release 1.3.1-1

fix IFS bug
add test

README.md

@@ -1,6 +1,6 @@
-# CIS Debian 7/8 Hardening
+# CIS Debian 7/8/9 Hardening
 
-Modular Debian 7/8 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
 
 ```console
@@ -80,6 +80,15 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
+``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
+with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
+not prompt for a password.
+
+``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+captures all output to print only one line once the check is done, formatted like :
+OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 ## Hacking
 
 **Getting the source**
@@ -108,6 +117,39 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
+## Functional testing
+
+Functional tests are available. They are to be run in a Docker environment.
+
+```console
+$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
+```
+
+With `target` being like `debian8` or `debian9`.
+
+Running without script arguments will run all tests in `./tests/hardening/` directory.
+Or you can specify one or several test script to be run.
+
+This will build a new Docker image from the current state of the projet and run
+a container that will assess a blank Debian system compliance for each check.  
+For hardening audit points the audit is expected to fail, then be fixed so that
+running the audit a second time will succeed.  
+For vulnerable items, the audit is expected to succeed on a blank
+system, then the functional tests will introduce a weak point, that is expected
+to be detected when running the audit test a second time. Finally running the `apply`
+part of debian-cis script will restore a compliance state that is expected to be
+assed by running the audit check a third time.
+
+Functional tests can make use of the following helper functions :  
+
+* `describe <test description>`
+* `run <usecase> <audit_script> <audit_script_options>`
+* `register_test <test content (see below)>`
+  * `retvalshoudbe <integer>` check the script return value
+  * `contain "<SAMPLE TEXT>"` check that the output contains the following text
+
+In order to write your own functional test, you will find a code skeleton in
+`./src/skel.test`.
 
 ## Disclaimer
 

bin/hardening.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
 #
 
@@ -22,6 +22,8 @@ AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
+SUDO_MODE=''
+BATCH_MODE=''
 
 usage() {
     cat << EOF
@@ -83,6 +85,18 @@ OPTIONS:
         The test number is the numbered prefix of the script,
         i.e. the test number of 1.2_script_name.sh is 1.2.
 
+    --sudo
+        This option lets you audit your system as a normal user, but allows sudo
+        escalation to gain read-only access to root files. Note that you need to
+        provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+        the '-n' option instructs sudo not to prompt for a password.
+        Finally note that '--sudo' mode only works for audit mode.
+
+    --batch
+        While performing system audit, this option sets LOGLEVEL to 'ok' and
+        captures all output to print only one line once the check is done, formatted like :
+        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 EOF
     exit 0
 }
@@ -124,6 +138,13 @@ while [[ $# > 0 ]]; do
             TEST_LIST[${#TEST_LIST[@]}]="$2"
             shift
         ;;
+        --sudo)
+            SUDO_MODE='--sudo'
+        ;;
+        --batch)
+            BATCH_MODE='--batch'
+            LOGLEVEL=ok
+        ;;
         -h|--help)
             usage
         ;;
@@ -134,6 +155,11 @@ while [[ $# > 0 ]]; do
     shift
 done
 
+# if no RUN_MODE was passed, usage and quit
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+    usage
+fi
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening
@@ -149,6 +175,8 @@ fi
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
 
