IMP(shellcheck): quoting harmless variables (SC2086)

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -23,8 +23,8 @@ MODULE_NAME="freevxfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -33,8 +33,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -23,8 +23,8 @@ MODULE_NAME="jffs2"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -33,8 +33,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -23,8 +23,8 @@ MODULE_FILE="hfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -33,8 +33,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -23,8 +23,8 @@ MODULE_FILE="hfsplus"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -33,8 +33,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.5_disable_udf.sh

@@ -23,8 +23,8 @@ MODULE_FILE="udf"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -33,8 +33,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.6_disable_cramfs.sh

@@ -23,8 +23,8 @@ MODULE_NAME="cramfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -34,8 +34,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.7_disable_squashfs.sh

@@ -23,8 +23,8 @@ MODULE_FILE="squashfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -34,8 +34,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.10_var_tmp_noexec.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3 
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi 
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.11_var_log_partition.sh

@@ -42,13 +42,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -41,13 +41,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -69,9 +69,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.13_home_partition.sh

@@ -42,13 +42,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.14_home_nodev.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -32,13 +32,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -51,18 +51,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -86,7 +86,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -32,13 +32,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -51,18 +51,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -86,7 +86,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -32,13 +32,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -51,18 +51,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -86,7 +86,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -33,7 +33,7 @@ audit () {
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
@@ -45,9 +45,9 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
     fi
@@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -33,7 +33,7 @@ audit () {
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
@@ -45,9 +45,9 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
     fi
@@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -33,7 +33,7 @@ audit () {
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
@@ -45,9 +45,9 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
     fi
@@ -71,9 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.22_disable_automounting.sh

@@ -22,8 +22,8 @@ SERVICE_NAME="autofs"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$SERVICE_NAME is enabled"
     else
         ok "$SERVICE_NAME is disabled"
@@ -33,8 +33,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         info "Disabling $SERVICE_NAME"
         update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
     else
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.2_tmp_partition.sh

@@ -42,13 +42,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -70,9 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.3_tmp_nodev.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3 
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi 
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.4_tmp_nosuid.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.5_tmp_noexec.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.6_var_partition.sh

@@ -44,13 +44,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.7_var_tmp_partition.sh

@@ -44,13 +44,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.8_var_tmp_nodev.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3 
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi 
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.9_var_tmp_nosuid.sh

@@ -31,13 +31,13 @@ audit () {
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
         if [ $FNRET -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
                 FNRET=3 
@@ -50,18 +50,18 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
         add_option_to_fstab $PARTITION $OPTION
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
     fi 
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.4.1_bootloader_ownership.sh

@@ -26,15 +26,15 @@ PERMISSIONS='400'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi 
 
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
@@ -43,20 +43,20 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         info "fixing $FILE ownership to $USER:$GROUP"
         chown $USER:$GROUP $FILE
     fi
 
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -64,22 +64,22 @@ apply () {
 check_config() {
 
     is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "Grub is not installed, not handling configuration"
         exit 128
     fi
     does_user_exist $USER
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$USER does not exist"
         exit 128
     fi
     does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
         exit 128
     fi
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         exit 128
     fi
@@ -97,9 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.4.2_bootloader_password.sh

@@ -24,13 +24,13 @@ PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$USER_PATTERN not present in $FILE"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
     does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PWD_PATTERN not present in $FILE"
     else
         ok "$PWD_PATTERN is present in $FILE"
@@ -40,13 +40,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$USER_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
     does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$PWD_PATTERN is present in $FILE"
@@ -57,11 +57,11 @@ apply () {
 # This function will check config parameters required
 check_config() {
     is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "grub-pc is not installed, not handling configuration"
         exit 128
     fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         exit 128
     fi
@@ -79,9 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.4.3_root_password.sh

@@ -23,7 +23,7 @@ PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
         crit "$PATTERN is present in $FILE"
     else
         ok "$PATTERN is not present in $FILE"
@@ -33,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
         warn "$PATTERN is present in $FILE, please put a root password"
     else
         ok "$PATTERN is not present in $FILE"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.1_restrict_core_dumps.sh

@@ -35,7 +35,7 @@ audit () {
     debug "Files to search $LIMIT_FILE $LIMIT_FILES"
     for file in $LIMIT_FILE $LIMIT_FILES; do
         does_pattern_exist_in_file $file $LIMIT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             debug "$LIMIT_PATTERN not present in $file"
         else
             ok "$LIMIT_PATTERN present in $file"
@@ -47,9 +47,9 @@ audit () {
         crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -59,17 +59,17 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
         add_end_of_file $LIMIT_FILE "* hard core 0"
     else
         ok "$LIMIT_PATTERN present in $LIMIT_FILE"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
         set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -94,9 +94,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.2_enable_nx_support.sh

@@ -36,9 +36,9 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
         else
             ok "NX is supported and enabled"
@@ -51,9 +51,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
         else
             ok "NX is supported and enabled"
@@ -80,9 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.3_enable_randomized_vm_placement.sh

@@ -22,10 +22,10 @@ SYSCTL_EXP_RESULT=2
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -34,11 +34,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
         set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.4_disable_prelink.sh

@@ -21,8 +21,8 @@ PACKAGE='prelink'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed!"
     else
         ok "$PACKAGE is absent"
@@ -32,11 +32,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed, purging it"
         /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
         apt-get autoremove
     else
         ok "$PACKAGE is absent"
@@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -21,8 +21,8 @@ PACKAGE='apparmor'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is absent!"
     else
         ok "$PACKAGE is installed"
@@ -50,8 +50,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
     else
         ok "$PACKAGE is installed"
@@ -97,9 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.1_remove_os_info_motd.sh

@@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PATTERN is present in $FILE"
     else
         ok "$PATTERN is not present in $FILE"
@@ -33,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         warn "$PATTERN is present in $FILE"
         delete_line_in_file $FILE $PATTERN
     else
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.2_remove_os_info_issue.sh

@@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PATTERN is present in $FILE"
     else
         ok "$PATTERN is not present in $FILE"
@@ -33,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         warn "$PATTERN is present in $FILE"
         delete_line_in_file $FILE $PATTERN
     else
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.3_remove_os_info_issue_net.sh

@@ -23,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PATTERN is present in $FILE"
     else
         ok "$PATTERN is not present in $FILE"
@@ -33,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         warn "$PATTERN is present in $FILE"
         delete_line_in_file $FILE $PATTERN
     else
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.4_motd_perms.sh

@@ -25,18 +25,18 @@ FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         continue
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
@@ -46,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch $FILE
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         warn "fixing $FILE ownership to $USER:$GROUP"
         chown $USER:$GROUP $FILE
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.5_etc_issue_perms.sh

@@ -25,18 +25,18 @@ FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         continue
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
@@ -46,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch $FILE
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         warn "fixing $FILE ownership to $USER:$GROUP"
         chown $USER:$GROUP $FILE
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.1.6_etc_issue_net_perms.sh

@@ -25,18 +25,18 @@ FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         continue
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
@@ -46,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch $FILE
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         warn "fixing $FILE ownership to $USER:$GROUP"
         chown $USER:$GROUP $FILE
     fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.7.2_graphical_warning_banners.sh

@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.8_install_updates.sh

@@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.1.1_disable_xinetd.sh

@@ -21,8 +21,8 @@ PACKAGE='xinetd'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed"
     else
         ok "$PACKAGE is absent"
@@ -31,10 +31,10 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         warn "$PACKAGE is installed, purging"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
         apt-get autoremove
     else
         ok "$PACKAGE is absent"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.1.2_disable_bsd_inetd.sh

@@ -22,8 +22,8 @@ PACKAGES='openbsd-inetd inetutils-inetd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -34,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -23,8 +23,8 @@ PACKAGES="ntp chrony"
 audit () {
     FOUND=false
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             ok "Time synchronization is available through $PACKAGE"
             FOUND=true
         fi
@@ -57,9 +57,9 @@ fi
 
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.1.2_configure_ntp.sh

@@ -27,19 +27,19 @@ NTP_INIT_FILE='/etc/init.d/ntp'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed, checking configuration"
         does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
         else
             ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
         fi
         does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
         else
             ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
@@ -49,8 +49,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             ok "$PACKAGE is installed"
         else
             crit "$PACKAGE is absent, installing it"
@@ -58,7 +58,7 @@ apply () {
             info "Checking $PACKAGE configuration"
         fi
         does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
             backup_file $NTP_CONF_FILE
             add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
@@ -66,7 +66,7 @@ apply () {
             ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
         fi
         does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
             backup_file $NTP_INIT_FILE
             add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" 
@@ -92,9 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -25,13 +25,13 @@ CONF_FILE='/etc/chrony/chrony.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed, checking configuration"
         does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
         else
             ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
@@ -61,9 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.10_disable_http_server.sh

@@ -25,8 +25,8 @@ PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -37,10 +37,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -25,8 +25,8 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -37,10 +37,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.12_disable_samba.sh

@@ -25,15 +25,15 @@ SERVICE='smbd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
         fi
     done
     is_service_enabled $SERVICE
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "Service $SERVICE is enabled!"
     else
         ok "Service $SERVICE is disabled"
@@ -43,17 +43,17 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
     done
     is_service_enabled $SERVICE
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "Service $SERVICE is enabled!"
         systemctl disable $SERVICE
     else
@@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -24,8 +24,8 @@ PACKAGES='squid3 squid'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -24,8 +24,8 @@ PACKAGES='snmpd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.15_mta_localhost.sh

@@ -73,9 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.16_disable_rsync.sh

@@ -26,13 +26,13 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed"
     else
         ok "$PACKAGE is installed, checking configuration"
         does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
         else
             ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@@ -42,13 +42,13 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed"
     else
         ok "$PACKAGE is installed, checking configuration"
         does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
             backup_file $RSYNC_DEFAULT_FILE
             replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
@@ -75,9 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.18_disable_telnet_server.sh

@@ -27,15 +27,15 @@ PATTERN='^telnet'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, checking configuration"
             does_file_exist $FILE
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 ok "$FILE does not exist"
             else
                 does_pattern_exist_in_file $FILE $PATTERN
-                if [ $FNRET = 0 ]; then
+                if [ "$FNRET" = 0 ]; then
                     crit "$PATTERN exists, $PACKAGE services are enabled!"
                 else
                     ok "$PATTERN is not present in $FILE"
@@ -50,21 +50,21 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
         fi
         does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             ok "$FILE does not exist"
         else
             info "$FILE exists, checking patterns"
             does_pattern_exist_in_file $FILE $PATTERN
-            if [ $FNRET = 0 ]; then
+            if [ "$FNRET" = 0 ]; then
                 warn "$PATTERN is present in $FILE, purging it"
                 backup_file $FILE
                 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
@@ -93,9 +93,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -25,8 +25,8 @@ PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -37,10 +37,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -22,8 +22,8 @@ PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -34,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.4_disable_print_server.sh

@@ -24,8 +24,8 @@ PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-comm
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.5_disable_dhcp.sh

@@ -24,8 +24,8 @@ PACKAGES='udhcpd isc-dhcp-server'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.6_disable_ldap.sh

@@ -24,8 +24,8 @@ PACKAGES='slapd'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -24,8 +24,8 @@ PACKAGES='rpcbind nfs-kernel-server'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.8_disable_dns_server.sh

@@ -24,8 +24,8 @@ PACKAGES='bind9 unbound'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -36,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -64,9 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.9_disable_ftp.sh

@@ -25,8 +25,8 @@ PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd prof
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -37,10 +37,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -65,9 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.1_disable_nis.sh

@@ -21,8 +21,8 @@ PACKAGE='nis'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed!"
     else
         ok "$PACKAGE is absent"
@@ -32,10 +32,10 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
         apt-get autoremove -y
     else
         ok "$PACKAGE is absent"
@@ -59,9 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -23,8 +23,8 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -35,10 +35,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -63,9 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.3_disable_talk_client.sh

@@ -22,8 +22,8 @@ PACKAGES='talk inetutils-talk'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -34,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -22,8 +22,8 @@ PACKAGES='telnet'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -34,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -22,8 +22,8 @@ PACKAGES='ldap-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -34,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
@@ -62,9 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -26,11 +26,11 @@ SYSCTL_EXP_RESULT=0
 audit () {
     for SYSCTL_PARAM in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     for SYSCTL_PARAM in $SYSCTL_PARAMS; do
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.1.2_disable_send_packet_redirects.sh

@@ -27,10 +27,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -44,12 +44,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -74,9 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.1_disable_source_routed_packets.sh

@@ -23,14 +23,14 @@ SYSCTL_PARAMS=''
 audit () {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -45,12 +45,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -83,9 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.2_disable_icmp_redirect.sh

@@ -23,15 +23,15 @@ SYSCTL_PARAMS=''
 audit () {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -46,12 +46,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -84,9 +84,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.3_disable_secure_icmp_redirect.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.4_log_martian_packets.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.5_ignore_broadcast_requests.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist --Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.6_enable_bad_error_message_protection.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.7_enable_source_route_validation.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.8_enable_tcp_syn_cookies.sh

@@ -25,10 +25,10 @@ audit () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -42,12 +42,12 @@ apply () {
         SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
         SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
             set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh

@@ -22,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -44,19 +44,19 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
                 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
                 sysctl -w net.ipv4.route.flush=1 > /dev/null
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -82,9 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.3.1_install_tcp_wrapper.sh

@@ -21,8 +21,8 @@ PACKAGE='tcpd'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
@@ -31,8 +31,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             ok "$PACKAGE is installed"
         else
             crit "$PACKAGE is absent, installing it"
@@ -57,9 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.3.2_hosts_allow.sh

@@ -22,7 +22,7 @@ FILE='/etc/hosts.allow'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exist"
@@ -32,7 +32,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
         warn "You may want to fill it with allowed networks"
@@ -58,9 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.3.3_hosts_deny.sh

@@ -23,12 +23,12 @@ PATTERN='ALL: ALL'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
         does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in $FILE, we have to deny everything"
         else
             ok "$PATTERN is present in $FILE"
@@ -39,14 +39,14 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
     else
         ok "$FILE exists"
     fi
     does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PATTERN is not present in $FILE, we have to deny everything"
         add_end_of_file $FILE "$PATTERN"
         warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.3.4_hosts_allow_permissions.sh

@@ -24,14 +24,14 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
@@ -40,12 +40,12 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -66,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.3.5_hosts_deny_permissions.sh

@@ -24,14 +24,14 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
     fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         crit "$FILE ownership was not set to $USER:$GROUP"
@@ -40,12 +40,12 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
         info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
     fi
 }
 
@@ -66,9 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.4.1_disable_dccp.sh

@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.4.2_disable_sctp.sh

@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.4.3_disable_rds.sh

@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.4.4_disable_tipc.sh

@@ -44,9 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh

@@ -23,7 +23,7 @@ FW_POLICY="DROP"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
@@ -73,7 +73,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.5_enable_firewall.sh

@@ -24,8 +24,8 @@ PACKAGE='iptables'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
@@ -34,8 +34,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             ok "$PACKAGE is installed"
         else
             crit "$PACKAGE is absent, installing it"
@@ -60,9 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.6_disable_wireless.sh

@@ -56,9 +56,9 @@ fi
 #fi 
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.7_disable_ipv6.sh

@@ -22,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -44,19 +44,19 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
                 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
                 warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                 warn "$SYSCTL_PARAM does not exist -- Typo?"
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -82,9 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.1.1_audit_log_storage.sh

@@ -24,12 +24,12 @@ VALUE=5
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
         does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in $FILE"
         else
             ok "$PATTERN is present in $FILE"
@@ -40,14 +40,14 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
     else
         ok "$FILE exists"
     fi
     does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$PATTERN is not present in $FILE, adding it"
         add_end_of_file $FILE "$PATTERN = $VALUE"
     else
@@ -72,9 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -23,7 +23,7 @@ OPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
@@ -33,7 +33,7 @@ audit () {
         PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
         debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in $FILE"
         else
             ok "$PATTERN is present in $FILE"
@@ -45,7 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
     else
@@ -57,10 +57,10 @@ apply () {
         debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
         PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
                 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
             else
@@ -99,9 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.1.3_keep_all_audit_logs.sh

@@ -23,7 +23,7 @@ OPTIONS='max_log_file_action=keep_logs'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
@@ -33,7 +33,7 @@ audit () {
         PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
         debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in $FILE"
         else
             ok "$PATTERN is present in $FILE"
@@ -45,7 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
     else
@@ -57,10 +57,10 @@ apply () {
         debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
         PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
         does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" 
                 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
             else
@@ -90,9 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.10_record_dac_edit.sh

@@ -36,7 +36,7 @@ audit () {
         IFS=$d_IFS
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
         IFS=$c_IFS
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$AUDIT_VALUE is not in file $FILE"
         else
             ok "$AUDIT_VALUE is present in $FILE"
@@ -51,7 +51,7 @@ apply () {
     for AUDIT_VALUE in $AUDIT_PARAMS; do
         debug "$AUDIT_VALUE should be in file $FILE"
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$AUDIT_VALUE is not in file $FILE, adding it"
             add_end_of_file $FILE $AUDIT_VALUE
             eval $(pkill -HUP -P 1 auditd)
@@ -78,9 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.11_record_failed_access_file.sh

@@ -34,7 +34,7 @@ audit () {
         IFS=$d_IFS
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
         IFS=$c_IFS
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$AUDIT_VALUE is not in file $FILE"
         else
             ok "$AUDIT_VALUE is present in $FILE"
@@ -49,7 +49,7 @@ apply () {
     for AUDIT_VALUE in $AUDIT_PARAMS; do
         debug "$AUDIT_VALUE should be in file $FILE"
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$AUDIT_VALUE is not in file $FILE, adding it"
             add_end_of_file $FILE $AUDIT_VALUE
             eval $(pkill -HUP -P 1 auditd)
@@ -76,9 +76,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/4.1.12_record_privileged_commands.sh

@@ -35,7 +35,7 @@ audit () {
         IFS=$d_IFS
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
         IFS=$c_IFS
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$AUDIT_VALUE is not in file $FILE"
         else
             ok "$AUDIT_VALUE is present in $FILE"
@@ -50,7 +50,7 @@ apply () {
     for AUDIT_VALUE in $AUDIT_PARAMS; do
         debug "$AUDIT_VALUE should be in file $FILE"
         does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             warn "$AUDIT_VALUE is not in file $FILE, adding it"
             add_end_of_file $FILE $AUDIT_VALUE
             eval $(pkill -HUP -P 1 auditd)
@@ -77,9 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
 # shellcheck source=../../lib/main.sh
-    . $CIS_ROOT_DIR/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128