Update changelog

Renaming for 2.3.4 anbd 2.3.5 to have naming consistency.

	nouveau fichier : bin/hardening/2.2.18_disable_telnet_server.sh
	renommé :         bin/hardening/2.3.4_telnet_client_not_installed.sh -> bin/hardening/2.3.4_disable_telnet_client.sh
	renommé :         bin/hardening/2.3.5_ldap_client_not_installed.sh -> bin/hardening/2.3.5_disable_ldap_client.sh
	renommé :         tests/hardening/2.3.4_telnet_client_not_installed.sh -> tests/hardening/2.2.18_disable_telnet_server.sh
	renommé :         tests/hardening/2.3.5_ldap_client_not_installed.sh -> tests/hardening/2.3.4_disable_telnet_client.sh
	nouveau fichier : tests/hardening/2.3.5_disable_ldap_client.sh

README.md

@@ -1,6 +1,6 @@
-# CIS Debian 7/8 Hardening
+# CIS Debian 7/8/9 Hardening
 
-Modular Debian 7/8 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
 
 ```console
@@ -80,6 +80,15 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
+``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
+with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
+not prompt for a password.
+
+``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+captures all output to print only one line once the check is done, formatted like :
+OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 ## Hacking
 
 **Getting the source**
@@ -108,6 +117,39 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
+## Functional testing
+
+Functional tests are available. They are to be run in a Docker environment.
+
+```console
+$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
+```
+
+With `target` being like `debian8` or `debian9`.
+
+Running without script arguments will run all tests in `./tests/hardening/` directory.
+Or you can specify one or several test script to be run.
+
+This will build a new Docker image from the current state of the projet and run
+a container that will assess a blank Debian system compliance for each check.  
+For hardening audit points the audit is expected to fail, then be fixed so that
+running the audit a second time will succeed.  
+For vulnerable items, the audit is expected to succeed on a blank
+system, then the functional tests will introduce a weak point, that is expected
+to be detected when running the audit test a second time. Finally running the `apply`
+part of debian-cis script will restore a compliance state that is expected to be
+assed by running the audit check a third time.
+
+Functional tests can make use of the following helper functions :  
+
+* `describe <test description>`
+* `run <usecase> <audit_script> <audit_script_options>`
+* `register_test <test content (see below)>`
+  * `retvalshoudbe <integer>` check the script return value
+  * `contain "<SAMPLE TEXT>"` check that the output contains the following text
+
+In order to write your own functional test, you will find a code skeleton in
+`./src/skel.test`.
 
 ## Disclaimer
 

bin/hardening.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
 #
 
@@ -22,6 +22,8 @@ AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
+SUDO_MODE=''
+BATCH_MODE=''
 
 usage() {
     cat << EOF
@@ -83,6 +85,18 @@ OPTIONS:
         The test number is the numbered prefix of the script,
         i.e. the test number of 1.2_script_name.sh is 1.2.
 
+    --sudo
+        This option lets you audit your system as a normal user, but allows sudo
+        escalation to gain read-only access to root files. Note that you need to
+        provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+        the '-n' option instructs sudo not to prompt for a password.
+        Finally note that '--sudo' mode only works for audit mode.
+
+    --batch
+        While performing system audit, this option sets LOGLEVEL to 'ok' and
+        captures all output to print only one line once the check is done, formatted like :
+        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 EOF
     exit 0
 }
@@ -124,6 +138,13 @@ while [[ $# > 0 ]]; do
             TEST_LIST[${#TEST_LIST[@]}]="$2"
             shift
         ;;
+        --sudo)
+            SUDO_MODE='--sudo'
+        ;;
+        --batch)
+            BATCH_MODE='--batch'
+            LOGLEVEL=ok
+        ;;
         -h|--help)
             usage
         ;;
@@ -134,6 +155,11 @@ while [[ $# > 0 ]]; do
     shift
 done
 
+# if no RUN_MODE was passed, usage and quit
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+    usage
+fi
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening
@@ -149,6 +175,8 @@ fi
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
 
