add hardening templating and several enhancements

2025-06-23 19:14:34 +02:00 · 2017-05-18 18:40:09 +02:00
parent 78569b5583
commit dfaf4c2093
386 changed files with 701 additions and 449 deletions
--- a/bin/hardening/1.1_install_updates.sh
+++ b/bin/hardening/1.1_install_updates.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if apt needs an update"
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGE='login'
 OPTIONS='PASS_MAX_DAYS=90'
 FILE='/etc/login.defs'
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGE='login'
 OPTIONS='PASS_MIN_DAYS=7'
 FILE='/etc/login.defs'
--- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGE='login'
 OPTIONS='PASS_WARN_AGE=7'
 FILE='/etc/login.defs'
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 SHELL='/bin/false'
 FILE='/etc/passwd'
 RESULT=''
@ -70,6 +72,15 @@ apply () {
    fi
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    if [ -z "$EXCEPTIONS" ]; then
--- a/bin/hardening/10.3_default_root_group.sh
+++ b/bin/hardening/10.3_default_root_group.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 USER='root'
 EXPECTED_GID='0'

--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 USER='root'
 PATTERN='umask 077'
 FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
--- a/bin/hardening/10.5_lock_inactive_user_account.sh
+++ b/bin/hardening/10.5_lock_inactive_user_account.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 FILES='/etc/motd /etc/issue /etc/issue.net'
 PATTERN='(\\v|\\r|\\m|\\s)'

--- a/bin/hardening/11.3_graphical_warning_banners.sh
+++ b/bin/hardening/11.3_graphical_warning_banners.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Not implemented yet"
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are suid files"
@ -35,6 +37,15 @@ apply () {
    info "Removing suid on valid binary may seriously harm your system, report only here"
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=disabled
+# Put Here your valid suid binaries so that they do not appear during the audit
+EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    # No param for this function
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are sgid files"
@ -35,6 +37,15 @@ apply () {
    info "Removing sgid on valid binary may seriously harm your system, report only here"
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=disabled
+# Put here valid binaries with sgid enabled separated by spaces
+EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    if [ -z "$EXCEPTIONS" ]; then
--- a/bin/hardening/12.1_etc_passwd_permissions.sh
+++ b/bin/hardening/12.1_etc_passwd_permissions.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/passwd'
 PERMISSIONS='644'

--- a/bin/hardening/12.2_etc_shadow_permissions.sh
+++ b/bin/hardening/12.2_etc_shadow_permissions.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/shadow'
 PERMISSIONS='640'

--- a/bin/hardening/12.3_etc_group_permissions.sh
+++ b/bin/hardening/12.3_etc_group_permissions.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/group'
 PERMISSIONS='644'

--- a/bin/hardening/12.4_etc_passwd_ownership.sh
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/passwd'
 USER='root'
 GROUP='root'
--- a/bin/hardening/12.5_etc_shadow_ownership.sh
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/shadow'
 USER='root'
 GROUP='shadow'
--- a/bin/hardening/12.6_etc_group_ownership.sh
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/group'
 USER='root'
 GROUP='root'
--- a/bin/hardening/12.7_find_world_writable_file.sh
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are world writable files"
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 USER='root'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.10_find_user_rhosts_files.sh
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0
 FILENAME=".rhosts"

--- a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
+++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.12_users_valid_homedir.sh
+++ b/bin/hardening/13.12_users_valid_homedir.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.14_check_duplicate_uid.sh
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.15_check_duplicate_gid.sh
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.16_check_duplicate_username.sh
+++ b/bin/hardening/13.16_check_duplicate_username.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.17_check_duplicate_groupname.sh
+++ b/bin/hardening/13.17_check_duplicate_groupname.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.18_find_user_netrc_files.sh
+++ b/bin/hardening/13.18_find_user_netrc_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0
 FILENAME='.netrc'

--- a/bin/hardening/13.19_find_user_forward_files.sh
+++ b/bin/hardening/13.19_find_user_forward_files.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0
 FILENAME='.forward'

--- a/bin/hardening/13.1_remove_empty_password_field.sh
+++ b/bin/hardening/13.1_remove_empty_password_field.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/shadow'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.20_shadow_group_empty.sh
+++ b/bin/hardening/13.20_shadow_group_empty.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 ERRORS=0
 FILEGROUP='/etc/group'
 PATTERN='^shadow:x:[[:digit:]]+:'
--- a/bin/hardening/13.2_remove_legacy_passwd_entries.sh
+++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/passwd'
 RESULT=''

--- a/bin/hardening/13.3_remove_legacy_shadow_entries.sh
+++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/shadow'
 RESULT=''

--- a/bin/hardening/13.4_remove_legacy_group_entries.sh
+++ b/bin/hardening/13.4_remove_legacy_group_entries.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 FILE='/etc/group'
 RESULT=''

--- a/bin/hardening/13.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/passwd'
 RESULT=''

@ -33,7 +35,7 @@ audit () {
        crit "Some accounts have uid 0"
        crit $RESULT
    else
-        ok "No account with uid 0 apart root"
+        ok "No account with uid 0 appart from root and potential configured exceptions"
    fi
 }

@ -42,6 +44,15 @@ apply () {
    info "Removing accounts with uid 0 may seriously harm your system, report only here"
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=disabled
+# Put here valid accounts with uid 0 separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    if [ -z "$EXCEPTIONS" ]; then
--- a/bin/hardening/13.6_sanitize_root_path.sh
+++ b/bin/hardening/13.6_sanitize_root_path.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.7_check_user_dir_perm.sh
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
@ -86,6 +88,15 @@ apply () {
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=disabled
+# Put here user home directories exceptions, separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    if [ -z "$EXCEPTIONS" ]; then
--- a/bin/hardening/13.8_check_user_dot_file_perm.sh
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PERMISSIONS="600"
 ERRORS=0

--- a/bin/hardening/2.10_home_nodev.sh
+++ b/bin/hardening/2.10_home_nodev.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 OPTION="nodev"
--- a/bin/hardening/2.11_removable_device_nodev.sh
+++ b/bin/hardening/2.11_removable_device_nodev.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

 # Quick factoring as many script use the same logic
--- a/bin/hardening/2.12_removable_device_noexec.sh
+++ b/bin/hardening/2.12_removable_device_noexec.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

 # Quick factoring as many script use the same logic
--- a/bin/hardening/2.13_removable_device_nosuid.sh
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

 # Quick factoring as many script use the same logic
--- a/bin/hardening/2.14_run_shm_nodev.sh
+++ b/bin/hardening/2.14_run_shm_nodev.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nodev"
--- a/bin/hardening/2.15_run_shm_nosuid.sh
+++ b/bin/hardening/2.15_run_shm_nosuid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nosuid"
--- a/bin/hardening/2.16_run_shm_noexec.sh
+++ b/bin/hardening/2.16_run_shm_noexec.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="noexec"
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if setuid is set on world writable Directories"
--- a/bin/hardening/2.18_disable_cramfs.sh
+++ b/bin/hardening/2.18_disable_cramfs.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="cramfs"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_CRAMFS"
+MODULE_NAME="cramfs"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.19_disable_freevxfs.sh
+++ b/bin/hardening/2.19_disable_freevxfs.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="freevxfs"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_VXFS_FS"
+MODULE_NAME="freevxfs"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.1_tmp_partition.sh
+++ b/bin/hardening/2.1_tmp_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

--- a/bin/hardening/2.20_disable_jffs2.sh
+++ b/bin/hardening/2.20_disable_jffs2.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="jffs2"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_JFFS2_FS"
+MODULE_NAME="jffs2"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.21_disable_hfs.sh
+++ b/bin/hardening/2.21_disable_hfs.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="hfs"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_HFS_FS"
+MODULE_FILE="hfs"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.22_disable_hfsplus.sh
+++ b/bin/hardening/2.22_disable_hfsplus.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="hfsplus"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_HFSPLUS_FS"
+MODULE_FILE="hfsplus"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.23_disable_squashfs.sh
+++ b/bin/hardening/2.23_disable_squashfs.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="squashfs"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_SQUASHFS"
+MODULE_FILE="squashfs"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.24_disable_udf.sh
+++ b/bin/hardening/2.24_disable_udf.sh
@ -11,13 +11,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
-KERNEL_OPTION="udf"
+HARDENING_LEVEL=2
+
+KERNEL_OPTION="CONFIG_UDF_FS"
+MODULE_FILE="udf"


 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 SERVICE_NAME="autofs"

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nodev"
--- a/bin/hardening/2.3_tmp_nosuid.sh
+++ b/bin/hardening/2.3_tmp_nosuid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nosuid"
--- a/bin/hardening/2.4_tmp_noexec.sh
+++ b/bin/hardening/2.4_tmp_noexec.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="noexec"
--- a/bin/hardening/2.5_var_partition.sh
+++ b/bin/hardening/2.5_var_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/var"

--- a/bin/hardening/2.6.1_var_tmp_partition.sh
+++ b/bin/hardening/2.6.1_var_tmp_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

--- a/bin/hardening/2.6.2_var_tmp_nodev.sh
+++ b/bin/hardening/2.6.2_var_tmp_nodev.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nodev"
--- a/bin/hardening/2.6.3_var_tmp_nosuid.sh
+++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nosuid"
--- a/bin/hardening/2.6.4_var_tmp_noexec.sh
+++ b/bin/hardening/2.6.4_var_tmp_noexec.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="noexec"
--- a/bin/hardening/2.7_var_log_partition.sh
+++ b/bin/hardening/2.7_var_log_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"

--- a/bin/hardening/2.8_var_log_audit_partition.sh
+++ b/bin/hardening/2.8_var_log_audit_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=4
+
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"

--- a/bin/hardening/2.9_home_partition.sh
+++ b/bin/hardening/2.9_home_partition.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 # Quick factoring as many script use the same logic
 PARTITION="/home"

--- a/bin/hardening/3.1_bootloader_ownership.sh
+++ b/bin/hardening/3.1_bootloader_ownership.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 # Assertion : Grub Based.

 FILE='/boot/grub/grub.cfg'
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=1
+
 # Assertion : Grub Based.

 FILE='/boot/grub/grub.cfg'
--- a/bin/hardening/3.3_bootloader_password.sh
+++ b/bin/hardening/3.3_bootloader_password.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"
--- a/bin/hardening/3.4_root_password.sh
+++ b/bin/hardening/3.4_root_password.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"

--- a/bin/hardening/4.1_restrict_core_dumps.sh
+++ b/bin/hardening/4.1_restrict_core_dumps.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 LIMIT_FILE='/etc/security/limits.conf'
 LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
 SYSCTL_PARAM='fs.suid_dumpable'
--- a/bin/hardening/4.2_enable_nx_support.sh
+++ b/bin/hardening/4.2_enable_nx_support.sh
@ -11,13 +11,34 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'

+# Check if the NX bit is supported and noexec=off hasn't been asked
+nx_supported_and_enabled() {
+    if grep -q ' nx ' /proc/cpuinfo; then
+        # NX supported, but if noexec=off specified, it's not enabled
+        if grep -qi 'noexec=off' /proc/cmdline; then
+            FNRET=1 # supported but disabled
+        else
+            FNRET=0 # supported and enabled
+        fi
+    else
+        FNRET=1 # not supported
+    fi
+}
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    does_pattern_exist_in_dmesg $PATTERN
    if [ $FNRET != 0 ]; then
-        crit "$PATTERN is not present in dmesg"
+        nx_supported_and_enabled
+        if [ $FNRET != 0 ]; then
+            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+        else
+            ok "NX is supported and enabled"
+        fi
    else
        ok "$PATTERN is present in dmesg"
    fi
@ -27,7 +48,12 @@ audit () {
 apply () {
    does_pattern_exist_in_dmesg $PATTERN
    if [ $FNRET != 0 ]; then
-        crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
+        nx_supported_and_enabled
+        if [ $FNRET != 0 ]; then
+            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+        else
+            ok "NX is supported and enabled"
+        fi
    else
        ok "$PATTERN is present in dmesg"
    fi
--- a/bin/hardening/4.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2

--- a/bin/hardening/4.4_disable_prelink.sh
+++ b/bin/hardening/4.4_disable_prelink.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PACKAGE='prelink'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/4.5_enable_apparmor.sh
+++ b/bin/hardening/4.5_enable_apparmor.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGE='apparmor'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/5.1.1_disable_nis.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGE='nis'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Based on aptitude search '~Prsh-server'
 PACKAGES='rsh-server rsh-redone-server heimdal-servers'
 FILE='/etc/inetd.conf'
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/5.1.3_disable_rsh_client.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'

--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PACKAGES='inetutils-talkd talkd'
 FILE='/etc/inetd.conf'
 PATTERN='^(talk|ntalk)'
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/5.1.5_disable_talk_client.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PACKAGES='talk inetutils-talk'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 # Based on  aptitude search '~Ptelnet-server'
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
 FILE='/etc/inetd.conf'
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 PACKAGES='tftpd tftpd-hpa atftpd'
 FILE='/etc/inetd.conf'
 PATTERN='^tftp'
--- a/bin/hardening/5.1.8_disable_inetd.sh
+++ b/bin/hardening/5.1.8_disable_inetd.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+
 PACKAGES='openbsd-inetd xinetd rlinetd'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/5.2_disable_chargen.sh
+++ b/bin/hardening/5.2_disable_chargen.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/inetd.conf'
 PATTERN='^chargen'

--- a/bin/hardening/5.3_disable_daytime.sh
+++ b/bin/hardening/5.3_disable_daytime.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/inetd.conf'
 PATTERN='^daytime'

--- a/bin/hardening/5.4_disable_echo.sh
+++ b/bin/hardening/5.4_disable_echo.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/inetd.conf'
 PATTERN='^echo'

--- a/bin/hardening/5.5_disable_discard.sh
+++ b/bin/hardening/5.5_disable_discard.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/inetd.conf'
 PATTERN='^discard'

--- a/bin/hardening/5.6_disable_time.sh
+++ b/bin/hardening/5.6_disable_time.sh
@ -11,6 +11,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=2
+
 FILE='/etc/inetd.conf'
 PATTERN='^time'

--- a/bin/hardening/6.10_disable_http_server.sh
+++ b/bin/hardening/6.10_disable_http_server.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=http
+
 # Based on aptitude search '~Phttpd'
 PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'

--- a/bin/hardening/6.11_disable_imap_pop.sh
+++ b/bin/hardening/6.11_disable_imap_pop.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=mail
+
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
 PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'

--- a/bin/hardening/6.12_disable_samba.sh
+++ b/bin/hardening/6.12_disable_samba.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=samba
+
 PACKAGES='samba'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/6.13_disable_http_proxy.sh
+++ b/bin/hardening/6.13_disable_http_proxy.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=http
+
 PACKAGES='squid3 squid'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/6.14_disable_snmp_server.sh
+++ b/bin/hardening/6.14_disable_snmp_server.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=snmp
+
 PACKAGES='snmpd'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/6.15_mta_localhost.sh
+++ b/bin/hardening/6.15_mta_localhost.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=mail
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking netport ports opened"
--- a/bin/hardening/6.16_disable_rsync.sh
+++ b/bin/hardening/6.16_disable_rsync.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=rsync
+
 PACKAGE='rsync'
 RSYNC_DEFAULT_PATTERN='RSYNC_ENABLE=false'
 RSYNC_DEFAULT_FILE='/etc/default/rsync'
--- a/bin/hardening/6.1_disable_xwindow_system.sh
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@ -11,6 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=x11
+
 # Based on aptitude search '~Pxserver'
 PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'

--- a/Show More
+++ b/Show More