Update changelog

Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.

.gitignore

@@ -0,0 +1 @@
+tmp/shfmt

README.md

@@ -1,6 +1,6 @@
-# CIS Debian 7/8 Hardening
+# CIS Debian 7/8/9 Hardening
 
-Modular Debian 7/8 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
 
 ```console
@@ -80,6 +80,15 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
+``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
+with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
+not prompt for a password.
+
+``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+captures all output to print only one line once the check is done, formatted like :
+OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 ## Hacking
 
 **Getting the source**
@@ -108,6 +117,39 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
+## Functional testing
+
+Functional tests are available. They are to be run in a Docker environment.
+
+```console
+$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
+```
+
+With `target` being like `debian8` or `debian9`.
+
+Running without script arguments will run all tests in `./tests/hardening/` directory.
+Or you can specify one or several test script to be run.
+
+This will build a new Docker image from the current state of the projet and run
+a container that will assess a blank Debian system compliance for each check.  
+For hardening audit points the audit is expected to fail, then be fixed so that
+running the audit a second time will succeed.  
+For vulnerable items, the audit is expected to succeed on a blank
+system, then the functional tests will introduce a weak point, that is expected
+to be detected when running the audit test a second time. Finally running the `apply`
+part of debian-cis script will restore a compliance state that is expected to be
+assed by running the audit check a third time.
+
+Functional tests can make use of the following helper functions :  
+
+* `describe <test description>`
+* `run <usecase> <audit_script> <audit_script_options>`
+* `register_test <test content (see below)>`
+  * `retvalshoudbe <integer>` check the script return value
+  * `contain "<SAMPLE TEXT>"` check that the output contains the following text
+
+In order to write your own functional test, you will find a code skeleton in
+`./src/skel.test`.
 
 ## Disclaimer
 

bin/hardening.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
 #
 
@@ -9,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #
 
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@@ -20,11 +21,14 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
+SUDO_MODE=''
+BATCH_MODE=''
 
 usage() {
-    cat << EOF
+    cat <<EOF
 $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
 
     --help -h
@@ -74,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit
 
 OPTIONS:
 
@@ -83,6 +91,18 @@ OPTIONS:
         The test number is the numbered prefix of the script,
         i.e. the test number of 1.2_script_name.sh is 1.2.
 
+    --sudo
+        This option lets you audit your system as a normal user, but allows sudo
+        escalation to gain read-only access to root files. Note that you need to
+        provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+        the '-n' option instructs sudo not to prompt for a password.
+        Finally note that '--sudo' mode only works for audit mode.
+
+    --batch
+        While performing system audit, this option sets LOGLEVEL to 'ok' and
+        captures all output to print only one line once the check is done, formatted like :
+        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
 EOF
     exit 0
 }
@@ -94,159 +114,205 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST
 
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
     ARG="$1"
     case $ARG in
-        --audit)
-            AUDIT=1
+    --audit)
+        AUDIT=1
         ;;
-        --audit-all)
-            AUDIT_ALL=1
+    --audit-all)
+        AUDIT_ALL=1
         ;;
-        --audit-all-enable-passed)
-            AUDIT_ALL_ENABLE_PASSED=1
+    --audit-all-enable-passed)
+        AUDIT_ALL_ENABLE_PASSED=1
         ;;
-        --apply)
-            APPLY=1
+    --apply)
+        APPLY=1
         ;;
-        --allow-service-list)
-            ALLOW_SERVICE_LIST=1
+    --allow-service-list)
+        ALLOW_SERVICE_LIST=1
         ;;
-        --allow-service)
-            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
-            shift
+    --create-config-files-only)
+        CREATE_CONFIG=1
         ;;
-        --set-hardening-level)
-            SET_HARDENING_LEVEL="$2"
-            shift
+    --allow-service)
+        ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+        shift
         ;;
-        --only)
-            TEST_LIST[${#TEST_LIST[@]}]="$2"
-            shift
+    --set-hardening-level)
+        SET_HARDENING_LEVEL="$2"
+        shift
         ;;
-        -h|--help)
-            usage
+    --only)
+        TEST_LIST[${#TEST_LIST[@]}]="$2"
+        shift
         ;;
-        *)
-            usage
+    --sudo)
+        SUDO_MODE='--sudo'
+        ;;
+    --batch)
+        BATCH_MODE='--batch'
+        LOGLEVEL=ok
+        ;;
+    -h | --help)
+        usage
+        ;;
+    *)
+        usage
         ;;
     esac
     shift
 done
 
+# if no RUN_MODE was passed, usage and quit
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
+    usage
+fi
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
+# shellcheck source=../lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+# shellcheck source=../etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+# shellcheck source=../lib/common.sh
+[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
+# shellcheck source=../lib/utils.sh
+[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 
-[ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
+if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
 