+if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
     declare -a HARDENING_EXCEPTIONS_LIST
@@ -188,7 +216,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
         # --only X has been specified at least once, is this script in my list ?
         SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
-        if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi
@@ -197,14 +225,14 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     info "Treating $SCRIPT"
 
     if [ $AUDIT = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
-        $SCRIPT --audit
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
+        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
     elif [ $APPLY = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
         $SCRIPT
@@ -239,14 +267,31 @@ done
 
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
 
-printf "%40s\n" "################### SUMMARY ###################"
-printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
-printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-    printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ $BATCH_MODE ]; then
+    BATCH_SUMMARY="AUDIT_SUMMARY "
+    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
+    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
+    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
+    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
+    else
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
+    fi
+    becho $BATCH_SUMMARY
 else
+    printf "%40s\n" "################### SUMMARY ###################"
+    printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+    
+    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    printf "%30s %s %%\n"   "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
+    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+        printf "%30s %s %%\n"   "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
+    else
         printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+    fi
 fi

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of freevxfs filesystems."
 
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
@@ -25,7 +26,6 @@ audit () {
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
@@ -36,7 +36,6 @@ apply () {
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of jffs2 filesystems."
 
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
@@ -25,7 +26,6 @@ audit () {
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
@@ -36,7 +36,6 @@ apply () {
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfs filesystems."
 
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
@@ -25,7 +26,6 @@ audit () {
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
@@ -36,7 +36,6 @@ apply () {
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfsplus filesystems."
 
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
@@ -25,7 +26,6 @@ audit () {
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
@@ -36,7 +36,6 @@ apply () {
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.5_disable_udf.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.24 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of udf filesystems."
 
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
@@ -25,7 +26,6 @@ audit () {
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
@@ -36,7 +36,6 @@ apply () {
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.6_disable_cramfs.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
+# 1.1.1.6 Disable Mounting of cramfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of cramfs filesystems."
 
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"

bin/hardening/1.1.1.7_disable_squashfs.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of squashfs filesytems."
 
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"

bin/hardening/1.1.10_var_tmp_noexec.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
+# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/1.1.11_var_log_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.7 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Create Separate Partition for /var/log (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/log on separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
@@ -34,8 +35,6 @@ audit () {
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.8 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=4
+DESCRIPTION="/var/log/audit on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
@@ -34,8 +35,6 @@ audit () {
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/1.1.13_home_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.9 Create Separate Partition for /home (Scored)
+# 1.1.13 Create Separate Partition for /home (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/home on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"
@@ -34,8 +35,6 @@ audit () {
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/1.1.14_home_nodev.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.10 Add nodev Option to /home (Scored)
+# 1.1.14 Ensure nodev Option set on /home (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/home partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.14 Add nodev Option to /run/shm Partition (Scored)
+# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.16 Add noexec Option to /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
@@ -20,6 +24,7 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
     if [ $FNRET -gt 0 ]; then
@@ -78,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="nodev option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="nosuid option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="noexec option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,22 +1,24 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
+# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if setuid is set on world writable Directories"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     if [ ! -z "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

bin/hardening/1.1.22_disable_automounting.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.25 Disable Automounting (Scored)
+# 1.1.22 Disable Automounting (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable automounting of devices."
 
 SERVICE_NAME="autofs"
 

bin/hardening/1.1.2_tmp_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.1 Create Separate Partition for /tmp (Scored)
+# 1.1.2 Ensure /tmp is configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure /tmp is configured (Scored)"
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
@@ -34,8 +35,6 @@ audit () {
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/1.1.3_tmp_nodev.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/1.1.4_tmp_nosuid.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.3 Set nosuid option for /tmp Partition (Scored)
+# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/1.1.5_tmp_noexec.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.4 Set noexec option for /tmp Partition (Scored)
+# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

bin/hardening/1.1.6_var_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.5 Create Separate Partition for /var (Scored)
+# 1.1.6 Create Separate Partition for /var (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var"

bin/hardening/1.1.7_var_tmp_partition.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.1 Create Separate Partition for /var/tmp (Scored)
+# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/1.1.8_var_tmp_nodev.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
+# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/1.1.9_var_tmp_nosuid.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
+# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

bin/hardening/1.4.1_bootloader_ownership.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=1
+DESCRIPTION="User and group root owner of grub bootloader config."
+
+# Assertion : Grub Based.
+
+FILE='/boot/grub/grub.cfg'
+USER='root'
+GROUP='root'
+PERMISSIONS='400'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi 
+
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        info "fixing $FILE ownership to $USER:$GROUP"
+        chown $USER:$GROUP $FILE
+    fi
+
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+
+    is_pkg_installed "grub-pc"
+    if [ $FNRET != 0 ]; then
+        warn "Grub is not installed, not handling configuration"
+        exit 128
+    fi
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.4.2_bootloader_password.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 3.3 Set Boot Loader Password (Scored)
+# 1.4.2 Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Setting bootloader password to secure boot parameters."
 
 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"

bin/hardening/1.4.3_root_password.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 3.4 Require Authentication for Single-User Mode (Scored)
+# 1.4.3 Ensure authentication required for single user mode (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Root password for single user mode."
 
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"

bin/hardening/1.5.1_restrict_core_dumps.sh

@@ -1,30 +1,47 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.1 Restrict Core Dumps (Scored)
+# 1.5.1 Ensure core dumps are restricted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Restrict core dumps."
 
 LIMIT_FILE='/etc/security/limits.conf'
+LIMIT_DIR='/etc/security/limits.d'
 LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
 SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
+    SEARCH_RES=0
+    LIMIT_FILES=""
+    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+        for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+        done
+    fi
+    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
+    for file in $LIMIT_FILE $LIMIT_FILES; do
+        does_pattern_exist_in_file $file $LIMIT_PATTERN
         if [ $FNRET != 0 ]; then
-        crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
+            debug "$LIMIT_PATTERN not present in $file"
         else
-        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
+            ok "$LIMIT_PATTERN present in $file"
+            SEARCH_RES=1
+            break
+        fi
+    done
+    if [ $SEARCH_RES = 0 ]; then
+        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
     if [ $FNRET != 0 ]; then

bin/hardening/1.5.2_enable_nx_support.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
 
@@ -19,7 +20,7 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
 nx_supported_and_enabled() {
     if grep -q ' nx ' /proc/cpuinfo; then
         # NX supported, but if noexec=off specified, it's not enabled
-        if grep -qi 'noexec=off' /proc/cmdline; then
+        if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
             FNRET=1 # supported but disabled
         else
             FNRET=0 # supported and enabled

bin/hardening/1.5.3_enable_randomized_vm_placement.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2

bin/hardening/1.5.4_disable_prelink.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.4 Disable Prelink (Scored)
+# 1.5.4 Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable prelink to prevent libraries compromission."
 
 PACKAGE='prelink'
 

bin/hardening/1.7.1.1_remove_os_info_motd.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from motd"
+
+FILE='/etc/motd'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file $FILE $PATTERN
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.2_remove_os_info_issue.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from Login Warning Banners."
+
+FILE='/etc/issue'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file $FILE $PATTERN
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.3_remove_os_info_issue_net.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from remote Login Warning Banners."
+
+FILE='/etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ $FNRET = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file $FILE $PATTERN
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.4_motd_perms.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/motd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        continue
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.5_etc_issue_perms.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        continue
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.6_etc_issue_net_perms.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        crit "$FILE does not exist"
+        continue
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.2_graphical_warning_banners.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 1.7.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Set graphical warning banner."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/1.8_install_updates.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/11.2_remove_os_info_warning_banners.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-FILES='/etc/motd /etc/issue /etc/issue.net'
-PATTERN='(\\v|\\r|\\m|\\s)'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            crit "$PATTERN is present in $FILE"
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            warn "$PATTERN is present in $FILE"
-            delete_line_in_file $FILE $PATTERN
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.1_etc_passwd_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.1 Verify Permissions on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.2_etc_shadow_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.2 Verify Permissions on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-PERMISSIONS='640'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.3_etc_group_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.3 Verify Permissions on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.4_etc_passwd_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.5_etc_shadow_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-USER='root'
-GROUP='shadow'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.6_etc_group_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.6 Verify User/Group Ownership on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.13_check_user_homedir_ownership.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.13 Check User Home Directory Ownership (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE)
-        DIR=$(awk -F: {'print $3'} <<< $LINE)    
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
-                ERRORS=$((ERRORS+1))
-            fi
-        fi
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "All home directories have correct ownership"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                warn "The home directory ($DIR) of user $USER is owned by $OWNER."
-                chown $USER $DIR
-            fi
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.14_check_duplicate_uid.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.14 Check for Duplicate UIDs (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate UID ($USERID): ${USERS}"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate UIDs"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically uids may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/2.1.1_disable_xinetd.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.1.1 Ensure xinetd is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure xinetd is not enabled."
+
+PACKAGE='xinetd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET = 0 ]; then
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET = 0 ]; then
+        warn "$PACKAGE is installed, purging"
+        apt-get purge $PACKAGE -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.1.2_disable_bsd_inetd.sh

@@ -1,19 +1,20 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.8 Ensure xinetd is not enabled (Scored)
+# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure bsd-inetd is not enabled."
 
-PACKAGES='openbsd-inetd xinetd rlinetd'
+PACKAGES='openbsd-inetd inetutils-inetd'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    FOUND=false
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            ok "Time synchronization is available through $PACKAGE"
+            FOUND=true
+        fi
+    done
+    if [  "$FOUND" = false ]; then
+        crit "None of the following time sync packages are installed: $PACKAGES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
+

bin/hardening/2.2.1.2_configure_ntp.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.5 Configure Network Time Protocol (NTP) (Scored)
+# 2.2.1.2 Ensure ntp is configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 HARDENING_EXCEPTION=ntp
 
 PACKAGE='ntp'

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+        if [ $FNRET != 0 ]; then
+            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+        else
+            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.10_disable_http_server.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.10 Ensure HTTP Server is not enabled (Not Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP server is not enabled."
 HARDENING_EXCEPTION=http
 
 # Based on aptitude search '~Phttpd'

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure IMAP and POP servers are not installed"
 HARDENING_EXCEPTION=mail
 
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'

bin/hardening/2.2.12_disable_samba.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.12 Ensure Samba is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Ensure Samba is not enabled."
+HARDENING_EXCEPTION=samba
+
+PACKAGES='samba'
+SERVICE='smbd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+    is_service_enabled $SERVICE
+    if [ $FNRET = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+    else
+        ok "Service $SERVICE is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge $PACKAGE -y
+            apt-get autoremove
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+    is_service_enabled $SERVICE
+    if [ $FNRET = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+        systemctl disable $SERVICE
+    else
+        ok "Service $SERVICE is disabled"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP-proxy is not enabled."
 HARDENING_EXCEPTION=http
 
 PACKAGES='squid3 squid'

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+# 2.2.14 Ensure SNMP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Enure SNMP server is not enabled."
 HARDENING_EXCEPTION=snmp
 
 PACKAGES='snmpd'

bin/hardening/2.2.15_mta_localhost.sh

@@ -1,23 +1,24 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
 HARDENING_EXCEPTION=mail
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
     RESULT=${RESULT:-}
     debug "Result is $RESULT"
     if [ -z "$RESULT" ]; then

bin/hardening/2.2.16_disable_rsync.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.16 Ensure rsync service is not enabled (Scored)
+# 2.2.16 Ensure rsync service is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure rsync service is not enabled."
 HARDENING_EXCEPTION=rsync
 
 PACKAGE='rsync'

bin/hardening/2.2.18_disable_telnet_server.sh

@@ -1,17 +1,20 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# Legacy CIS Debian Hardening
 #
 
 #
-# 5.1.6 Ensure telnet server is not enabled (Scored)
+# 2.2.18 Ensure telnet server is not enabled (Scored)
 #
 
+# Note: this check is not anymore in CIS hardening but we decided to keep it anyway
+
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
 
 # Based on  aptitude search '~Ptelnet-server'
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.1 Ensure the X Window system is not installed (Scored)
+# 2.2.2 Ensure the X Window system is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure the X Window system is not installed."
 HARDENING_EXCEPTION=x11
 
 # Based on aptitude search '~Pxserver'

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.2 Ensure Avahi Server is not enabled (Scored)
+# 2.2.3 Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Avahi server is not enabled."
 
 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
 

bin/hardening/2.2.4_disable_print_server.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.3 Ensure print server is not enabled (Not Scored)
+# 2.2.4 Ensure CUPS is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
 HARDENING_EXCEPTION=cups
 
 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'

bin/hardening/2.2.5_disable_dhcp.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.4 Ensure DHCP Server is not enabled (Scored)
+# 2.2.5 Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure DHCP server is not enabled."
 HARDENING_EXCEPTION=dhcp
 
 PACKAGES='udhcpd isc-dhcp-server'

bin/hardening/2.2.6_disable_ldap.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.6 Ensure LDAP is not enabled (Not Scored)
+# 2.2.6 Ensure LDAP server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure LDAP is not enabled."
 HARDENING_EXCEPTION=ldap
 
 PACKAGES='slapd'

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
+# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 HARDENING_EXCEPTION=nfs
 
 PACKAGES='rpcbind nfs-kernel-server'

bin/hardening/2.2.8_disable_dns_server.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.8 Ensure DNS Server is not enabled (Not Scored)
+# 2.2.8 Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 HARDENING_EXCEPTION=dns
 
 PACKAGES='bind9 unbound'

bin/hardening/2.2.9_disable_ftp.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.9 Ensure FTP Server is not enabled (Not Scored)
+# 2.2.9 Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
 HARDENING_EXCEPTION=ftp
 
 # Based on aptitude search '~Pftp-server'

bin/hardening/2.3.1_disable_nis.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.1 Ensure NIS is not installed (Scored)
+# 2.3.1 Ensure NIS client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 
 PACKAGE='nis'
 

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.3 Ensure rsh client is not installed (Scored)
+# 2.3.2 Ensure rsh client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'

bin/hardening/2.3.3_disable_talk_client.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.5 Ensure talk client is not installed (Scored)
+# 2.3.3 Ensure talk client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure talk client is not installed."
 
 PACKAGES='talk inetutils-talk'
 

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -1,27 +1,27 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.12 Ensure Samba is not enabled (Not Scored)
+# 2.3.4 Ensure telnet client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-HARDENING_LEVEL=3
-HARDENING_EXCEPTION=samba
+HARDENING_LEVEL=2
+DESCRIPTION="Ensure telnet client is not installed."
 
-PACKAGES='samba'
+PACKAGES='telnet'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed $PACKAGE
         if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed!"
+            crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
         fi
@@ -33,7 +33,7 @@ apply () {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed $PACKAGE
         if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed, purging it"
+            warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
             apt-get autoremove
         else

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.5 Ensure LDAP client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+DESCRIPTION="Ensure ldap client is not installed."
+
+PACKAGES='ldap-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            warn "$PACKAGE is installed, purging"
+            apt-get purge $PACKAGE -y
+            apt-get autoremove
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 3.1.1 Ensure IP forwarding is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+HARDENING_EXCEPTION=gw
+DESCRIPTION="Disable IP forwarding."
+
+SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            if [ $FNRET != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+            elif [ $FNRET = 255 ]; then
+                warn "$SYSCTL_PARAM does not exist -- Typo?"
+            else
+                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+            fi
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        if [ $FNRET != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            sysctl -w net.ipv4.route.flush=1 > /dev/null
+        elif [ $FNRET = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/3.1.2_disable_send_packet_redirects.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.1.2 Disable Send Packet Redirects (Scored)
+# 3.1.2 Ensure packet redirect sending is disabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
 
 #net.ipv4.conf.all.send_redirects = 0
 #net.ipv4.conf.default.send_redirects = 0

bin/hardening/3.1_bootloader_ownership.sh

@@ -1,84 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 3.1 Set User/Group Owner on bootloader config (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-# Assertion : Grub Based.
-
-FILE='/boot/grub/grub.cfg'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-
-    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
-        warn "Grub is not installed, not handling configuration"
-        exit 128
-    fi
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/3.2.1_disable_source_routed_packets.sh

@@ -1,23 +1,26 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+# 3.2.1 Ensure source routed packets are not accepted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
-
-SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0'
+DESCRIPTION="Disable source routed packet acceptance."
+# set in config file
+SYSCTL_PARAMS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
@@ -29,6 +32,7 @@ audit () {
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
+        fi
     done
 }
 
@@ -51,6 +55,14 @@ apply () {
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0"
+EOF
+}
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/3.2.2_disable_icmp_redirect.sh

@@ -1,26 +1,30 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
-
-SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0'
+DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
+# set in config file
+SYSCTL_PARAMS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+            
             has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             if [ $FNRET != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@@ -29,6 +33,7 @@ audit () {
             else
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
+        fi
     done
 }
 
@@ -51,6 +56,14 @@ apply () {
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
+EOF
+}
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/3.2.3_disable_secure_icmp_redirect.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."
 
 SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
 

bin/hardening/3.2.4_log_martian_packets.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.4 Log Suspicious Packets (Scored)
+# 3.2.4 Ensure suspicious packets are logged (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Log suspicious packets, like spoofed packets."
 
 SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
 

bin/hardening/3.2.5_ignore_broadcast_requests.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
 
 SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
 

bin/hardening/3.2.6_enable_bad_error_message_protection.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.6 Enable Bad Error Message Protection (Scored)
+# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
 
 SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
 

bin/hardening/3.2.7_enable_source_route_validation.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable RFC-recommended source route validation."
 
 SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
 

bin/hardening/3.2.8_enable_tcp_syn_cookies.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.2.8 Enable TCP SYN Cookies (Scored)
+# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
 
 SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
 

bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable IPv6 router advertisements."
 
 SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 

bin/hardening/3.2_bootloader_permissions.sh

@@ -1,71 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 3.2 Set Permissions on bootloader config (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-# Assertion : Grub Based.
-
-FILE='/boot/grub/grub.cfg'
-PERMISSIONS='400'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
-    fi
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/3.3.1_install_tcp_wrapper.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.4.1 Install TCP Wrappers (Scored)
+# 3.3.1 Ensure TCP Wrappers is installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."
 
 PACKAGE='tcpd'
 

bin/hardening/3.3.2_hosts_allow.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.4.2 Create /etc/hosts.allow (Not Scored)
+# 3.3.2 Ensure /etc/hosts.allow is configured (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Create /etc/hosts.allow ."
 
 FILE='/etc/hosts.allow'
 

bin/hardening/3.3.3_hosts_deny.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.4.4 Create /etc/hosts.deny (Not Scored)
+# 3.3.3 Ensure /etc/hosts.deny is configured (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Create /etc/hosts.deny ."
 
 FILE='/etc/hosts.deny'
 PATTERN='ALL: ALL'

bin/hardening/3.3.4_hosts_allow_permissions.sh

@@ -1,20 +1,23 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
+# 3.3.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ."
 
 FILE='/etc/hosts.allow'
 PERMISSIONS='644'
+USER='root'
+GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -24,6 +27,12 @@ audit () {
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
     fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/3.3.5_hosts_deny_permissions.sh

@@ -1,20 +1,23 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored)
+# 3.3.5 Verify Permissions on /etc/hosts.deny (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=3
+DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ."
 
 FILE='/etc/hosts.deny'
 PERMISSIONS='644'
+USER='root'
+GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -24,6 +27,12 @@ audit () {
     else
         crit "$FILE permissions were not set to $PERMISSIONS"
     fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode

bin/hardening/3.4.1_disable_dccp.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.5.3 Disable RDS (Not Scored)
+# 3.4.1 Ensure DCCP is disabled (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/3.4.2_disable_sctp.sh

@@ -1,17 +1,18 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.5.2 Disable SCTP (Not Scored)
+# 3.4.2 Ensure SCTP is disabled (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {