fix: add tinyproxy in HTTP proxies

.github/workflows/functionnal-tests.yml

@@ -4,6 +4,13 @@ on:
   - pull_request
   - push
 jobs:
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:

.pre-commit-config.yaml

@@ -1,10 +0,0 @@
-repos:
-  - repo: local
-    hooks:
-      - id: check_has_test
-        name: check_has_test.sh
-        description: Ensure a check has a corresponding test
-        entry: hooks/check_has_test.sh
-        language: script
-        pass_filenames: true
-        files: "^bin/hardening/"

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 11/12 Hardening
+cis-hardening - CIS Debian 10/11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 11/12 Hardening
 
 # DESCRIPTION
 
-Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 11/12 Hardening
+# :lock: CIS Debian 10/11/12 Hardening
 
 
 <p align="center">
@@ -13,7 +13,7 @@
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian11` or `debian12`.
+With `target` being like `debian10` or `debian11`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -29,7 +29,6 @@ BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
-USED_VERSION="default"
 
 usage() {
     cat <<EOF
@@ -106,13 +105,6 @@ OPTIONS:
         This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
-    --set-version <version>
-        This option allows to run the scripts as defined for a specific CIS debian version.
-        Supported version are the folders listed in the "versions" folder.
-        examples:
-          --set-version debian_11
-          --set-version ovh_legacy
-
     --summary-json
         While performing system audit, this option sets LOGLEVEL to silent and
         only output a json summary at the end
@@ -171,10 +163,6 @@ while [[ $# -gt 0 ]]; do
         ASK_LOGLEVEL=$2
         shift
         ;;
-    --set-version)
-        USED_VERSION=$2
-        shift
-        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -229,20 +217,9 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/constants.sh
 [ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
-# ensure the CIS version exists
-does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
-if [ "$FNRET" -ne 0 ]; then
-    echo "$USED_VERSION is not a valid version"
-    echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
-    exit 1
-fi
-
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 
-# update path for the remaining of the script
-CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
-
 if [ "$DISTRIBUTION" != "debian" ]; then
     echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
     if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
@@ -254,7 +231,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
         echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
     fi
 else
-    if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
         echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
         if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
             echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
@@ -319,7 +296,10 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
     if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure Mounting of freevxfs filesystems is disabled (Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Esnure mounting of jffs2 filesystems is disabled (Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure mounting of hfs filesystems is disabled (Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure mounting of hfsplus filesystems is disabled (Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure mounting of squashfs filesystems is disabled (Scored)
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.6_disable_udf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure mounting of udf filesystems is disabled (Scored)
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure mounting of FAT filesystems is limited (Not Scored)
+# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.1.8_disable_cramfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure Mounting of cramfs filesystems is disabled (Scored)
+# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,25 +26,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -55,18 +41,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.10_var_tmp_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set on /var/tmp partition (Scored)
+# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.11.1_var_log_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set on /var/log partition (Scored)
+# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.11.2_var_log_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on /var/log partition (Scored)
+# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.11.3_var_log_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# ensure nodev option set on /var/log partition (Scored)
+# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.11_var_log_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure separate partition exists for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12.1_var_log_audit_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set on /var/log/audit partition (Scored)
+# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12.2_var_log_audit_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on /var/log/audit partition (Scored)
+# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12.3_var_log_audit_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set on /var/log/audit partition (Scored)
+# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure separate partition exists for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.13_home_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure separate partition exists for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.14.1_home_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on /home partition (Scored)
+# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.14_home_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev Option set on /home (Scored)
+# 1.1.14 Ensure nodev Option set on /home (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set on /dev/shm partition (Scored)
+# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on /run/shm partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set on /run/shm partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set on removable media partition (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on removable media partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set on removable media partition (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure sticky bit is set on all world-writable directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.22_disable_automounting.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Disable Automounting (Scored)
+# 1.1.22 Disable Automounting (Scored)
 #
 
 set -e # One error, it's over
@@ -36,7 +36,7 @@ apply() {
     is_service_enabled "$SERVICE_NAME"
     if [ "$FNRET" = 0 ]; then
         info "Disabling $SERVICE_NAME"
-        manage_service disable "$SERVICE_NAME"
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
     else
         ok "$SERVICE_NAME is disabled"
     fi

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Disable USB storage (Scored)
+# 1.1.23 Disable USB storage (Scored)
 #
 
 set -e # One error, it's over
@@ -20,10 +20,7 @@ DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 
 KERNEL_OPTION="CONFIG_USB_STORAGE"
-# name as used for "modprobe"
 MODULE_NAME="usb-storage"
-# name as returned by "modinfo -F name <module_file.ko>"
-LOADED_MODULE_NAME="usb_storage"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -31,25 +28,11 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            crit "$MODULE_NAME is enabled!"
         else
-            ok "$LOADED_MODULE_NAME is not loaded"
+            ok "$MODULE_NAME is disabled"
-        fi
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 0 ]; then
-                ok "$MODULE_NAME is disabled in the modprobe configuration"
-            else
-                is_kernel_module_available "$KERNEL_OPTION"
-                if [ "$FNRET" -eq 0 ]; then
-                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
-                else
-                    ok "$MODULE_NAME is not available in any kernel config"
-                fi
-            fi
         fi
     fi
 }
@@ -60,18 +43,11 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$LOADED_MODULE_NAME is loaded!"
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
-            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
+        else
-        fi
+            ok "$MODULE_NAME is disabled"
-
-        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
-            is_kernel_module_disabled "$MODULE_NAME"
-            if [ "$FNRET" -eq 1 ]; then
-                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
-                info "$MODULE_NAME has been disabled in the modprobe configuration"
-            fi
         fi
     fi
 }

bin/hardening/1.1.2_tmp_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure /tmp is configured (Scored)
+# 1.1.2 Ensure /tmp is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.3_tmp_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set for /tmp Partition (Scored)
+# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.4_tmp_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set for /tmp Partition (Scored)
+# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.5_tmp_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure noexec option set for /tmp Partition (Scored)
+# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.6.1_var_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set for /var Partition (Scored)
+# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.6.2_var_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set for /var Partition (Scored)
+# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.6_var_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure separate partition exists for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.7_var_tmp_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure separate partition exists for /var/tmp (Scored)
+# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.8_var_tmp_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nodev option set on /var/tmp partition (Scored)
+# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.9_var_tmp_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure nosuid option set on /var/tmp partition (Scored)
+# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.3.1_install_sudo.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure sudo is installed (Scored)
+# 1.3.1 Ensure sudo is installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.3.2_pty_sudo.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure sudo commands use pty (Scored)
+# 1.3.2 Ensure sudo commands use pty (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.3.3_logfile_sudo.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure sudo log file exists (Scored)
+# 1.3.3 Ensure sudo log file exists (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.4.1_install_tripwire.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure tripwire is installed (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.4.2_tripwire_cron.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure filesysteme integrity is regularly checked (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.2_bootloader_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.3_root_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.1_enable_nx_support.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.2_enable_randomized_vm_placement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.3.1_disable_apport.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure apport is disabled (Scored)
+# 1.6.3.1 Ensure apport is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.3_disable_prelink.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.5_restrict_ptrace_scope.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure libpam-pwquality is installed (Automated)
+# 1.6.2 Ensure ptrace_scope is restricted
 #
 
 set -e # One error, it's over
@@ -15,28 +15,33 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Ensure libpam-pwquality is installed "
+DESCRIPTION="Ensure ptrace_scope is restricted."
 
-PACKAGE='libpam-pwquality'
+SYSCTL_PARAM='kernel.yama.ptrace_scope'
+SYSCTL_EXP_RESULT=2
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
+        warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
-        ok "$PACKAGE is installed"
+        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$PACKAGE is installed"
+        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
+        warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
-        crit "$PACKAGE is absent, installing it"
+        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-        apt_install "$PACKAGE"
     fi
 }
 

bin/hardening/1.7.1.1_install_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure AppArmor is installed (Scored)
+# 1.7.1.1 Ensure AppArmor is installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure AppArmor is enabled in the bootloader configuration (Scored)
+# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure all AppArmor profiles are in enforce or complain mode (Scored)
+# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure all AppArmor profiles are enforcing (Scored)
+# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.1_remove_os_info_motd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.2_remove_os_info_issue.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.3_remove_os_info_issue_net.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.4_motd_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure permissions on /etc/motd are configured (Scored)
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.5_etc_issue_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure permissions on /etc/issue are configured (Scored)
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.6_etc_issue_net_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure permissions on /etc/issue.net are configured (Scored)
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.2_graphical_warning_banners.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.9_install_updates.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.1.1_disable_xinetd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure xinetd is not enabled (Scored)
+# 2.1.1 Ensure xinetd is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.1.2_disable_bsd_inetd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure bsd-inetd is not enabled (Scored)
+# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure time synchronization is in use (Not Scored)
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure systemd-timesyncd is configured (Not Scored)
+# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
 #
 
 set -e # One error, it's over
@@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
+    status=$(systemctl is-enabled "$SERVICE_NAME")
-    if [ "$FNRET" -eq 0 ]; then
+    if [ "$status" = "enabled" ]; then
         ok "$SERVICE_NAME is enabled"
     else
         crit "$SERVICE_NAME is disabled"

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure chrony is configured (Scored)
+# 2.2.1.3 Ensure chrony is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.4_configure_ntp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure ntp is configured (Scored)
+# 2.2.1.2 Ensure ntp is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.10_disable_http_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure HTTP Server is not enabled (Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure IMAP and POP server is not installed (Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.12_disable_samba.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure Samba is not enabled (Scored)
+# 2.2.12 Ensure Samba is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure HTTP Proxy Server is not enabled (Scored)
+# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -19,7 +19,7 @@ DESCRIPTION="Ensure HTTP-proxy is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 
-PACKAGES='squid3 squid'
+PACKAGES='squid3 squid tinyproxy'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure SNMP Server is not enabled (Scored)
+# 2.2.14 Ensure SNMP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.15_mta_localhost.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
+# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.16_disable_rsync.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure rsync service is not enabled (Scored)
+# 2.2.16 Ensure rsync service is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.17_disable_nis.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure NIS Server is not enabled (Scored)
+# 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 
-PACKAGES='nis'
+PACKAGES='nis ypserv'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.2.18_disable_tftp.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.18 Ensure TFTP server is not enabled  (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Trivial File Transfer Protocol server is not enabled."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=tftp
+
+PACKAGES='tftpd tftpd-hpa'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure the X Window system is not installed (Scored)
+# 2.2.2 Ensure the X Window system is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure Avahi Server is not enabled (Scored)
+# 2.2.3 Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.4_disable_print_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure CUPS is not enabled (Scored)
+# 2.2.4 Ensure CUPS is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.5_disable_dhcp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure DHCP Server is not enabled (Scored)
+# 2.2.5 Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.6_disable_ldap.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure LDAP server is not enabled (Scored)
+# 2.2.6 Ensure LDAP server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure NFS and RPC are not enabled (Scored)
+# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.8_disable_dns_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure DNS Server is not enabled (Scored)
+# 2.2.8 Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 
-PACKAGES='bind9 unbound'
+PACKAGES='bind9 unbound dnsmasq'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/2.2.9_disable_ftp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure FTP Server is not enabled (Scored)
+# 2.2.9 Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.3.1_disable_nis.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.1 Ensure NIS client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
+
+PACKAGES='nis ypbind-mt'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure rsh client is not installed (Scored)
+# 2.3.2 Ensure rsh client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.3.3_disable_talk_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure talk client is not installed (Scored)
+# 2.3.3 Ensure talk client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure telnet client is not installed (Scored)
+# 2.3.4 Ensure telnet client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure LDAP client is not installed (Scored)
+# 2.3.5 Ensure LDAP client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.1.1_disable_ipv6.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.1.2_disable_wireless.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 
 set -e # One error, it's over