 # If --allow-service-list is specified, don't run anything, just list the supported services
-if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
+if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
     declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
         template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
         [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
     done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
     exit 0
 fi
 
 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
-    if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
+    if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
         echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
         exit 1
     fi
 
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
         script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
-        if [ -z "$script_level" ] ; then
+        if [ -z "$script_level" ]; then
             echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
             continue
         fi
         wantedstatus=disabled
         [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
     done
     echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
     exit 0
 fi
 
+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
+for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
-        if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi
     fi
 
     info "Treating $SCRIPT"
-    
-    if [ $AUDIT = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
-        $SCRIPT --audit
-    elif [ $AUDIT_ALL = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
-    elif [ $APPLY = 1 ]; then
+    if [ "$CREATE_CONFIG" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+    elif [ "$AUDIT" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$APPLY" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+        "$SCRIPT"
     fi
 
     SCRIPT_EXITCODE=$?
 
     debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
     case $SCRIPT_EXITCODE in
-        0)
-            debug "$SCRIPT passed"
-            PASSED_CHECKS=$((PASSED_CHECKS+1))
-            if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
-                SCRIPT_BASENAME=$(basename $SCRIPT .sh)
-                sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
-                info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
-            fi
-        ;;    
-        1)
-            debug "$SCRIPT failed"
-            FAILED_CHECKS=$((FAILED_CHECKS+1))
+    0)
+        debug "$SCRIPT passed"
+        PASSED_CHECKS=$((PASSED_CHECKS + 1))
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
+            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+        fi
         ;;
-        2)
-            debug "$SCRIPT is disabled"
-            DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+    1)
+        debug "$SCRIPT failed"
+        FAILED_CHECKS=$((FAILED_CHECKS + 1))
+        ;;
+    2)
+        debug "$SCRIPT is disabled"
+        DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
         ;;
     esac
 
-    TOTAL_CHECKS=$((TOTAL_CHECKS+1))
- 
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
+
 done
 
-TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
 
-printf "%40s\n" "################### SUMMARY ###################"
-printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
-printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-    printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ "$BATCH_MODE" ]; then
+    BATCH_SUMMARY="AUDIT_SUMMARY "
+    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
+    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
+    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
+    else
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
+    fi
+    becho "$BATCH_SUMMARY"
 else
-    printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 
+    printf "%40s\n" "################### SUMMARY ###################"
+    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+
+    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
+    else
+        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+    fi
 fi

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -1,42 +1,43 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of freevxfs filesystems."
 
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required
@@ -46,17 +47,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -1,42 +1,43 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of jffs2 filesystems."
 
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required
@@ -46,17 +47,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -1,42 +1,43 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfs filesystems."
 
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required
@@ -46,17 +47,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -1,42 +1,43 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfsplus filesystems."
 
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required
@@ -46,17 +47,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.5_disable_udf.sh

@@ -1,42 +1,43 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.24 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of udf filesystems."
 
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
     fi
-    :
 }
 
 # This function will check config parameters required
@@ -46,17 +47,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.6_disable_cramfs.sh

@@ -1,26 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
+# 1.1.1.6 Disable Mounting of cramfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of cramfs filesystems."
 
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -29,9 +32,9 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -46,17 +49,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.1.7_disable_squashfs.sh

@@ -1,26 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of squashfs filesytems."
 
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"
     else
         ok "$KERNEL_OPTION is disabled"
@@ -29,9 +32,9 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
     else
         ok "$KERNEL_OPTION is disabled, nothing to do"
@@ -46,17 +49,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.10_var_tmp_noexec.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
+# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="noexec"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.11_var_log_partition.sh

@@ -1,52 +1,54 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.7 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Create Separate Partition for /var/log (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log on separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +60,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -1,52 +1,53 @@
 #!/bin/bash
 
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.8 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +59,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.13_home_partition.sh

@@ -1,52 +1,54 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.9 Create Separate Partition for /home (Scored)
+# 1.1.13 Create Separate Partition for /home (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/home on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +60,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.14_home_nodev.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.10 Add nodev Option to /home (Scored)
+# 1.1.14 Ensure nodev Option set on /home (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/home partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 OPTION="nodev"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -1,64 +1,69 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.14 Add nodev Option to /run/shm Partition (Scored)
+# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nodev"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +74,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -1,64 +1,69 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nosuid"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +74,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -1,64 +1,69 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.16 Add noexec Option to /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="noexec"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
+    PARTITION=$(readlink -e "$PARTITION")
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +74,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="nodev option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 
@@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nodev"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying if there is $PARTITION like partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         ok "There is no partition like $PARTITION"
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }
 
 # This function will check config parameters required
@@ -57,17 +61,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="nosuid option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 
@@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nosuid"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying if there is $PARTITION like partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         ok "There is no partition like $PARTITION"
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }
 
 # This function will check config parameters required
@@ -57,17 +61,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="noexec option for removable media partitions."
 
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
 
@@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="noexec"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying if there is $PARTITION like partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         ok "There is no partition like $PARTITION"
         FNRET=0
     else
         info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }
 
 # This function will check config parameters required
@@ -57,17 +61,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,25 +1,32 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
+# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Checking if setuid is set on world writable Directories"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
+    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    # shellcheck disable=SC2086
+    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        # shellcheck disable=SC2001
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "All world writable directories have a sticky bit"
@@ -27,10 +34,10 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+apply() {
+    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$RESULT" ]; then
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
     else
         ok "All world writable directories have a sticky bit, nothing to apply"
     fi
@@ -44,17 +51,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.22_disable_automounting.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.25 Disable Automounting (Scored)
+# 1.1.22 Disable Automounting (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable automounting of devices."
 
 SERVICE_NAME="autofs"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
         crit "$SERVICE_NAME is enabled"
     else
         ok "$SERVICE_NAME is disabled"
@@ -27,12 +31,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
         info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
     else
         ok "$SERVICE_NAME is disabled"
     fi
@@ -45,17 +49,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.2_tmp_partition.sh

@@ -1,52 +1,54 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.1 Create Separate Partition for /tmp (Scored)
+# 1.1.2 Ensure /tmp is configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure /tmp is configured (Scored)"
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
-    :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +60,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.3_tmp_nodev.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nodev"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.4_tmp_nosuid.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.3 Set nosuid option for /tmp Partition (Scored)
+# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nosuid"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.5_tmp_noexec.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.4 Set noexec option for /tmp Partition (Scored)
+# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with noexec option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="noexec"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.6_var_partition.sh

@@ -1,52 +1,56 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.5 Create Separate Partition for /var (Scored)
+# 1.1.6 Create Separate Partition for /var (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
+
     :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +62,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.7_var_tmp_partition.sh

@@ -1,52 +1,56 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.1 Create Separate Partition for /var/tmp (Scored)
+# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp on a separate partition."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
         is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
             warn "$PARTITION is not mounted"
             FNRET=1
         else
             ok "$PARTITION is mounted"
         fi
     fi
-     
+
     :
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
     else
         info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
     fi
 }
 
@@ -58,17 +62,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.8_var_tmp_nodev.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
+# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with nodev option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nodev"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.1.9_var_tmp_nosuid.sh

@@ -1,64 +1,68 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
+# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with nosuid option."
 
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nosuid"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Verifying that $PARTITION is a partition"
     FNRET=0
     is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$PARTITION is not a partition"
         FNRET=2
     else
         ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
             crit "$PARTITION has no option $OPTION in fstab!"
             FNRET=1
         else
             ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                 warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
             else
                 ok "$PARTITION mounted with $OPTION"
             fi
-        fi       
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
         ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
         crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
         info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
         info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }
 
 # This function will check config parameters required
@@ -69,17 +73,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.4.1_bootloader_ownership.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User and group root owner of grub bootloader config."
+
+# Assertion : Grub Based.
+
+FILE='/boot/grub/grub.cfg'
+USER='root'
+GROUP='root'
+PERMISSIONS='400'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        info "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+
+    is_pkg_installed "grub-pc"
+    if [ "$FNRET" != 0 ]; then
+        warn "Grub is not installed, not handling configuration"
+        exit 128
+    fi
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.4.2_bootloader_password.sh

@@ -1,32 +1,36 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 3.3 Set Boot Loader Password (Scored)
+# 1.4.2 Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Setting bootloader password to secure boot parameters."
 
 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
         crit "$USER_PATTERN not present in $FILE"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
         crit "$PWD_PATTERN not present in $FILE"
     else
         ok "$PWD_PATTERN is present in $FILE"
@@ -34,15 +38,15 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
         warn "$USER_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
         warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$PWD_PATTERN is present in $FILE"
@@ -53,11 +57,11 @@ apply () {
 # This function will check config parameters required
 check_config() {
     is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "grub-pc is not installed, not handling configuration"
         exit 128
     fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
         exit 128
     fi
@@ -65,17 +69,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.4.3_root_password.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 3.4 Require Authentication for Single-User Mode (Scored)
+# 1.4.3 Ensure authentication required for single user mode (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Root password for single user mode."
 
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
         crit "$PATTERN is present in $FILE"
     else
         ok "$PATTERN is not present in $FILE"
@@ -27,9 +31,9 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
         warn "$PATTERN is present in $FILE, please put a root password"
     else
         ok "$PATTERN is not present in $FILE"
@@ -44,17 +48,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.1_restrict_core_dumps.sh

@@ -1,35 +1,55 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.1 Restrict Core Dumps (Scored)
+# 1.5.1 Ensure core dumps are restricted (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Restrict core dumps."
 
 LIMIT_FILE='/etc/security/limits.conf'
+LIMIT_DIR='/etc/security/limits.d'
 LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
 SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
-        crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
-    else
-        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
+audit() {
+    SEARCH_RES=0
+    LIMIT_FILES=""
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
+        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
+            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+        done
+    fi
+    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
+    for file in $LIMIT_FILE $LIMIT_FILES; do
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            debug "$LIMIT_PATTERN not present in $file"
+        else
+            ok "$LIMIT_PATTERN present in $file"
+            SEARCH_RES=1
+            break
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -37,23 +57,23 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
         warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
         add_end_of_file $LIMIT_FILE "* hard core 0"
     else
         ok "$LIMIT_PATTERN present in $LIMIT_FILE"
     fi
     has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
         warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi 
+    fi
 
 }
 
@@ -64,17 +84,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.2_enable_nx_support.sh

@@ -1,17 +1,21 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
 
@@ -19,7 +23,7 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
 nx_supported_and_enabled() {
     if grep -q ' nx ' /proc/cpuinfo; then
         # NX supported, but if noexec=off specified, it's not enabled
-        if grep -qi 'noexec=off' /proc/cmdline; then
+        if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
             FNRET=1 # supported but disabled
         else
             FNRET=0 # supported and enabled
@@ -30,11 +34,11 @@ nx_supported_and_enabled() {
 }
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+audit() {
+    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
         else
             ok "NX is supported and enabled"
@@ -45,11 +49,11 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
         nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
         else
             ok "NX is supported and enabled"
@@ -66,17 +70,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.3_enable_randomized_vm_placement.sh

@@ -1,27 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+audit() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
         crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -29,12 +33,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+apply() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
         warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
         warn "$SYSCTL_PARAM does not exist -- Typo?"
     else
         ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -48,17 +52,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.5.4_disable_prelink.sh

@@ -1,24 +1,28 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 4.4 Disable Prelink (Scored)
+# 1.5.4 Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable prelink to prevent libraries compromission."
 
 PACKAGE='prelink'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed!"
     else
         ok "$PACKAGE is absent"
@@ -27,12 +31,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed, purging it"
         /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
         apt-get autoremove
     else
         ok "$PACKAGE is absent"
@@ -47,17 +51,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.2.1 Activate AppArmor (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Activate AppArmor to enforce permissions control."
+
+PACKAGE='apparmor'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is absent!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ "$ERROR" = 0 ]; then
+        ok "$PACKAGE is configured"
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
+    else
+        ok "$PACKAGE is installed"
+    fi
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.1_remove_os_info_motd.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from motd"
+
+FILE='/etc/motd'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.2_remove_os_info_issue.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from Login Warning Banners."
+
+FILE='/etc/issue'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.3_remove_os_info_issue_net.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from remote Login Warning Banners."
+
+FILE='/etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.4_motd_perms.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/motd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.5_etc_issue_perms.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.6_etc_issue_net_perms.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.2_graphical_warning_banners.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 1.7.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Set graphical warning banner."
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Not implemented yet"
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     info "Not implemented yet"
 }
 
@@ -30,17 +34,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/1.8_install_updates.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Checking if apt needs an update"
-    apt_update_if_needed 
+    apt_update_if_needed
     info "Fetching upgrades ..."
     apt_check_updates "CIS_APT"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
         crit "$RESULT"
         FNRET=1
     else
@@ -29,8 +33,8 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET -gt 0 ]; then 
+apply() {
+    if [ "$FNRET" -gt 0 ]; then
         info "Applying Upgrades..."
         DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
     else
@@ -46,17 +50,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/10.1.1_set_password_exp_days.sh

@@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.1 Set Password Expiration Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/10.1.2_set_password_min_days_change.sh

@@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.2 Set Password Change Minimum Number of Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/10.1.3_set_password_exp_warning_days.sh

@@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.3 Set Password Expiring Warning Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/10.2_disable_system_accounts.sh

@@ -1,107 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.2 Disable System Accounts (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-SHELL='/bin/false'
-FILE='/etc/passwd'
-RESULT=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
-        debug "Account : $ACCOUNT"
-        debug "Exceptions : $EXCEPTIONS"
-        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
-            debug "$ACCOUNT is confirmed as an exception"
-            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
-        crit "$RESULT"
-    else
-        ok "All admin accounts deactivated"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
-        debug "Account : $ACCOUNT"
-        debug "Exceptions : $EXCEPTIONS"
-        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
-            debug "$ACCOUNT is confirmed as an exception"
-            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
-        warn "$RESULT"
-        for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
-            usermod -s $SHELL $USER
-        done
-    else
-        ok "All admin accounts deactivated, nothing to apply"
-    fi
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put here your exceptions concerning admin accounts shells separated by spaces
-EXCEPTIONS=""
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/11.1_warning_banners.sh

@@ -1,85 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PERMISSIONS='644'
-USER='root'
-GROUP='root'
-FILES='/etc/motd /etc/issue /etc/issue.net'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            crit "$FILE ownership was not set to $USER:$GROUP"
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            crit "$FILE permissions were not set to $PERMISSIONS"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
-            info "$FILE does not exist"
-            touch $FILE
-        fi
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown $USER:$GROUP $FILE
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0$PERMISSIONS $FILE
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/11.2_remove_os_info_warning_banners.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-FILES='/etc/motd /etc/issue /etc/issue.net'
-PATTERN='(\\v|\\r|\\m|\\s)'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            crit "$PATTERN is present in $FILE"
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            warn "$PATTERN is present in $FILE"
-            delete_line_in_file $FILE $PATTERN
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.10_find_suid_files.sh

@@ -1,71 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.10 Find SUID System Executables (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are suid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
-            debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some suid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unknown suid files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Removing suid on valid binary may seriously harm your system, report only here"
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put Here your valid suid binaries so that they do not appear during the audit
-EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.11_find_sgid_files.sh

@@ -1,72 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.11 Find SGID System Executables (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are sgid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
-            debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some sgid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unknown sgid files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Removing sgid on valid binary may seriously harm your system, report only here"
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put here valid binaries with sgid enabled separated by spaces
-EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.1_etc_passwd_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.1 Verify Permissions on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.2_etc_shadow_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.2 Verify Permissions on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-PERMISSIONS='640'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.3_etc_group_permissions.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.3 Verify Permissions on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.4_etc_passwd_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.5_etc_shadow_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-USER='root'
-GROUP='shadow'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.6_etc_group_ownership.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.6 Verify User/Group Ownership on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.8_find_unowned_files.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.8 Find Un-owned Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-USER='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are unowned files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some unowned files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unowned files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
-    else
-        ok "No unowned files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/12.9_find_ungrouped_files.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.9 Find Un-grouped Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are ungrouped files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some ungrouped files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No ungrouped files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
-    else
-        ok "No ungrouped files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.13_check_user_homedir_ownership.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.13 Check User Home Directory Ownership (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE)
-        DIR=$(awk -F: {'print $3'} <<< $LINE)    
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
-                ERRORS=$((ERRORS+1))
-            fi
-        fi
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "All home directories have correct ownership"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                warn "The home directory ($DIR) of user $USER is owned by $OWNER."