+if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
     declare -a HARDENING_EXCEPTIONS_LIST
@@ -188,23 +216,23 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
         # --only X has been specified at least once, is this script in my list ?
         SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
-        if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi
     fi
 
     info "Treating $SCRIPT"
-    
+
     if [ $AUDIT = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
-        $SCRIPT --audit
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
+        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
     elif [ $APPLY = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
         $SCRIPT
@@ -222,7 +250,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
                 sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
                 info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
             fi
-        ;;    
+        ;;
         1)
             debug "$SCRIPT failed"
             FAILED_CHECKS=$((FAILED_CHECKS+1))
@@ -234,19 +262,32 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     esac
 
     TOTAL_CHECKS=$((TOTAL_CHECKS+1))
- 
+
 done
 
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
 
-printf "%40s\n" "################### SUMMARY ###################"
-printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
-printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-    printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ $BATCH_MODE ]; then
+    BATCH_SUMMARY="AUDIT_SUMMARY "
+    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
+    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
+    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
+    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%.2f" $( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l))"
+    else
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
+    fi
+    becho $BATCH_SUMMARY
 else
-    printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 
+    printf "%40s\n" "################### SUMMARY ###################"
+    printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
+    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+        printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+    else
+        printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+    fi
 fi

bin/hardening/1.1_install_updates.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Install updates, patches and additional secutiry software."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/10.1.1_set_password_exp_days.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set password expiration days."
 
 PACKAGE='login'
 OPTIONS='PASS_MAX_DAYS=90'

bin/hardening/10.1.2_set_password_min_days_change.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set password change minimum number of days."
 
 PACKAGE='login'
 OPTIONS='PASS_MIN_DAYS=7'

bin/hardening/10.1.3_set_password_exp_warning_days.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set password expiration warning days."
 
 PACKAGE='login'
 OPTIONS='PASS_WARN_AGE=7'

bin/hardening/10.2_disable_system_accounts.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,15 +12,20 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Disable system accounts, preventing them from interactive login."
 
-SHELL='/bin/false'
+ACCEPTED_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'
+SHELL_TO_APPLY='/bin/false'
 FILE='/etc/passwd'
 RESULT=''
 
+ACCEPTED_SHELLS_GREP=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    shells_to_grep_helper
+    info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -35,8 +40,9 @@ audit () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
+        crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
         crit "$RESULT"
     else
         ok "All admin accounts deactivated"
@@ -45,7 +51,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -60,22 +67,29 @@ apply () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
+        warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
         warn "$RESULT"
         for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
-            usermod -s $SHELL $USER
+            info "Setting $SHELL_TO_APPLY as $USER login shell"
+            usermod -s "$SHELL_TO_APPLY" "$USER"
         done
     else
         ok "All admin accounts deactivated, nothing to apply"
     fi
 }
 
+shells_to_grep_helper(){
+    for shell in $ACCEPTED_SHELLS; do
+        ACCEPTED_SHELLS_GREP+=" -e $shell"
+    done
+}
+
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF
-status=disabled
+status=audit
 # Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""
 EOF

bin/hardening/10.3_default_root_group.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Set default group for root account to 0."
 
 USER='root'
 EXPECTED_GID='0'

bin/hardening/10.4_default_umask.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set default mask for users to 077."
 
 USER='root'
 PATTERN='umask 077'

bin/hardening/10.5_lock_inactive_user_account.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Lock inactive user accounts."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/11.1_warning_banners.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
 
 PERMISSIONS='644'
 USER='root'
@@ -21,6 +22,11 @@ FILES='/etc/motd /etc/issue /etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for FILE in $FILES; do
+        does_file_exist $FILE
+        if [ $FNRET != 0 ]; then
+            crit "$FILE does not exist"
+            continue
+        fi
         has_file_correct_ownership $FILE $USER $GROUP
         if [ $FNRET = 0 ]; then
             ok "$FILE has correct ownership"

bin/hardening/11.2_remove_os_info_warning_banners.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from Login Warning Banners."
 
 FILES='/etc/motd /etc/issue /etc/issue.net'
 PATTERN='(\\v|\\r|\\m|\\s)'

bin/hardening/11.3_graphical_warning_banners.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set graphical warning banner."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/12.10_find_suid_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,21 +11,27 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+DESCRIPTION="Find SUID system executables."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are suid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
+    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+    # shellcheck disable=2086
+    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    BAD_BINARIES=""
+    for BINARY in $FOUND_BINARIES; do
+        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
             debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+        else
+            BAD_BINARIES="$BAD_BINARIES $BINARY"
         fi
     done
-    if [ ! -z "$RESULT" ]; then
+    if [ ! -z "$BAD_BINARIES" ]; then
         crit "Some suid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "No unknown suid files found"
@@ -40,9 +46,9 @@ apply () {
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF
-status=disabled
+status=audit
 # Put Here your valid suid binaries so that they do not appear during the audit
-EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
+EXCEPTIONS="/bin/mount /usr/bin/mount /bin/ping /usr/bin/ping /bin/ping6 /usr/bin/ping6 /bin/su /usr/bin/su /bin/umount /usr/bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
 EOF
 }
 
@@ -63,8 +69,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/12.11_find_sgid_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,21 +11,27 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+DESCRIPTION="Find SGID system executables."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are sgid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
+    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+    # shellcheck disable=2086
+    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    BAD_BINARIES=""
+    for BINARY in $FOUND_BINARIES; do
+        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
             debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+        else
+            BAD_BINARIES="$BAD_BINARIES $BINARY"
         fi
     done
-    if [ ! -z "$RESULT" ]; then
+    if [ ! -z "$BAD_BINARIES" ]; then
         crit "Some sgid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "No unknown sgid files found"
@@ -40,9 +46,9 @@ apply () {
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF
-status=disabled
+status=audit
 # Put here valid binaries with sgid enabled separated by spaces
-EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
+EXCEPTIONS="/sbin/unix_chkpwd /usr/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
 EOF
 }
 
@@ -64,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/12.1_etc_passwd_permissions.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/passwd to 644."
 
 FILE='/etc/passwd'
 PERMISSIONS='644'

bin/hardening/12.2_etc_shadow_permissions.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/shadow to 640."
 
 FILE='/etc/shadow'
 PERMISSIONS='640'

bin/hardening/12.3_etc_group_permissions.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/group to 644."
 
 FILE='/etc/group'
 PERMISSIONS='644'

bin/hardening/12.4_etc_passwd_ownership.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on /etc/passwd."
 
 FILE='/etc/passwd'
 USER='root'

bin/hardening/12.5_etc_shadow_ownership.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on etc/shadow."
 
 FILE='/etc/shadow'
 USER='root'

bin/hardening/12.6_etc_group_ownership.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on /etc/group."
 
 FILE='/etc/group'
 USER='root'

bin/hardening/12.7_find_world_writable_file.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,11 +12,13 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Find world writable files."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are world writable files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
     if [ ! -z "$RESULT" ]; then
         crit "Some world writable files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

bin/hardening/12.8_find_unowned_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,13 +12,15 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Find un-owned files and directories."
 
 USER='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are unowned files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
+    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
     if [ ! -z "$RESULT" ]; then
         crit "Some unowned files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

bin/hardening/12.9_find_ungrouped_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,13 +12,15 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Find un-grouped files and directories."
 
 GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are ungrouped files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
+    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
     if [ ! -z "$RESULT" ]; then
         crit "Some ungrouped files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

bin/hardening/13.10_find_user_rhosts_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="No user's .rhosts file."
 
 ERRORS=0
 FILENAME=".rhosts"

bin/hardening/13.11_find_passwd_group_inconsistencies.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="There is no group in /etc/passwd that is not in /etc/group."
 
 ERRORS=0
 

bin/hardening/13.12_users_valid_homedir.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Users are assigned valid home directories."
 
 ERRORS=0
 
@@ -23,7 +24,7 @@ audit () {
         USER=$(awk -F: {'print $1'} <<< $LINE)
         USERID=$(awk -F: {'print $2'} <<< $LINE)
         DIR=$(awk -F: {'print $3'} <<< $LINE)
-        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
             ERRORS=$((ERRORS+1))    
         fi

bin/hardening/13.13_check_user_homedir_ownership.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,45 +12,68 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Check user home directory ownership."
+EXCEPTIONS=""
 
 ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
     for LINE in $RESULT; do
         debug "Working on $LINE"
-        USER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE)
-        DIR=$(awk -F: {'print $3'} <<< $LINE)    
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+        USER=$(awk -F: '{print $1}' <<< "$LINE")
+        USERID=$(awk -F: '{print $2}' <<< "$LINE")
+        DIR=$(awk -F: '{print $3}' <<< "$LINE")
+        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
             OWNER=$(stat -L -c "%U" "$DIR")
             if [ "$OWNER" != "$USER" ]; then
-                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
-                ERRORS=$((ERRORS+1))
+                EXCEP_FOUND=0
+                for excep in $EXCEPTIONS; do
+                    if [ "$DIR:$USER:$OWNER" = "$excep" ]; then
+                        ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
+                        EXCEP_FOUND=1
+                        break
+                    fi
+                done
+                if [ "$EXCEP_FOUND" -eq 0 ]; then
+                    crit "The home directory ($DIR) of user $USER is owned by $OWNER."
+                    ERRORS=$((ERRORS+1))
+                fi
             fi
         fi
     done
 
     if [ $ERRORS = 0 ]; then
         ok "All home directories have correct ownership"
-    fi 
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+    awk -F: '{ print $1 " " $3 " " $6 }'  /etc/passwd | while read -r USER USERID DIR; do
+        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
             OWNER=$(stat -L -c "%U" "$DIR")
             if [ "$OWNER" != "$USER" ]; then
                 warn "The home directory ($DIR) of user $USER is owned by $OWNER."
-                chown $USER $DIR
+                chown "$USER" "$DIR"
             fi
         fi
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify here exception for which owner of user's home directory is not the user
+# "home:user:owner home2:user2:owner2"
+EXCEPTIONS=""
+EOF
+}
 # This function will check config parameters required
 check_config() {
     :
@@ -66,8 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/13.14_check_duplicate_uid.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,27 +11,38 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Checking for duplicate UIDs."
+EXCEPTIONS=""
 
 ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
+    RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+    FOUND_EXCEPTIONS=""
+    for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate UID ($USERID): ${USERS}"
+        OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
+        USERID=$(awk -F: '{print $2}' <<< "$LINE")
+        if [ "$OCC_NUMBER" -gt 1 ]; then
+            USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERID" /etc/passwd | xargs)
+            ID_NAMES="($USERID): ${USERS}"
+            if echo "$EXCEPTIONS" | grep -qw "$USERID"; then
+                debug "$USERID is confirmed as an exception"
+                FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ID_NAMES"
+            else
+                ERRORS=$((ERRORS+1))
+                crit "Duplicate UID $ID_NAMES"
+            fi
         fi
-    done 
+    done
 
     if [ $ERRORS = 0 ]; then
-        ok "No duplicate UIDs"
-    fi 
+        ok "No duplicate UIDs${FOUND_EXCEPTIONS:+ apart from configured exceptions:}${FOUND_EXCEPTIONS}"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -39,9 +50,20 @@ apply () {
     info "Editing automatically uids may seriously harm your system, report only here"
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put here valid UIDs for which multiple usernames are accepted
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
-    :
+    if [ -z "$EXCEPTIONS" ]; then
+        EXCEPTIONS="@"
+    fi
 }
 
 # Source Root Dir Parameter
@@ -55,8 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/13.15_check_duplicate_gid.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,27 +11,30 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="There is no duplicate GIDs."
 
 ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
+    RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' )
+    for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        GROUPID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
+        OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
+        GROUPID=$(awk -F: '{print $2}' <<< "$LINE")
+        if [ "$OCC_NUMBER" -gt 1 ]; then
+            GROUP=$(awk -F: '($3 == n) { print $1 }' n="$GROUPID" /etc/group | xargs)
             ERRORS=$((ERRORS+1))
-            crit "Duplicate GID ($GROUPID): ${USERS}"
+            crit "Duplicate GID ($GROUPID): ${GROUP}"
         fi
-    done 
+    done
 
     if [ $ERRORS = 0 ]; then
         ok "No duplicate GIDs"
-    fi 
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -55,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/13.16_check_duplicate_username.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="There is no duplicate usernames."
 
 ERRORS=0
 

bin/hardening/13.17_check_duplicate_groupname.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="There is no duplicate group names."
 
 ERRORS=0
 

bin/hardening/13.18_find_user_netrc_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="There is no user .netrc files."
 
 ERRORS=0
 FILENAME='.netrc'

bin/hardening/13.19_find_user_forward_files.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="There is no user .forward files."
 
 ERRORS=0
 FILENAME='.forward'

bin/hardening/13.1_remove_empty_password_field.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,13 +12,14 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 
 FILE='/etc/shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if accounts have an empty password"
-    RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
     if [ ! -z "$RESULT" ]; then
         crit "Some accounts have an empty password"
         crit $RESULT

bin/hardening/13.20_shadow_group_empty.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
 
 ERRORS=0
 FILEGROUP='/etc/group'

bin/hardening/13.2_remove_legacy_passwd_entries.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/password file."
 
 FILE='/etc/passwd'
 RESULT=''

bin/hardening/13.3_remove_legacy_shadow_entries.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/shadow file."
 
 FILE='/etc/shadow'
 RESULT=''
@@ -19,7 +20,7 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if accounts have a legacy password entry"
-    if grep '^+:' $FILE -q; then
+    if $SUDO_CMD grep '^+:' $FILE -q; then
         RESULT=$(grep '^+:' $FILE)
         crit "Some accounts have a legacy password entry"
         crit $RESULT

bin/hardening/13.4_remove_legacy_group_entries.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/group file."
 
 FILE='/etc/group'
 RESULT=''

bin/hardening/13.5_find_0_uid_non_root_account.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,7 +11,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Verify root is the only UID 0 account."
+EXCEPTIONS=""
 
 FILE='/etc/passwd'
 RESULT=''
@@ -19,23 +23,24 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if accounts have uid 0"
-    RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
+    RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE" )
+    FOUND_EXCEPTIONS=""
     for ACCOUNT in $RESULT; do
         debug "Account : $ACCOUNT"
         debug "Exceptions : $EXCEPTIONS"
-        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+        debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
+        if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
             debug "$ACCOUNT is confirmed as an exception"
             RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
+            FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
         else
             debug "$ACCOUNT not found in exceptions"
         fi
     done
     if [ ! -z "$RESULT" ]; then
-        crit "Some accounts have uid 0"
-        crit $RESULT
+        crit "Some accounts have uid 0: $(tr '\n' ' ' <<< "$RESULT")"
     else
-        ok "No account with uid 0 appart from root and potential configured exceptions"
+        ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS"
     fi
 }
 
@@ -47,8 +52,8 @@ apply () {
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF
-status=disabled
-# Put here valid accounts with uid 0 separated by spaces
+status=audit
+# Put here valid accounts with uid 0 separated by spaces
 EXCEPTIONS=""
 EOF
 }
@@ -71,8 +76,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/13.6_sanitize_root_path.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure root path integrity."
 
 ERRORS=0
 

bin/hardening/13.7_check_user_dir_perm.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Check permissions on user home directories."
 
 ERRORS=0
 
@@ -91,7 +92,7 @@ apply () {
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF
-status=disabled
+status=audit
 # Put here user home directories exceptions, separated by spaces
 EXCEPTIONS=""
 EOF

bin/hardening/13.8_check_user_dot_file_perm.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Check user dot file permissions."
 
 ERRORS=0
 

bin/hardening/13.9_set_perm_on_user_netrc.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Check user permissions on .netrc file."
 
 PERMISSIONS="600"
 ERRORS=0

bin/hardening/2.10_home_nodev.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/home partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"

bin/hardening/2.11_removable_device_nodev.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="nodev option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/2.12_removable_device_noexec.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="noexec option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/2.13_removable_device_nosuid.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="nosuid option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/2.14_run_shm_nodev.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,7 +12,10 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -36,11 +41,11 @@ audit () {
             has_mounted_option $PARTITION $OPTION
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
@@ -58,7 +63,7 @@ apply () {
     elif [ $FNRET = 3 ]; then
         info "Remounting $PARTITION from fstab"
         remount_partition $PARTITION
-    fi 
+    fi
 }
 
 # This function will check config parameters required
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.15_run_shm_nosuid.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,7 +12,10 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -36,11 +41,11 @@ audit () {
             has_mounted_option $PARTITION $OPTION
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
@@ -58,7 +63,7 @@ apply () {
     elif [ $FNRET = 3 ]; then
         info "Remounting $PARTITION from fstab"
         remount_partition $PARTITION
-    fi 
+    fi
 }
 
 # This function will check config parameters required
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.16_run_shm_noexec.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -11,7 +12,10 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -36,11 +41,11 @@ audit () {
             has_mounted_option $PARTITION $OPTION
             if [ $FNRET -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
@@ -58,7 +63,7 @@ apply () {
     elif [ $FNRET = 3 ]; then
         info "Remounting $PARTITION from fstab"
         remount_partition $PARTITION
-    fi 
+    fi
 }
 
 # This function will check config parameters required
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.17_sticky_bit_world_writable_folder.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,11 +12,13 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if setuid is set on world writable Directories"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     if [ ! -z "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

bin/hardening/2.18_disable_cramfs.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of cramfs filesystems."
 
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"

bin/hardening/2.19_disable_freevxfs.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of freevxfs filesystems."
 
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"

bin/hardening/2.1_tmp_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/tmp on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/2.20_disable_jffs2.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of jffs2 filesystems."
 
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"

bin/hardening/2.21_disable_hfs.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfs filesystems."
 
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"

bin/hardening/2.22_disable_hfsplus.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfsplus filesystems."
 
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"

bin/hardening/2.23_disable_squashfs.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of squashfs filesytems."
 
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"

bin/hardening/2.24_disable_udf.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of udf filesystems."
 
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"

bin/hardening/2.25_disable_automounting.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable automounting of devices."
 
 SERVICE_NAME="autofs"
 

bin/hardening/2.2_tmp_nodev.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/2.3_tmp_nosuid.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/2.4_tmp_noexec.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/2.5_var_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var"

bin/hardening/2.6.1_var_tmp_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/2.6.2_var_tmp_nodev.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/2.6.3_var_tmp_nosuid.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/2.6.4_var_tmp_noexec.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/2.7_var_log_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/log on separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"

bin/hardening/2.8_var_log_audit_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=4
+DESCRIPTION="/var/log/audit on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"

bin/hardening/2.9_home_partition.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/home on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"

bin/hardening/3.1_bootloader_ownership.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="User and group root owner of grub bootloader config."
 
 # Assertion : Grub Based.
 

bin/hardening/3.2_bootloader_permissions.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=1
+DESCRIPTION="Permissions for root only on grub bootloader config."
 
 # Assertion : Grub Based.
 

bin/hardening/3.3_bootloader_password.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Setting bootloader password to secure boot parameters."
 
 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"

bin/hardening/3.4_root_password.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Root password for single user mode."
 
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"

bin/hardening/4.1_restrict_core_dumps.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,19 +12,36 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Restrict core dumps."
 
 LIMIT_FILE='/etc/security/limits.conf'
+LIMIT_DIR='/etc/security/limits.d'
 LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
 SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
-        crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
-    else
-        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
+    SEARCH_RES=0
+    LIMIT_FILES=""
+    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+        for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+        done
+    fi
+    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
+    for file in $LIMIT_FILE $LIMIT_FILES; do
+        does_pattern_exist_in_file $file $LIMIT_PATTERN
+        if [ $FNRET != 0 ]; then
+            debug "$LIMIT_PATTERN not present in $file"
+        else
+            ok "$LIMIT_PATTERN present in $file"
+            SEARCH_RES=1
+            break
+        fi
+    done
+    if [ $SEARCH_RES = 0 ]; then
+        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
     if [ $FNRET != 0 ]; then

bin/hardening/4.2_enable_nx_support.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
 
@@ -19,7 +20,7 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
 nx_supported_and_enabled() {
     if grep -q ' nx ' /proc/cpuinfo; then
         # NX supported, but if noexec=off specified, it's not enabled
-        if grep -qi 'noexec=off' /proc/cmdline; then
+        if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
             FNRET=1 # supported but disabled
         else
             FNRET=0 # supported and enabled

bin/hardening/4.3_enable_randomized_vm_placement.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2

bin/hardening/4.4_disable_prelink.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable prelink to prevent libraries compromission."
 
 PACKAGE='prelink'
 

bin/hardening/4.5_enable_apparmor.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Activate AppArmor to enforce permissions control."
 
 PACKAGE='apparmor'
 

bin/hardening/5.1.1_disable_nis.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 
 PACKAGE='nis'
 

bin/hardening/5.1.2_disable_rsh.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure rsh server is not enabled. Recommended alternative : sshd (openssh-server)."
 
 # Based on aptitude search '~Prsh-server'
 PACKAGES='rsh-server rsh-redone-server heimdal-servers'

bin/hardening/5.1.3_disable_rsh_client.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'

bin/hardening/5.1.4_disable_talk.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure talk server is not enabled."
 
 PACKAGES='inetutils-talkd talkd'
 FILE='/etc/inetd.conf'

bin/hardening/5.1.5_disable_talk_client.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure talk client is not installed."
 
 PACKAGES='talk inetutils-talk'
 

bin/hardening/5.1.6_disable_telnet_server.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
 
 # Based on  aptitude search '~Ptelnet-server'
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'

bin/hardening/5.1.7_disable_tftp_server.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure tftp-server is not enabled."
 
 PACKAGES='tftpd tftpd-hpa atftpd'
 FILE='/etc/inetd.conf'

bin/hardening/5.1.8_disable_inetd.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure xinetd is not enabled."
 
 PACKAGES='openbsd-inetd xinetd rlinetd'
 

bin/hardening/5.2_disable_chargen.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure chargen debugging network service is not enabled."
 
 FILE='/etc/inetd.conf'
 PATTERN='^chargen'

bin/hardening/5.3_disable_daytime.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure daytime debugging network service is not enabled."
 
 FILE='/etc/inetd.conf'
 PATTERN='^daytime'

bin/hardening/5.4_disable_echo.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure echo debugging network service is not enabled."
 
 FILE='/etc/inetd.conf'
 PATTERN='^echo'

bin/hardening/5.5_disable_discard.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure discard debugging network service is not enabled."
 
 FILE='/etc/inetd.conf'
 PATTERN='^discard'

bin/hardening/5.6_disable_time.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure time debugging network service is not enabled."
 
 FILE='/etc/inetd.conf'
 PATTERN='^time'

bin/hardening/6.10_disable_http_server.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP server is not enabled."
 HARDENING_EXCEPTION=http
 
 # Based on aptitude search '~Phttpd'

bin/hardening/6.11_disable_imap_pop.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure IMAP and POP servers are not enabled."
 HARDENING_EXCEPTION=mail
 
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'

bin/hardening/6.12_disable_samba.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Samba is not enabled."
 HARDENING_EXCEPTION=samba
 
 PACKAGES='samba'

bin/hardening/6.13_disable_http_proxy.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP-proxy is not enabled."
 HARDENING_EXCEPTION=http
 
 PACKAGES='squid3 squid'

bin/hardening/6.14_disable_snmp_server.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Enure SNMP server is not enabled."
 HARDENING_EXCEPTION=snmp
 
 PACKAGES='snmpd'

bin/hardening/6.15_mta_localhost.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
@@ -12,12 +12,13 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
 HARDENING_EXCEPTION=mail
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
     RESULT=${RESULT:-}
     debug "Result is $RESULT"
     if [ -z "$RESULT" ]; then