feat: add new checks for debian12

systemd_timesyncd_is_enabled_and_running.sh	-> 2.3.2.2
rpcbind_is_disabled.sh				-> 2.1.12
ftp_client_not_installed.sh			-> 2.2.6
chrony_with_chrony_user.sh			-> 2.3.3.2
ipv6_is_enabled.sh				-> 3.1.1

bin/hardening/chrony_with_chrony_user.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is running as user _chrony (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is running as user _chrony"
+FILE='/etc/chrony/chrony.conf'
+CHRONY_USER="_chrony"
+USER_PATTERN="^user"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    CHRONY_USER_VALID=0
+
+    local running_user=""
+    running_user=$($SUDO_CMD ps -ef | awk '/[c]hronyd/ { print $1 }')
+    if [ -z "$running_user" ]; then
+        CHRONY_USER_VALID=1
+        crit "chrony is not running"
+    elif [[ "$running_user" != "$CHRONY_USER" ]]; then
+        CHRONY_USER_VALID=1
+        crit "chrony is running as root"
+    else
+        ok "chrony is running as $CHRONY_USER"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+
+    if [ "$CHRONY_USER_VALID" -ne 0 ]; then
+        does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+        if [ "$FNRET" -eq 0 ]; then
+            sed -i '/'$USER_PATTERN'/d' "$FILE"
+        fi
+
+        add_end_of_file "$FILE" "user $CHRONY_USER"
+        info "$FILE modified, please restart the service"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_nfs_rpc.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 
-PACKAGES='rpcbind nfs-kernel-server'
+PACKAGES='nfs-kernel-server'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/ftp_client_not_installed.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ftp client is not installed (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure ftp client is not installed"
+PACKAGE='ftp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        # var will be reused in 'apply'
+        PACKAGE_INSTALLED=0
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is not installed"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$PACKAGE_INSTALLED" -eq 0 ]; then
+        apt remove -y "$PACKAGE"
+        apt purge -y "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ipv6_is_enabled.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure IPv6 status is identified (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IPv6 status is identified"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ]; then
+        ok "ipv6 is enabled"
+    else
+        crit "ipv6 is disabled"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    info "Enable or disable manually IPv6 in accordance with system requirements and local site policy"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/network_services_listening.sh

@@ -24,20 +24,22 @@ EXCEPTIONS=""
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    local is_valid=0
+    # shellcheck disable=2162
     while read i; do
         socket=$(echo "$i" | awk '{print $5}')
         proc=$(echo "$i" | awk '{print $7}' | awk -F ',' '{print $1}' | sed 's/users:((//')
-        [ -n "$socket" ] && info -e "$proc listening on \t$socket"
+        if [ -n "$socket" ]; then
+            info -e "$proc listening on \t$socket"
 
-        # output example :
-        # "ntpd" listening on 	127.0.0.1:123
-        # "ntpd" listening on 	0.0.0.0:123
+            # output example :
+            # "ntpd" listening on 	127.0.0.1:123
+            # "ntpd" listening on 	0.0.0.0:123
 
-        if grep -w "$socket" <<<"$EXCEPTIONS" >/dev/null; then
-            debug "$socket" is an exception
-        else
-            crit "$socket" is not an exception
+            if grep -w "$socket" <<<"$EXCEPTIONS" >/dev/null; then
+                debug "$socket" is an exception
+            else
+                crit "$socket" is not an exception
+            fi
         fi
 
     done <<<"$($SUDO_CMD ss -plntuH)"

bin/hardening/rpcbind_is_disabled.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure rpcbind services are not in use (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure rpcbind services are not in use."
+PACKAGE='rpcbind'
+SERVICE="rpcbind.service"
+SOCKET="rpcbind.socket"
+
+# 2 scenario here:
+# - rcpbind is a dependency for another package -> disable the service, disable the socket
+# - rpcbind is not a dependency for another package -> remove the package
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+    PACKAGE_IS_DEPENDENCY=1
+    SERVICE_ENABLED=1
+    SOCKET_ENABLED=1
+
+    is_pkg_installed "$PACKAGE"
+    [ "$FNRET" = 0 ] && PACKAGE_INSTALLED=0 # 0 means true in bash
+
+    is_pkg_a_dependency "$PACKAGE"
+    # dnsmasq is installed with dnsmasq-base, which
+    [ "$FNRET" = 0 ] && PACKAGE_IS_DEPENDENCY=0
+
+    is_service_enabled "$SERVICE"
+    [ "$FNRET" = 0 ] && SERVICE_ENABLED=0
+
+    is_socket_enabled "$SOCKET"
+    [ "$FNRET" = 0 ] && SOCKET_ENABLED=0
+
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency"
+
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        local active=1
+        [ "$SERVICE_ENABLED" -eq 0 ] && active=0 && crit "$SERVICE is enabled" && active=0
+        [ "$SOCKET_ENABLED" -eq 0 ] && active=0 && crit "$SOCKET_ENABLED is enabled"
+
+        [ "$active" -eq 1 ] && ok "$PACKAGE is not used"
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency, removing it"
+        apt_remove "$PACKAGE" -y
+        apt-get autoremove -y
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        if [ "$SERVICE_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SERVICE"
+            systemctl stop "$SERVICE"
+            systemctl mask "$SERVICE"
+        fi
+
+        if [ "$SOCKET_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SOCKET"
+            systemctl stop "$SOCKET"
+            systemctl mask "$SOCKET"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/systemd_timesyncd_is_enabled_and_running.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is enabled and running (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is enabled and running."
+PACKAGE="systemd-timesyncd"
+SERVICE="systemd-timesyncd.service"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    TIMESYNCD_INSTALLED=0
+    TIMESYNCD_ENABLED=0
+    TIMESYNCD_RUNNING=0
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_INSTALLED=1
+        crit "$PACKAGE is not installed"
+    fi
+    # no package, no need to check further
+    return
+
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_ENABLED=1
+        crit "$SERVICE is not enabled"
+    fi
+
+    is_service_active "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_RUNNING=1
+        crit "$SERVICE is not running"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$TIMESYNCD_INSTALLED" -eq 1 ]; then
+        warn "Please install $PACKAGE manually to ensure only one time synchronization system is installed"
+    fi
+
+    if [ "$TIMESYNCD_ENABLED" -eq 1 ]; then
+        info "Enabling $SERVICE service"
+        manage_service "enable" "$SERVICE"
+    fi
+
+    if [ "$TIMESYNCD_RUNNING" -eq 1 ]; then
+        info "Starting $SERVICE service"
+        manage_service "start" "$SERVICE"
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/use_time_sync.sh

@@ -25,7 +25,7 @@ audit() {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" -eq 0 ]; then
-            let count=$((count + 1))
+            count=$(("$count" + 1))
         fi
     done
     if [ "$count" -eq 0 ]; then