-                chown $USER $DIR
-            fi
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.14_check_duplicate_uid.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.14 Check for Duplicate UIDs (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate UID ($USERID): ${USERS}"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate UIDs"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically uids may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.15_check_duplicate_gid.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.15 Check for Duplicate GIDs (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        GROUPID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate GID ($GROUPID): ${USERS}"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate GIDs"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically gids may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.16_check_duplicate_username.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.16 Check for Duplicate User Names (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERNAME=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate username $USERNAME"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate usernames"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically username may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.17_check_duplicate_groupname.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.17 Check for Duplicate Group Names (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        GROUPNAME=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate groupname $GROUPNAME"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate groupnames"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically groupname may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.6_sanitize_root_path.sh

@@ -1,89 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.6 Ensure root PATH Integrity (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    if [ "`echo $PATH | grep :: `" != "" ]; then
-        crit "Empty Directory in PATH (::)"
-        ERRORS=$((ERRORS+1))
-    fi
-    if [ "`echo $PATH | grep :$`" != "" ]; then
-        crit "Trailing : in PATH $PATH"
-        ERRORS=$((ERRORS+1))
-    fi
-    FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
-    set -- $FORMATTED_PATH
-    while [ "${1:-}" != "" ]; do
-        if [ "$1" = "." ]; then
-            crit "PATH contains ."
-            ERRORS=$((ERRORS+1))
-        else
-            if [ -d $1 ]; then
-                dirperm=$(ls -ldH $1 | cut -f1 -d" ")
-                if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
-                    crit "Group Write permission set on directory $1"
-                    ERRORS=$((ERRORS+1))
-                fi
-                if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
-                    crit "Other Write permission set on directory $1"
-                    ERRORS=$((ERRORS+1))
-                fi
-                dirown=$(ls -ldH $1 | awk '{print $3}')
-                if [ "$dirown" != "root" ] ; then
-                    crit "$1 is not owned by root"
-                    ERRORS=$((ERRORS+1))
-                fi
-            else
-                crit "$1 is not a directory"
-                ERRORS=$((ERRORS+1))
-            fi
-        fi
-        shift
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "root PATH is secure"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing items from PATH may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.8_check_user_dot_file_perm.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.8 Check User Dot File Permissions (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    crit "Group Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    crit "Other Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "Dot file permission in users directories are correct"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    warn "Group Write permission set on FILE $FILE"
-                    chmod g-w $FILE
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    warn "Other Write permission set on FILE $FILE"
-                    chmod o-w $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/13.9_set_perm_on_user_netrc.sh

@@ -1,81 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.9 Check Permissions on User .netrc Files (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-PERMISSIONS="600"
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    crit "$FILE permissions were not set to $PERMISSIONS"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "permission $PERMISSIONS set on .netrc users files"
-    fi
-
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    warn "$FILE permissions were not set to $PERMISSIONS"
-                    chmod 600 $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/2.1.1_disable_xinetd.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.1.1 Ensure xinetd is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure xinetd is not enabled."
+
+PACKAGE='xinetd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PACKAGE is installed, purging"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.1.2_disable_bsd_inetd.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.8 Ensure xinetd is not enabled (Scored)
+# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure bsd-inetd is not enabled."
 
-PACKAGES='openbsd-inetd xinetd rlinetd'
+PACKAGES='openbsd-inetd inetutils-inetd'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -28,12 +32,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
@@ -48,17 +52,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=false
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "Time synchronization is available through $PACKAGE"
+            FOUND=true
+        fi
+    done
+    if [ "$FOUND" = false ]; then
+        crit "None of the following time sync packages are installed: $PACKAGES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.1.2_configure_ntp.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure ntp is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE='ntp'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_FILE='/etc/ntp.conf'
+NTP_INIT_PATTERN='RUNASUSER=ntp'
+NTP_INIT_FILE='/etc/init.d/ntp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+        else
+            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+        fi
+        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+        else
+            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+        info "Checking $PACKAGE configuration"
+    fi
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
+        backup_file "$NTP_CONF_FILE"
+        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
+    else
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
+        backup_file "$NTP_INIT_FILE"
+        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+        else
+            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.10_disable_http_server.sh

@@ -1,27 +1,32 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.10 Ensure HTTP Server is not enabled (Not Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure HTTP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=http
 
 # Based on aptitude search '~Phttpd'
 PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -30,13 +35,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -50,17 +55,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -1,27 +1,32 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IMAP and POP servers are not installed"
+# shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
 PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -30,13 +35,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -50,17 +55,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.12_disable_samba.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.12 Ensure Samba is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Samba is not enabled."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=samba
+
+PACKAGES='samba'
+SERVICE='smbd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+    else
+        ok "Service $SERVICE is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+        systemctl disable "$SERVICE"
+    else
+        ok "Service $SERVICE is disabled"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure HTTP-proxy is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=http
 
 PACKAGES='squid3 squid'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,12 +34,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+# 2.2.14 Ensure SNMP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enure SNMP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=snmp
 
 PACKAGES='snmpd'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.15_mta_localhost.sh

@@ -1,30 +1,35 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
     RESULT=${RESULT:-}
     debug "Result is $RESULT"
     if [ -z "$RESULT" ]; then
         ok "Nothing listens on 25 port, probably unix socket configured"
     else
         info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
             ok "MTA is configured to localhost only"
         else
             crit "MTA listens worldwide"
@@ -33,7 +38,7 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     info "Checking netport ports opened"
     RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
     RESULT=${RESULT:-}
@@ -42,7 +47,7 @@ apply () {
         ok "Nothing listens on 25 port, probably unix socket configured"
     else
         info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
             ok "MTA is configured to localhost only"
         else
             warn "MTA listens worldwide, correct this considering your MTA"
@@ -58,17 +63,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.16_disable_rsync.sh

@@ -1,17 +1,22 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.16 Ensure rsync service is not enabled (Scored)
+# 2.2.16 Ensure rsync service is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure rsync service is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=rsync
 
 PACKAGE='rsync'
@@ -20,14 +25,14 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
 RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed"
     else
         ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
             crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
         else
             ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@@ -36,17 +41,17 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed"
     else
         ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
             warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
-            backup_file $RSYNC_DEFAULT_FILE
-            replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+            backup_file "$RSYNC_DEFAULT_FILE"
+            replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
         else
             ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
         fi
@@ -60,17 +65,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.18_disable_telnet_server.sh

@@ -1,17 +1,23 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# Legacy CIS Debian Hardening
 #
 
 #
-# 5.1.6 Ensure telnet server is not enabled (Scored)
+# 2.2.18 Ensure telnet server is not enabled (Scored)
 #
 
+# Note: this check is not anymore in CIS hardening but we decided to keep it anyway
+
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
 
 # Based on  aptitude search '~Ptelnet-server'
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
@@ -19,17 +25,17 @@ FILE='/etc/inetd.conf'
 PATTERN='^telnet'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, checking configuration"
-            does_file_exist $FILE
-            if [ $FNRET != 0 ]; then
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
                 ok "$FILE does not exist"
             else
-                does_pattern_exist_in_file $FILE $PATTERN
-                if [ $FNRET = 0 ]; then
+                does_pattern_exist_in_file "$FILE" "$PATTERN"
+                if [ "$FNRET" = 0 ]; then
                     crit "$PATTERN exists, $PACKAGE services are enabled!"
                 else
                     ok "$PATTERN is not present in $FILE"
@@ -42,27 +48,28 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
             apt-get autoremove
         else
             ok "$PACKAGE is absent"
         fi
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
             ok "$FILE does not exist"
         else
             info "$FILE exists, checking patterns"
-            does_pattern_exist_in_file $FILE $PATTERN
-            if [ $FNRET = 0 ]; then
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
                 warn "$PATTERN is present in $FILE, purging it"
                 backup_file $FILE
-                ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
-                sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
+                # shellcheck disable=SC2001
+                ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
+                sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"
             else
                 ok "$PATTERN is not present in $FILE"
             fi
@@ -77,17 +84,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -1,27 +1,32 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.1 Ensure the X Window system is not installed (Scored)
+# 2.2.2 Ensure the X Window system is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure the X Window system is not installed."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=x11
 
 # Based on aptitude search '~Pxserver'
 PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -30,13 +35,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -50,17 +55,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.2 Ensure Avahi Server is not enabled (Scored)
+# 2.2.3 Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Avahi server is not enabled."
