Renumber special purpose services 6.x

new file:   bin/hardening/2.2.1.1_use_time_sync.sh
	renamed:    bin/hardening/6.5_configure_ntp.sh -> bin/hardening/2.2.1.2_configure_ntp.sh
	new file:   bin/hardening/2.2.1.3_configure_chrony.sh
	renamed:    bin/hardening/6.10_disable_http_server.sh -> bin/hardening/2.2.10_disable_http_server.sh
	renamed:    bin/hardening/6.11_disable_imap_pop.sh -> bin/hardening/2.2.11_disable_imap_pop.sh
	renamed:    bin/hardening/6.12_disable_samba.sh -> bin/hardening/2.2.12_disable_samba.sh
	renamed:    bin/hardening/6.13_disable_http_proxy.sh -> bin/hardening/2.2.13_disable_http_proxy.sh
	renamed:    bin/hardening/6.14_disable_snmp_server.sh -> bin/hardening/2.2.14_disable_snmp_server.sh
	renamed:    bin/hardening/6.15_mta_localhost.sh -> bin/hardening/2.2.15_mta_localhost.sh
	renamed:    bin/hardening/6.16_disable_rsync.sh -> bin/hardening/2.2.16_disable_rsync.sh
	renamed:    bin/hardening/6.1_disable_xwindow_system.sh -> bin/hardening/2.2.2_disable_xwindow_system.sh
	renamed:    bin/hardening/6.2_disable_avahi_server.sh -> bin/hardening/2.2.3_disable_avahi_server.sh
	renamed:    bin/hardening/6.4_disable_dhcp.sh -> bin/hardening/2.2.5_disable_dhcp.sh
	renamed:    bin/hardening/6.6_disable_ldap.sh -> bin/hardening/2.2.6_disable_ldap.sh
	renamed:    bin/hardening/6.7_disable_nfs_rpc.sh -> bin/hardening/2.2.7_disable_nfs_rpc.sh
	renamed:    bin/hardening/6.8_disable_dns_server.sh -> bin/hardening/2.2.8_disable_dns_server.sh
	renamed:    bin/hardening/6.9_disable_ftp.sh -> bin/hardening/2.2.9_disable_ftp.sh
	deleted:    bin/hardening/6.3_disable_print_server.sh
	new file:   tests/hardening/2.2.1.1_use_time_sync.sh
	renamed:    tests/hardening/6.9_disable_ftp.sh -> tests/hardening/2.2.1.2_configure_ntp.sh
	renamed:    tests/hardening/6.8_disable_dns_server.sh -> tests/hardening/2.2.1.3_configure_chrony.sh
	renamed:    tests/hardening/6.7_disable_nfs_rpc.sh -> tests/hardening/2.2.10_disable_http_server.sh
	renamed:    tests/hardening/6.6_disable_ldap.sh -> tests/hardening/2.2.11_disable_imap_pop.sh
	renamed:    tests/hardening/6.5_configure_ntp.sh -> tests/hardening/2.2.12_disable_samba.sh
	renamed:    tests/hardening/6.4_disable_dhcp.sh -> tests/hardening/2.2.13_disable_http_proxy.sh
	renamed:    tests/hardening/6.3_disable_print_server.sh -> tests/hardening/2.2.14_disable_snmp_server.sh
	renamed:    tests/hardening/6.2_disable_avahi_server.sh -> tests/hardening/2.2.15_mta_localhost.sh
	renamed:    tests/hardening/6.1_disable_xwindow_system.sh -> tests/hardening/2.2.16_disable_rsync.sh
	renamed:    tests/hardening/6.16_disable_rsync.sh -> tests/hardening/2.2.2_disable_xwindow_system.sh
	renamed:    tests/hardening/6.15_mta_localhost.sh -> tests/hardening/2.2.3_disable_avahi_server.sh
	renamed:    tests/hardening/6.14_disable_snmp_server.sh -> tests/hardening/2.2.5_disable_dhcp.sh
	renamed:    tests/hardening/6.13_disable_http_proxy.sh -> tests/hardening/2.2.6_disable_ldap.sh
	renamed:    tests/hardening/6.12_disable_samba.sh -> tests/hardening/2.2.7_disable_nfs_rpc.sh
	renamed:    tests/hardening/6.11_disable_imap_pop.sh -> tests/hardening/2.2.8_disable_dns_server.sh
	renamed:    tests/hardening/6.10_disable_http_server.sh -> tests/hardening/2.2.9_disable_ftp.sh

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    FOUND=false
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            ok "Time synchronization is available through $PACKAGE"
+            FOUND=true
+        fi
+    done
+    if [  "$FOUND" = false ]; then
+        crit "None of the following time sync packages are installed: $PACKAGES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
+

bin/hardening/2.2.1.2_configure_ntp.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.5 Configure Network Time Protocol (NTP) (Scored)
+# 2.2.1.2 Ensure ntp is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+        if [ $FNRET != 0 ]; then
+            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+        else
+            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.10_disable_http_server.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.10 Ensure HTTP Server is not enabled (Not Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -5,14 +5,14 @@
 #
 
 #
-# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
-DESCRIPTION="Ensure IMAP and POP servers are not enabled."
+DESCRIPTION="Ensure IMAP and POP servers are not installed"
 HARDENING_EXCEPTION=mail
 
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'

bin/hardening/2.2.12_disable_samba.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.12 Ensure Samba is not enabled (Not Scored)
+# 2.2.12 Ensure Samba is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Ensure Samba is not enabled."
 HARDENING_EXCEPTION=samba
 
-PACKAGES='samba'
+PACKAGES='samba smbd'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+# 2.2.14 Ensure SNMP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.15_mta_localhost.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.16_disable_rsync.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.16 Ensure rsync service is not enabled (Scored)
+# 2.2.16 Ensure rsync service is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.1 Ensure the X Window system is not installed (Scored)
+# 2.2.2 Ensure the X Window system is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.2 Ensure Avahi Server is not enabled (Scored)
+# 2.2.3 Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.5_disable_dhcp.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.4 Ensure DHCP Server is not enabled (Scored)
+# 2.2.5 Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.6_disable_ldap.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.6 Ensure LDAP is not enabled (Not Scored)
+# 2.2.6 Ensure LDAP server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
+# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.8_disable_dns_server.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.8 Ensure DNS Server is not enabled (Not Scored)
+# 2.2.8 Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.9_disable_ftp.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 6.9 Ensure FTP Server is not enabled (Not Scored)
+# 2.2.9 Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.3_disable_print_server.sh

@@ -1,67 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 6.3 Ensure print server is not enabled (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
-HARDENING_EXCEPTION=cups
-
-PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed!"
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

tests/hardening/2.2.1.1_use_time_sync.sh

@@ -0,0 +1,20 @@
+# run-shellcheck
+test_audit() {
+    # Make all variable local to the function by using `local`
+
+    describe Running on blank host
+    register_test retvalshouldbe 1
+    register_test contain "None of the following time sync packages are installed"
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe Correcting situation
+    apt update
+    apt install -y ntp
+
+    # Finally assess that your corrective actions end up with a compliant system
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "Time synchronization is available through"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+}
+