Add dealing with debian 11

* ADD: add dockerfile for debian11 * FIX: fix crontab file not found on debian11 blank * Add workflow for debian11 * FIX: fix debian version func to manage debian11 * Add dealing with unsupported version and distro * Add 99.99 check that check if distro version is supported * Use global var for debian major and distro fix #26
2024-11-22 05:27:01 +01:00 · 2021-02-08 13:54:24 +01:00 · 2021-02-08 13:54:24 +01:00 · 6ae05f3fa2
commit 6ae05f3fa2
parent 449c695415
24 changed files with 266 additions and 39 deletions
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -18,3 +18,10 @@ jobs:
        uses: actions/checkout@v2
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/MANUAL.md
+++ b/MANUAL.md
@ -124,6 +124,11 @@ will create a timestamped backup in this directory.
    captures all output to print only one line once the check is done, formatted like :
    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 `--allow-unsupported-distribution`
    Must be specified manually in the command line to allow the run on non compatible
    version or distribution. If you want to mute the warning change the LOGLEVEL
    in /etc/hardening.cfg
 # AUTHORS
--- a/README.md
+++ b/README.md
@ -44,7 +44,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
 hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
 1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
 1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
@ -123,6 +123,10 @@ Default value is : info
 ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
 before running the audit with user secaudit, to have the rights setup well on the conf files.
 ``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
 the run on non compatible version or distribution. If you want to mute the warning change the
 LOGLEVEL in /etc/hardening.cfg
 ## :computer: Hacking
 **Getting the source**
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -27,6 +27,7 @@ SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 usage() {
    cat <<EOF
@ -108,6 +109,11 @@ OPTIONS:
        captures all output to print only one line once the check is done, formatted like :
        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
    --allow-unsupported-distribution
        Must be specified manually in the command line to allow the run on non compatible
        version or distribution. If you want to mute the warning change the LOGLEVEL
        in /etc/hardening.cfg
 EOF
    exit 0
 }
@ -163,6 +169,9 @@ while [[ $# -gt 0 ]]; do
        BATCH_MODE='--batch'
        ASK_LOGLEVEL=ok
        ;;
    --allow-unsupported-distribution)
        ALLOW_UNSUPPORTED_DISTRIBUTION=1
        ;;
    -h | --help)
        usage
        ;;
@ -188,8 +197,7 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
-# shellcheck source=../lib/constants.sh
+
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
@ -197,6 +205,45 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=../lib/constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 if [ "$DISTRIBUTION" != "debian" ]; then
    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
        echo "Exiting now"
        exit 100
    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
    fi
 else
    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    fi
 fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@ -73,15 +73,12 @@ apply() {
 }
 create_config() {
    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
+    if [[ 7 -le "$DEB_MAJ_VER" ]]; then
        KEX='diffie-hellman-group-exchange-sha256'
    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    else
-        KEX='diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    fi
    set -u
    cat <<EOF
@ -89,6 +86,7 @@ status=audit
 # Put your KexAlgorithms
 OPTIONS="KexAlgorithms=$KEX"
 EOF
 }
 # This function will check config parameters required
--- a/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]]; then
        set -u
        crit "Cannot get Debian version. Aborting..."
        return
    fi
-    if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
        set -u
        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
        return
--- a/bin/hardening/99.99_check_distribution.sh
+++ b/bin/hardening/99.99_check_distribution.sh
@ -0,0 +1,65 @@
 #!/bin/bash
 # run-shellcheck
 #
 # OVH Security audit
 #
 #
 # 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Check the distribution and the distribution version"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$DISTRIBUTION" != "debian" ]; then
        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
    else
        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
            crit "Your distribution is too recent and is not yet supported."
        elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
            crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
        else
            ok "Your distribution is debian and the version is supported"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
    echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/debian/cis-hardening.8
+++ b/debian/cis-hardening.8
@ -136,6 +136,12 @@ Default value is : info
 While performing system audit, this option sets LOGLEVEL to `ok' and
 captures all output to print only one line once the check is done,
 formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
 .PP
 \f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
 the command line to allow the run on non compatible version or
 distribution.
 If you want to mute the warning change the LOGLEVEL in
 /etc/hardening.cfg
 .SH AUTHORS
 .IP \[bu] 2
 Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
--- a/lib/common.sh
+++ b/lib/common.sh
@ -113,31 +113,6 @@ sudo_wrapper() {
    fi
 }
 #
 # detect if container based on cgroup detection
 #
 is_running_in_container() {
    awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
 }
 CONTAINER_TYPE=""
 IS_CONTAINER=0
 if [ "$(is_running_in_container "docker")" != "" ]; then
    CONTAINER_TYPE="docker"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "lxc")" != "" ]; then
    CONTAINER_TYPE="lxc"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "kubepods")" != "" ]; then
    # shellcheck disable=SC2034
    CONTAINER_TYPE="kubepods"
    # shellcheck disable=SC2034
    IS_CONTAINER=1
 fi
 #
 # Math functions
 #
--- a/lib/constants.sh
+++ b/lib/constants.sh
@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
 BYELLOW='\033[1;33m' # Yellow
 # shellcheck disable=2034
 BWHITE='\033[1;37m' # White
 # Debian version variables
 CONTAINER_TYPE=""
 IS_CONTAINER=0
 if [ "$(is_running_in_container "docker")" != "" ]; then
    CONTAINER_TYPE="docker"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "lxc")" != "" ]; then
    CONTAINER_TYPE="lxc"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "kubepods")" != "" ]; then
    # shellcheck disable=SC2034
    CONTAINER_TYPE="kubepods"
    # shellcheck disable=SC2034
    IS_CONTAINER=1
 fi
 get_distribution
 get_debian_major_version
 # shellcheck disable=SC2034
 SMALLEST_SUPPORTED_DEBIAN_VERSION=9
 # shellcheck disable=SC2034
 HIGHEST_SUPPORTED_DEBIAN_VERSION=10
--- a/lib/main.sh
+++ b/lib/main.sh
@ -10,14 +10,15 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
-# shellcheck source=constants.sh
+
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -538,9 +538,33 @@ get_debian_major_version() {
    DEB_MAJ_VER=""
    does_file_exist /etc/debian_version
    if [ "$FNRET" = 0 ]; then
        if grep -q "sid" /etc/debian_version; then
            DEB_MAJ_VER="sid"
        else
            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
        fi
    else
        # shellcheck disable=2034
        DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
    fi
 }
 # Returns the distribution
 get_distribution() {
    DISTRIBUTION=""
    if [ -f /etc/os-release ]; then
        # shellcheck disable=2034
        DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
        FNRET=0
    else
        debug "Distribution not found !"
        FNRET=127
    fi
 }
 # Detect if container based on cgroup detection
 is_running_in_container() {
    awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
 }
--- a/tests/docker/Dockerfile.debian11
+++ b/tests/docker/Dockerfile.debian11
@ -0,0 +1,21 @@
 FROM debian:bullseye
 LABEL vendor="OVH"
 LABEL project="debian-cis"
 LABEL url="https://github.com/ovh/debian-cis"
 LABEL description="This image is used to run tests"
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
 COPY --chown=500:500 . /opt/debian-cis/
 COPY debian/default /etc/default/cis-hardening
 RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
 COPY cisharden.sudoers /etc/sudoers.d/secaudit
 RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
 ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
--- a/tests/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/tests/hardening/5.1.2_crontab_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabduser"
    local test_file="/etc/crontab"
    touch "$test_file"
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.hourly"
    touch "$test_file"
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.daily"
    touch "$test_file"
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.weekly"
    touch "$test_file"
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -10,6 +10,8 @@ test_audit() {
    local test_user="testcrontabuser"
    local test_file="/etc/cron.monthly"
    touch "$test_file"
    describe Tests purposely failing
    chmod 777 "$test_file"
    register_test retvalshouldbe 1
--- a/tests/hardening/99.99_check_distribution.sh
+++ b/tests/hardening/99.99_check_distribution.sh
@ -0,0 +1,16 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }