IMP(shellcheck): quote variables (SC2086)

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -57,7 +57,7 @@ apply() {
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
         remount_partition "$PARTITION"
     elif [ "$FNRET" = 3 ]; then

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -57,7 +57,7 @@ apply() {
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
         remount_partition "$PARTITION"
     elif [ "$FNRET" = 3 ]; then

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -57,7 +57,7 @@ apply() {
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
         remount_partition "$PARTITION"
     elif [ "$FNRET" = 3 ]; then

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PARTITION is correctly set"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
     fi
 }
 

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PARTITION is correctly set"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
     fi
 }
 

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PARTITION is correctly set"
     elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
     fi
 }
 

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -24,7 +24,7 @@ audit() {
     RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "All world writable directories have a sticky bit"

bin/hardening/1.4.3_root_password.sh

@@ -22,7 +22,7 @@ PATTERN="^root:[*\!]:"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
     if [ "$FNRET" != 1 ]; then
         crit "$PATTERN is present in $FILE"
     else
@@ -32,7 +32,7 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
     if [ "$FNRET" != 1 ]; then
         warn "$PATTERN is present in $FILE, please put a root password"
     else

bin/hardening/1.5.1_restrict_core_dumps.sh

@@ -27,14 +27,14 @@ SYSCTL_EXP_RESULT=0
 audit() {
     SEARCH_RES=0
     LIMIT_FILES=""
-    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
         for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
             LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
         done
     fi
     debug "Files to search $LIMIT_FILE $LIMIT_FILES"
     for file in $LIMIT_FILE $LIMIT_FILES; do
-        does_pattern_exist_in_file $file $LIMIT_PATTERN
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
         if [ "$FNRET" != 0 ]; then
             debug "$LIMIT_PATTERN not present in $file"
         else
@@ -58,7 +58,7 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
         add_end_of_file $LIMIT_FILE "* hard core 0"

bin/hardening/1.5.2_enable_nx_support.sh

@@ -35,7 +35,7 @@ nx_supported_and_enabled() {
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
     if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
         if [ "$FNRET" != 0 ]; then
@@ -50,7 +50,7 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
     if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
         if [ "$FNRET" != 0 ]; then

bin/hardening/2.2.1.2_configure_ntp.sh

@@ -32,13 +32,13 @@ audit() {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
         if [ "$FNRET" != 0 ]; then
             crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
         else
             ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
         fi
-        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
         if [ "$FNRET" != 0 ]; then
             crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
         else
@@ -54,10 +54,10 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
         info "Checking $PACKAGE configuration"
     fi
-    does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
         backup_file $NTP_CONF_FILE

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -45,7 +45,7 @@ apply() {
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.1.2_disable_send_packet_redirects.sh

@@ -24,8 +24,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_red
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -41,13 +41,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.1_disable_source_routed_packets.sh

@@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
-        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
@@ -42,13 +42,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.2_disable_icmp_redirect.sh

@@ -24,8 +24,8 @@ audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
         if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
 
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
@@ -43,13 +43,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.3_disable_secure_icmp_redirect.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.4_log_martian_packets.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martia
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.5_ignore_broadcast_requests.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.6_enable_bad_error_message_protection.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -45,7 +45,7 @@ apply() {
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.7_enable_source_route_validation.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.8_enable_tcp_syn_cookies.sh

@@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
@@ -45,7 +45,7 @@ apply() {
         has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
         if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             sysctl -w net.ipv4.route.flush=1 >/dev/null
         elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh

@@ -26,8 +26,8 @@ audit() {
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
@@ -48,13 +48,13 @@ apply() {
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
                 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
                 sysctl -w net.ipv4.route.flush=1 >/dev/null
             elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/3.3.1_install_tcp_wrapper.sh

@@ -36,7 +36,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
 }
 

bin/hardening/3.5_enable_firewall.sh

@@ -39,7 +39,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
 }
 

bin/hardening/3.7_disable_ipv6.sh

@@ -26,8 +26,8 @@ audit() {
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
@@ -48,13 +48,13 @@ apply() {
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
                 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
                 warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
             elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"

bin/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -28,8 +28,8 @@ audit() {
     else
         ok "$FILE exists, checking configuration"
         for AUDIT_OPTION in $OPTIONS; do
-            AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+            AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-            AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+            AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
             PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
             debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"

bin/hardening/4.1.2_enable_auditd.sh

@@ -43,7 +43,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         warn "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     is_service_enabled "$SERVICE_NAME"
     if [ "$FNRET" = 0 ]; then

bin/hardening/4.1.3_audit_bootloader.sh

@@ -28,11 +28,11 @@ audit() {
     else
         ok "$FILE exists, checking configuration"
         for GRUB_OPTION in $OPTIONS; do
-            GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
-            GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
             PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
             debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 crit "$PATTERN is not present in $FILE"
             else
@@ -47,25 +47,25 @@ apply() {
     does_file_exist $FILE
     if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
-        touch $FILE
+        touch "$FILE"
     else
         ok "$FILE exists"
     fi
     for GRUB_OPTION in $OPTIONS; do
-        GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
-        GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
         debug "$GRUB_PARAM should be set to $GRUB_VALUE"
         PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
             else
                 info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
             fi
         else
             ok "$PATTERN is present in $FILE"

bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh

@@ -136,7 +136,7 @@ check_config() {
         crit "$USER does not exist"
         exit 128
     fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
     if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
         exit 128

bin/hardening/4.2.3_install_syslog-ng.sh

@@ -37,7 +37,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
 }
 

bin/hardening/5.1.1_enable_cron.sh

@@ -43,7 +43,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
         is_service_enabled "$SERVICE_NAME"
         if [ "$FNRET" != 0 ]; then
             info "Enabling $SERVICE_NAME"

bin/hardening/5.1.8_cron_users.sh

@@ -26,7 +26,7 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for FILE in $FILES_ABSENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" = 0 ]; then
             crit "$FILE exists"
         else
@@ -34,7 +34,7 @@ audit() {
         fi
     done
     for FILE in $FILES_PRESENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
             crit "$FILE is absent"
         else
@@ -57,19 +57,19 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for FILE in $FILES_ABSENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" = 0 ]; then
             warn "$FILE exists"
-            rm $FILE
+            rm "$FILE"
         else
             ok "$FILE is absent"
         fi
     done
     for FILE in $FILES_PRESENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
             warn "$FILE is absent"
-            touch $FILE
+            touch "$FILE"
         fi
         has_file_correct_ownership "$FILE" "$USER" "$GROUP"
         if [ "$FNRET" = 0 ]; then

bin/hardening/5.2.10_disable_root_login.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.14_ssh_cry_mac.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file_nocase $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload >/dev/null 2>&1
         fi

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file_nocase $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload >/dev/null 2>&1
         fi
@@ -76,9 +76,9 @@ create_config() {
     get_debian_major_version
     set +u
     debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]] || [[ 7 -eq $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
         KEX='diffie-hellman-group-exchange-sha256'
-    elif [[ 8 -eq $DEB_MAJ_VER ]] || [[ 9 -eq $DEB_MAJ_VER ]]; then
+    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
         KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     else
         KEX='diffie-hellman-group-exchange-sha256'

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -30,10 +30,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -50,23 +50,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -29,8 +29,8 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.18_sshd_limit_access.sh

@@ -29,9 +29,9 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-            SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE)
+            SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -50,24 +50,24 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-        SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE)
+        SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi
@@ -89,19 +89,19 @@ EOF
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $ALLOWED_USERS ]; then
+    if [ -z "$ALLOWED_USERS" ]; then
         info "ALLOWED_USERS is not set, defaults to wildcard"
         ALLOWED_USERS="*"
     fi
-    if [ -z $ALLOWED_GROUPS ]; then
+    if [ -z "$ALLOWED_GROUPS" ]; then
         info "ALLOWED_GROUPS is not set, defaults to wildcard"
         ALLOWED_GROUPS="*"
     fi
-    if [ -z $DENIED_USERS ]; then
+    if [ -z "$DENIED_USERS" ]; then
         info "DENIED_USERS is not set, defaults to nobody"
         DENIED_USERS="nobody"
     fi
-    if [ -z $DENIED_GROUPS ]; then
+    if [ -z "$DENIED_GROUPS" ]; then
         info "DENIED_GROUPS is not set, defaults to nobody"
         DENIED_GROUPS="nobody"
     fi

bin/hardening/5.2.19_ssh_banner.sh

@@ -29,7 +29,7 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             PATTERN="^${SSH_PARAM}[[:space:]]*"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -48,20 +48,20 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present and activated"
             fi

bin/hardening/5.2.4_sshd_protocol.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload >/dev/null 2>&1
         fi

bin/hardening/5.2.5_sshd_loglevel.sh

@@ -30,8 +30,8 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
             does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
@@ -50,23 +50,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS_TO_APPLY; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file_nocase $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload >/dev/null 2>&1
         fi

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload >/dev/null 2>&1
         fi

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -29,10 +29,10 @@ audit() {
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -49,23 +49,23 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.3.1_enable_pwquality.sh

@@ -60,7 +60,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
     if [ "$FNRET" = 0 ]; then

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -52,7 +52,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
     if [ "$FNRET" = 0 ]; then

bin/hardening/5.3.3_limit_password_reuse.sh

@@ -44,7 +44,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     does_pattern_exist_in_file $FILE "$PATTERN"
     if [ "$FNRET" = 0 ]; then

bin/hardening/5.4.1.1_set_password_exp_days.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
         SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)

bin/hardening/5.4.1.2_set_password_min_days_change.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
         SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)

bin/hardening/5.4.1.3_set_password_exp_warning_days.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SHADOW_OPTION in $OPTIONS; do
         SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)

bin/hardening/5.4.3_default_root_group.sh

@@ -22,7 +22,7 @@ EXPECTED_GID='0'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+    if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then
         ok "Root group has GID $EXPECTED_GID"
     else
         crit "Root group GID should be $EXPECTED_GID"
@@ -31,7 +31,7 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+    if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then
         ok "Root group GID is $EXPECTED_GID"
     else
         warn "Root group GID is not $EXPECTED_GID -- Fixing"

bin/hardening/5.6_restrict_su.sh

@@ -44,7 +44,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     does_pattern_exist_in_file $FILE $PATTERN
     if [ "$FNRET" = 0 ]; then

bin/hardening/6.2.10_check_user_dot_file_perm.sh

@@ -23,14 +23,14 @@ ERRORS=0
 audit() {
     for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $DIR"
-        for FILE in $DIR/.[A-Za-z0-9]*; do
+        for FILE in "$DIR"/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+                FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                     crit "Group Write permission set on FILE $FILE"
                     ERRORS=$((ERRORS + 1))
                 fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
                     crit "Other Write permission set on FILE $FILE"
                     ERRORS=$((ERRORS + 1))
                 fi
@@ -46,14 +46,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-        for FILE in $DIR/.[A-Za-z0-9]*; do
+        for FILE in "$DIR"/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+                FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                     warn "Group Write permission set on FILE $FILE"
                     chmod g-w "$FILE" 
                 fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
                     warn "Other Write permission set on FILE $FILE"
                     chmod o-w "$FILE"
                 fi

bin/hardening/6.2.6_sanitize_root_path.sh

@@ -25,32 +25,32 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    if [ "$(echo $path | grep ::)" != "" ]; then
+    if [ "$(echo "$path" | grep ::)" != "" ]; then
         crit "Empty Directory in PATH (::)"
         ERRORS=$((ERRORS + 1))
     fi
-    if [ "$(echo $path | grep :$)" != "" ]; then
+    if [ "$(echo "$path" | grep :$)" != "" ]; then
         crit "Trailing : in PATH $path"
         ERRORS=$((ERRORS + 1))
     fi
-    FORMATTED_PATH=$(echo $path | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+    FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
     set -- $FORMATTED_PATH
     while [ "${1:-}" != "" ]; do
         if [ "$1" = "." ]; then
             crit "PATH contains ."
             ERRORS=$((ERRORS + 1))
         else
-            if [ -d $1 ]; then
+            if [ -d "$1" ]; then
-                dirperm=$(ls -ldH $1 | cut -f1 -d" ")
+                dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
-                if [ $(echo $dirperm | cut -c6) != "-" ]; then
+                if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                     crit "Group Write permission set on directory $1"
                     ERRORS=$((ERRORS + 1))
                 fi
-                if [ $(echo $dirperm | cut -c9) != "-" ]; then
+                if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                     crit "Other Write permission set on directory $1"
                     ERRORS=$((ERRORS + 1))
                 fi
-                dirown=$(ls -ldH $1 | awk '{print $3}')
+                dirown=$(ls -ldH "$1" | awk '{print $3}')
                 if [ "$dirown" != "root" ]; then
                     crit "$1 is not owned by root"
                     ERRORS=$((ERRORS + 1))

bin/hardening/6.2.8_check_user_dir_perm.sh

@@ -25,27 +25,27 @@ audit() {
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
-        if echo "$EXCEPTIONS" | grep -q $dir; then
+        if echo "$EXCEPTIONS" | grep -q "$dir"; then
             debug "$dir is confirmed as an exception"
             RESULT=$(sed "s!$dir!!" <<<"$RESULT")
         else
             debug "$dir not found in exceptions"
         fi
-        if [ -d $dir ]; then
+        if [ -d "$dir" ]; then
-            dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
-            if [ $(echo $dirperm | cut -c6) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                 crit "Group Write permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c8) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                 crit "Other Read permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c9) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                 crit "Other Write permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c10) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                 crit "Other Execute permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
@@ -64,27 +64,27 @@ apply() {
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
-        if echo "$EXCEPTIONS" | grep -q $dir; then
+        if echo "$EXCEPTIONS" | grep -q "$dir"; then
             debug "$dir is confirmed as an exception"
             RESULT=$(sed "s!$dir!!" <<<"$RESULT")
         else
             debug "$dir not found in exceptions"
         fi
-        if [ -d $dir ]; then
+        if [ -d "$dir" ]; then
-            dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
-            if [ $(echo $dirperm | cut -c6) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                 warn "Group Write permission set on directory $dir"
                 chmod g-w "$dir"
             fi
-            if [ $(echo $dirperm | cut -c8) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                 warn "Other Read permission set on directory $dir"
                 chmod o-r "$dir"
             fi
-            if [ $(echo $dirperm | cut -c9) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                 warn "Other Write permission set on directory $dir"
                 chmod o-w "$dir"
             fi
-            if [ $(echo $dirperm | cut -c10) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                 warn "Other Execute permission set on directory $dir"
                 chmod o-x "$dir"
             fi

bin/hardening/8.3.1_install_tripwire.sh

@@ -37,7 +37,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
         info "Tripwire is now installed but not fully functionnal, please see readme to go further"
     fi
 }

bin/hardening/99.5.1_ssh_auth_pubk_only.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)

bin/hardening/99.5.2.3_ssh_cry_rekey.sh

@@ -64,7 +64,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)

bin/hardening/99.5.3_ssh_disable_features.sh

@@ -48,7 +48,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)

bin/hardening/99.5.5_ssh_strict_modes.sh

@@ -47,7 +47,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)

bin/hardening/99.5.6_ssh_sys_accept_env.sh

@@ -44,7 +44,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     does_pattern_exist_in_file_nocase $FILE "$PATTERN"
     if [ "$FNRET" = 0 ]; then

bin/hardening/99.5.8_ssh_sys_sandbox.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)

bin/hardening/99.5.9_ssh_loglevel.sh

@@ -49,7 +49,7 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
     fi
     for SSH_OPTION in $OPTIONS; do
         SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)

bin/postinstall/tripwire.sh

@@ -10,7 +10,7 @@
 echo "Generating Site key file..."
 twadmin -m G -S /etc/tripwire/site.key # Generates Site key file
 echo "Generating Local key file..."
-twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key # Generate local key file
+twadmin -m G -S /etc/tripwire/"$(hostname -f)"-local.key # Generate local key file
 echo "Generating encrypted policy..."
 twadmin -m P /etc/tripwire/twpol.txt # Apply new policy with generated site key file
 echo "Generating Local database with newly created key..."