refactor: is_kernel_option_enabled (#267)

Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
        - is_kernel_monolithic
        - is_kernel_option_enabled -> check for a kernel configuration in the running kernel
        - is_kernel_module_loaded -> check if a module is currently loaded
        - is_kernel_module_available -> check if a module is configured in all available kernel configs
        - is_kernel_module_disabled   -> check if a kernel module is disabled in the modprobe configuration

Also:

- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>

.github/workflows/functionnal-tests.yml

@@ -4,13 +4,6 @@ on:
   - pull_request
   - push
 jobs:
-  functionnal-tests-docker-debian10:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-      - name: Run the tests debian10
-        run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest
@@ -34,7 +34,7 @@ jobs:
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v4.2.0
+        uses: metcalfc/changelog-generator@v4.3.1
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/tagged-release.yml

@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 10/11/12 Hardening
+cis-hardening - CIS Debian 11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening
 
 # DESCRIPTION
 
-Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 10/11/12 Hardening
+# :lock: CIS Debian 11/12 Hardening
 
 
 <p align="center">
@@ -13,7 +13,7 @@
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian10` or `debian11`.
+With `target` being like `debian11` or `debian12`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -29,6 +29,7 @@ BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
+USED_VERSION="default"
 
 usage() {
     cat <<EOF
@@ -105,6 +106,13 @@ OPTIONS:
         This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
+    --set-version <version>
+        This option allows to run the scripts as defined for a specific CIS debian version.
+        Supported version are the folders listed in the "versions" folder.
+        examples:
+          --set-version debian_11
+          --set-version ovh_legacy
+
     --summary-json
         While performing system audit, this option sets LOGLEVEL to silent and
         only output a json summary at the end
@@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
         ASK_LOGLEVEL=$2
         shift
         ;;
+    --set-version)
+        USED_VERSION=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -192,7 +204,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ] && [ "$SET_HARDENING_LEVEL" -eq 0 ]; then
     usage
 fi
 
@@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/constants.sh
 [ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
+# ensure the CIS version exists
+does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
+if [ "$FNRET" -ne 0 ]; then
+    echo "$USED_VERSION is not a valid version"
+    echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+    exit 1
+fi
+
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 
+# update path for the remaining of the script
+CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
+
 if [ "$DISTRIBUTION" != "debian" ]; then
     echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
     if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
@@ -231,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
         echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
     fi
 else
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+    if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
         echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
         if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
             echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
@@ -296,10 +319,7 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
     if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
-        # shellcheck disable=SC2001
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/4.1.6_record_mac_edit.sh

@@ -1,103 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.6 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
-
-AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
-FILE='/etc/audit/rules.d/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
-        SEARCH_RES=0
-        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
-            if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
-            else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
-                SEARCH_RES=1
-            fi
-        done
-        if [ "$SEARCH_RES" = 0 ]; then
-            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
-        SEARCH_RES=0
-        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
-            if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
-            else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
-                SEARCH_RES=1
-            fi
-        done
-        if [ "$SEARCH_RES" = 0 ]; then
-            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -1,115 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.2.15 Ensure only strong Key Exchange algorithms are used (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Checking key exchange ciphers."
-
-PACKAGE='openssh-server'
-OPTIONS=''
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        ok "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-            if [ "$FNRET" = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install "$PACKAGE"
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
-            if [ "$FNRET" != 0 ]; then
-                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
-        fi
-    done
-}
-
-create_config() {
-    set +u
-    debug "Debian version : $DEB_MAJ_VER "
-    if [[ "$DEB_MAJ_VER" -le 7 ]]; then
-        KEX='diffie-hellman-group-exchange-sha256'
-    else
-        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
-    fi
-    set -u
-    cat <<EOF
-status=audit
-# Put your KexAlgorithms
-OPTIONS="KexAlgorithms=$KEX"
-EOF
-
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.1.1.1_disable_cramfs.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening Bonus Check
-#
-
-#
-# 99.1.1.1 Ensure mounting of cramfs filesystems is disabled (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of cramfs filesystems."
-
-KERNEL_OPTION="CONFIG_CRAMFS"
-MODULE_NAME="cramfs"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-    :
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-    :
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/acc_logindefs_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.1 Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
+# Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
 #
 
 set -e # One error, it's over
@@ -48,7 +48,7 @@ apply() {
         if [ "$FNRET" != 0 ]; then
             add_end_of_file "$CONF_FILE" "$CONF_LINE"
         else
-            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+            info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
             replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
         fi
     fi
@@ -59,18 +59,9 @@ check_config() {
     :
 }
 
-# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
-# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
-# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" -ge "11" ]; then
+    CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
-        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+    CONF_LINE="ENCRYPT_METHOD YESCRYPT"
-        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
-    else
-        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
-        CONF_LINE="ENCRYPT_METHOD SHA512"
-    fi
-    unset -f _set_vars_jit
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_pam_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+# Ensure password hashing algorithm is SHA-512 (Scored)
 #
 
 set -e # One error, it's over
@@ -49,11 +49,7 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+            add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
-            else
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
-            fi
         fi
     fi
 }
@@ -67,12 +63,7 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" -ge "11" ]; then
+    CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
-    else
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
-    fi
-    unset -f _set_vars_jit
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_shadow_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.2 Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
+# Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
 #
 
 set -e # One error, it's over
@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # yescrypt: Check password against $y$<salt>$<base64>
-        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
+        elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
             pw_found+="$user "
             ok "User $user has suitable yescrypt hashed password."
         # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@@ -46,11 +46,7 @@ audit() {
             ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+            crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
-                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
-            else
-                crit "User $user has a password that is not sha512crypt hashed."
-            fi
         fi
     done
     if [[ -z "$users_reviewed" ]]; then

bin/hardening/acc_sudoers_no_all.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.1.3 Check there are no carte-blanche authorization in sudoers file(s).
+# Check there are no carte-blanche authorization in sudoers file(s).
 #
 
 set -e # One error, it's over

bin/hardening/audit_backlog_limit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+# Ensure audit_backlog_limit is sufficient (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/audit_bootloader.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/audit_log_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.2.1 Ensure audit log storage size is configured (Scored)
+# Ensure audit log storage size is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/bootloader_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+# Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/bootloader_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.2 Ensure bootloader password is set (Scored)
+# Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/check_distribution.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
+# Ensure that the distribution version is debian and supported
 #
 
 set -e # One error, it's over
@@ -22,7 +22,7 @@ audit() {
     if [ "$DISTRIBUTION" != "debian" ]; then
         crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
     else
-        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is too recent and is not yet supported."
         elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

bin/hardening/check_duplicate_gid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.17 Ensure no duplicate GIDs exist (Scored)
+# Ensure no duplicate GIDs exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/check_duplicate_groupname.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.19 Ensure no duplicate group names exist (Scored)
+# Ensure no duplicate group names exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/check_duplicate_uid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.16 Ensure no duplicate UIDs exist (Scored)
+# Ensure no duplicate UIDs exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/check_duplicate_username.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.18 Ensure no duplicate user names exist (Scored)
+# Ensure no duplicate user names exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/check_user_dir_perm.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored
+# Ensure users' home directories permissions are 750 or more restrictive (Scored
 #
 
 set -e # One error, it's over

bin/hardening/check_user_dot_file_perm.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
+# Ensure users' dot files are not group or world writable (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_chrony.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.1.3 Ensure chrony is configured (Scored)
+# Ensure chrony is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_logrotate.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.3 Ensure logrotate is configured (Not Scored)
+# Ensure logrotate is configured (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_ntp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.1.2 Ensure ntp is configured (Scored)
+# Ensure ntp is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_ssh_max_startups.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.22 Ensure SSH MaxStartups is configured (Scored)
+# Ensure SSH MaxStartups is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.1.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+# Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/configure_systemd-timesyncd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
+# Ensure systemd-timesyncd is configured (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_d_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+# Ensure permissions on /etc/cron.d are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_daily_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+# Ensure permissions on /etc/cron.daily are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_hourly_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+# Ensure permissions on /etc/cron.hourly are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_monthly_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+# Ensure permissions on /etc/cron.monthly are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_users.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+# Ensure at/cron is restricted to authorized users (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/cron_weekly_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+# Ensure permissions on /etc/cron.weekly are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/crontab_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+# Ensure permissions on /etc/crontab are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/default_root_group.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+# Ensure default group for the root account is GID 0 (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/default_timeout.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.4 Ensure default usershell timeout is 900 seconds or less
+# Ensure default usershell timeout is 900 seconds or less
 #
 
 set -e # One error, it's over

bin/hardening/default_umask.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+# Ensure default user umask is 027 or more restrictive (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_apport.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.6.3.1 Ensure apport is disabled (Scored)
+# Ensure apport is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_automounting.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.22 Disable Automounting (Scored)
+# Disable Automounting (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_avahi_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.3 Ensure Avahi Server is not enabled (Scored)
+# Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_bsd_inetd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
+# Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_cramfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
+# Ensure Mounting of cramfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_dccp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.4.1 Ensure DCCP is disabled (Not Scored)
+# Ensure DCCP is disabled (Not Scored)
 #
 
 set -e # One error, it's over
@@ -28,11 +28,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -43,11 +57,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_dhcp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.5 Ensure DHCP Server is not enabled (Scored)
+# Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_dns_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.8 Ensure DNS Server is not enabled (Scored)
+# Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_freevxfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
+# Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_ftp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.9 Ensure FTP Server is not enabled (Scored)
+# Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_hfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
+# Ensure mounting of hfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_hfsplus.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
+# Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_http_proxy.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
+# Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_http_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.10 Ensure HTTP Server is not enabled (Scored)
+# Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
+# Ensure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_imap_pop.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
+# Ensure IMAP and POP server is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_ip_forwarding.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.2 Ensure IP forwarding is disabled (Scored)
+# Ensure IP forwarding is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_ipv6.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.1 Disable IPv6 (Not Scored)
+# Disable IPv6 (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_ipv6_router_advertisement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
+# Ensure IPv6 router advertisements are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_jffs2.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
+# Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_ldap.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.6 Ensure LDAP server is not enabled (Scored)
+# Ensure LDAP server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_ldap_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.3.5 Ensure LDAP client is not installed (Scored)
+# Ensure LDAP client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_nfs_rpc.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
+# Ensure NFS and RPC are not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_nis.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.17 Ensure NIS Server is not enabled (Scored)
+# Ensure NIS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_prelink.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.6.3 Ensure prelink is disabled (Scored)
+# Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_print_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.4 Ensure CUPS is not enabled (Scored)
+# Ensure CUPS is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_rds.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.4.3 Ensure SCTP is disabled (Not Scored)
+# Ensure SCTP is disabled (Not Scored)
 #
 
 set -e # One error, it's over
@@ -28,11 +28,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -43,11 +57,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_root_login.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.10 Ensure SSH root login is disabled (Scored)
+# Ensure SSH root login is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_rsh_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.3.2 Ensure rsh client is not installed (Scored)
+# Ensure rsh client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_rsync.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.16 Ensure rsync service is not enabled (Scored)
+# Ensure rsync service is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_samba.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.12 Ensure Samba is not enabled (Scored)
+# Ensure Samba is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_sctp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.4.2 Ensure SCTP is disabled (Not Scored)
+# Ensure SCTP is disabled (Not Scored)
 #
 
 set -e # One error, it's over
@@ -28,11 +28,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -43,11 +57,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_secure_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
+# Ensure secure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_send_packet_redirects.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.1 Ensure packet redirect sending is disabled (Scored)
+# Ensure packet redirect sending is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_snmp_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.14 Ensure SNMP Server is not enabled (Scored)
+# Ensure SNMP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_source_routed_packets.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.3.1 Ensure source routed packets are not accepted (Scored)
+# Ensure source routed packets are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_squashfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
+# Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_ssh_allow_tcp_forwarding.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.21 Ensure SSH AllowTCPForwarding is disabled (Scored)
+# Ensure SSH AllowTCPForwarding is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_sshd_hostbasedauthentication.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+# Ensure SSH HostbasedAuthentication is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_sshd_permitemptypasswords.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+# Ensure SSH PermitEmptyPasswords is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_sshd_setenv.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+# Ensure SSH PermitUserEnvironment is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_system_accounts.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.2 Ensure system accounts are non-login (Scored)
+# Ensure system accounts are non-login (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_talk_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.3.3 Ensure talk client is not installed (Scored)
+# Ensure talk client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_telnet_client.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.3.4 Ensure telnet client is not installed (Scored)
+# Ensure telnet client is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_telnet_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.2.2 Ensure telnet server is not enabled (Scored)
+# Ensure telnet server is not enabled (Scored)
 #
 
 # Note: this check is not anymore in CIS hardening but we decided to keep it anyway

bin/hardening/disable_tipc.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.4.4 Ensure TIPC is disabled (Not Scored)
+# Ensure TIPC is disabled (Not Scored)
 #
 
 set -e # One error, it's over
@@ -28,11 +28,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -43,11 +57,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_udf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
+# Ensure mounting of udf filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -26,11 +26,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -41,11 +55,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_usb_devices.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.1.1.23 Disable USB Devices
+# Disable USB Devices
 #
 
 set -e # One error, it's over
@@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     SEARCH_RES=0
+    # if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+    # shellcheck disable=SC2086
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
         if [ "$SEARCH_RES" = 1 ]; then break; fi
         if $SUDO_CMD test -d "$FILE_SEARCHED"; then

bin/hardening/disable_usb_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.23 Disable USB storage (Scored)
+# Disable USB storage (Scored)
 #
 
 set -e # One error, it's over
@@ -20,7 +20,10 @@ DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 
 KERNEL_OPTION="CONFIG_USB_STORAGE"
+# name as used for "modprobe"
 MODULE_NAME="usb-storage"
+# name as returned by "modinfo -F name <module_file.ko>"
+LOADED_MODULE_NAME="usb_storage"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -28,11 +31,25 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            crit "$MODULE_NAME is enabled!"
+            crit "$LOADED_MODULE_NAME is loaded!"
         else
-            ok "$MODULE_NAME is disabled"
+            ok "$LOADED_MODULE_NAME is not loaded"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 0 ]; then
+                ok "$MODULE_NAME is disabled in the modprobe configuration"
+            else
+                is_kernel_module_available "$KERNEL_OPTION"
+                if [ "$FNRET" -eq 0 ]; then
+                    crit "$MODULE_NAME is available in some kernel config, but not disabled"
+                else
+                    ok "$MODULE_NAME is not available in any kernel config"
+                fi
+            fi
         fi
     fi
 }
@@ -43,11 +60,18 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
-        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
-            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+            crit "$LOADED_MODULE_NAME is loaded!"
-        else
+            warn "I wont unload the module, unload it manually or recompile the kernel if needed"
-            ok "$MODULE_NAME is disabled"
+        fi
+
+        if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
+            is_kernel_module_disabled "$MODULE_NAME"
+            if [ "$FNRET" -eq 1 ]; then
+                echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
+                info "$MODULE_NAME has been disabled in the modprobe configuration"
+            fi
         fi
     fi
 }

bin/hardening/disable_wireless.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
+# Ensure wireless interfaces are disabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_x11_forwarding.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.2.6 Ensure SSH X11 forwarding is disabled (Scored)
+# Ensure SSH X11 forwarding is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_xinetd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.1.1 Ensure xinetd is not enabled (Scored)
+# Ensure xinetd is not enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/disable_xwindow_system.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.2 Ensure the X Window system is not installed (Scored)
+# Ensure the X Window system is not installed (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/enable_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
+# Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/enable_auditd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.2 Ensure auditd service is enabled (Scored)
+# Ensure auditd service is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/enable_auditd_kernel.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.4.0 Ensure CONFIG_AUDIT is enabled in your running kernel
+# Ensure CONFIG_AUDIT is enabled in your running kernel
 #
 
 set -e # One error, it's over

bin/hardening/enable_bad_error_message_protection.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
+# Ensure bogus ICMP responses are ignored (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/enable_cron.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.1 Ensure cron daemon is enabled (Scored)
+# Ensure cron daemon is enabled (Scored)
 #
 
 set -e # One error, it's over