix nor any other SMTP server is installed. The audit installs postfix, which is unwanted; this is countered by manually purging the package, but the check itself needs to be disabled.
Audit support is not implemented in the Debian kernel.
We don't want to forward logs from syslog-ng to an external host, so this needs to be disabled.
8.3.1 - 8.3.2:
We don't want to use tripwire, as the Connector Boxes are not meant to be connected to a tripwire management server yet.
The sshd service is removed completely after installation and hardening.