 
 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -28,13 +32,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -48,17 +52,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.4_disable_print_server.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.3 Ensure print server is not enabled (Not Scored)
+# 2.2.4 Ensure CUPS is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=cups
 
 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.5_disable_dhcp.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.4 Ensure DHCP Server is not enabled (Scored)
+# 2.2.5 Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure DHCP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=dhcp
 
 PACKAGES='udhcpd isc-dhcp-server'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.6_disable_ldap.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.6 Ensure LDAP is not enabled (Not Scored)
+# 2.2.6 Ensure LDAP server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure LDAP is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=ldap
 
 PACKAGES='slapd'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
+# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 
 PACKAGES='rpcbind nfs-kernel-server'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.8_disable_dns_server.sh

@@ -1,26 +1,31 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.8 Ensure DNS Server is not enabled (Not Scored)
+# 2.2.8 Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 
 PACKAGES='bind9 unbound'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +34,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +54,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.2.9_disable_ftp.sh

@@ -1,27 +1,32 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 6.9 Ensure FTP Server is not enabled (Not Scored)
+# 2.2.9 Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=ftp
 
 # Based on aptitude search '~Pftp-server'
 PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed!"
         else
             ok "$PACKAGE is absent"
@@ -30,13 +35,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -50,17 +55,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.1_disable_nis.sh

@@ -1,24 +1,28 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.1 Ensure NIS is not installed (Scored)
+# 2.3.1 Ensure NIS client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 
 PACKAGE='nis'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed!"
     else
         ok "$PACKAGE is absent"
@@ -27,12 +31,12 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
         crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove -y
     else
         ok "$PACKAGE is absent"
     fi
@@ -45,17 +49,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -1,26 +1,30 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.3 Ensure rsh client is not installed (Scored)
+# 2.3.2 Ensure rsh client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -29,13 +33,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -49,17 +53,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.3_disable_talk_client.sh

@@ -1,25 +1,29 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 5.1.5 Ensure talk client is not installed (Scored)
+# 2.3.3 Ensure talk client is not installed (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure talk client is not installed."
 
 PACKAGES='talk inetutils-talk'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             crit "$PACKAGE is installed"
         else
             ok "$PACKAGE is absent"
@@ -28,13 +32,13 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
             warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi
@@ -48,17 +52,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.4 Ensure telnet client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure telnet client is not installed."
+
+PACKAGES='telnet'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PACKAGE is installed, purging"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.5 Ensure LDAP client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ldap client is not installed."
+
+PACKAGES='ldap-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PACKAGE is installed, purging"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 3.1.1 Ensure IP forwarding is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+HARDENING_EXCEPTION=gw
+# shellcheck disable=2034
+DESCRIPTION="Disable IP forwarding."
+
+SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+            elif [ "$FNRET" = 255 ]; then
+                warn "$SYSCTL_PARAM does not exist -- Typo?"
+            else
+                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+            fi
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/3.1.2_disable_send_packet_redirects.sh

@@ -1,32 +1,36 @@
 #!/bin/bash
 
+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# 7.1.2 Disable Send Packet Redirects (Scored)
+# 3.1.2 Ensure packet redirect sending is disabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
 
 #net.ipv4.conf.all.send_redirects = 0
 #net.ipv4.conf.default.send_redirects = 0
 SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
             crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -35,17 +39,17 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
         debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
             warn "$SYSCTL_PARAM does not exist -- Typo?"
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@@ -60,17 +64,19 @@ check_config() {
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/3.1_bootloader_ownership.sh

@@ -1,84 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 3.1 Set User/Group Owner on bootloader config (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-# Assertion : Grub Based.
-
-FILE='/boot/grub/grub.cfg'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-
-    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
-        warn "Grub is not installed, not handling configuration"
-        exit 128
-    fi
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi