Update changelog (#99 )

Accept lower values (#95 )
* IMP(5.2.23): accept lower value as valid * IMP(5.2.7): accept lower value as valid
2025-07-15 21:32:17 +02:00 · 2021-05-07 09:16:15 +02:00 · 2021-04-27 16:04:13 +02:00 · 2021-04-27 13:49:05 +02:00 · 2021-04-27 13:31:59 +02:00 · 2021-04-26 17:05:22 +02:00
587 changed files with 22367 additions and 8792 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -0,0 +1,17 @@
+---
+name: Compile debian man
+on:
+  - push
+jobs:
+  compile-debian-man:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Produce debian man
+        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
+      - uses: EndBug/add-and-commit@v7
+        with:
+          add: 'debian/cis-hardening.8'
+          message: 'Regenerate man pages (Github action)'
+          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -0,0 +1,27 @@
+---
+name: Run functionnal tests
+on:
+  - pull_request
+  - push
+jobs:
+  functionnal-tests-docker-debian9:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian9
+        run: ./tests/docker_build_and_run_tests.sh debian9
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10
+  functionnal-tests-docker-debian11:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian11
+        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -0,0 +1,64 @@
+---
+name: Create Pre-Release
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: Create Pre-Release
+    runs-on: ubuntu-latest
+    steps:
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # GET LATEST VERSION TAG
+      - name: Get latest version tag
+        uses: actions-ecosystem/action-get-latest-tag@v1
+        id: get-latest-tag
+      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
+      - name: Generate changelog
+        id: changelog
+        uses: metcalfc/changelog-generator@v0.4.4
+        with:
+          myToken: ${{ secrets.GITHUB_TOKEN }}
+          head-ref: ${{ github.sha }}
+          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
+      # CREATE RELEASE NAMED LATEST
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: latest
+          release_name: Pre-release
+          body: ${{ steps.changelog.outputs.changelog }}
+          draft: false
+          prerelease: true
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening.deb
+          asset_content_type: application/vnd.debian.binary-package
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -0,0 +1,29 @@
+---
+name: Run shell-linter
+on:
+  - push
+  - pull_request
+jobs:
+  shellfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the sh-checker
+        uses: luizm/action-sh-checker@v0.1.12
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
+          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
+        with:
+          sh_checker_shellcheck_disable: true
+          sh_checker_comment: true
+          sh_checker_exclude: |
+                              src/
+                              debian/postrm
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run shellcheck
+        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -0,0 +1,66 @@
+---
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    name: Create Release
+    # only runs on master
+    if: github.event.base_ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    steps:
+      # GET VERSION TAG
+      - name: Get latest version number
+        id: vars
+        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.vars.outputs.tag }}
+      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
+      - name: Generate changelog
+        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
+      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
+      - name: Abort if changelog is empty
+        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # CREATE RELEASE
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          body_path: changelog.md
+          draft: false
+          prerelease: false
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
+          asset_content_type: application/vnd.debian.binary-package
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+tmp/shfmt
--- a/7
+++ b/7
@ -1,8 +1,9 @@
 Contributors of this project :

 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>

 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
--- a/211
+++ b/211
@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
-All rights reserved.
+Copyright 2020 OVHcloud

-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at

-  * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-  * Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
-  * Neither the name of OVH SAS nor the
-    names of its contributors may be used to endorse or promote products
-    derived from this software without specific prior written permission.
+       http://www.apache.org/licenses/LICENSE-2.0

-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   A copy of the license terms follows:
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
--- a/MANUAL.md
+++ b/MANUAL.md
@ -0,0 +1,160 @@
+% CIS-HARDENING(8)
+%
+% 2016
+
+# NAME
+
+cis-hardening - CIS Debian 9/10 Hardening
+
+# SYNOPSIS
+
+**hardening.sh** RUN_MODE [OPTIONS]
+
+# DESCRIPTION
+
+Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
+
+# SCRIPTS CONFIGURATION
+
+Hardening scripts are in `bin/hardening`. Each script has a corresponding
+configuration file in `etc/conf.d/[script_name].cfg`.
+
+Each hardening script can be individually enabled from its configuration file.
+For example, this is the default configuration file for `disable_system_accounts`:
+
+```
+# Configuration for script of same name
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+```
+
+**status** parameter may take 3 values:
+
+- `disabled` (do nothing): The script will not run.
+- `audit` (RO): The script will check if any change should be applied.
+- `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
+
+Global configuration is in `etc/hardening.cfg`. This file controls the log level
+as well as the backup directory. Whenever a script is instructed to edit a file, it
+will create a timestamped backup in this directory.
+
+
+# RUN MODE
+
+`-h`, `--help`
+:   Display a friendly help message.
+
+`--apply`
+:   Apply hardening for enabled scripts.
+    Beware that NO confirmation is asked whatsoever, which is why you're warmly
+    advised to use `--audit` before, which can be regarded as a dry-run mode.
+
+`--audit`
+:   Audit configuration for enabled scripts.
+    No modification will be made on the system, we'll only report on your system
+    compliance for each script.
+
+`--audit-all`
+:   Same as `--audit`, but for *all* scripts, even disabled ones.
+    This is a good way to peek at your compliance level if all scripts were enabled,
+    and might be a good starting point.
+
+`--audit-all-enable-passed`
+:   Same as `--audit-all`, but in addition, will *modify* the individual scripts
+    configurations to enable those which passed for your system.
+    This is an easy way to enable scripts for which you're already compliant.
+    However, please always review each activated script afterwards, this option
+    should only be regarded as a way to kickstart a configuration from scratch.
+    Don't run this if you have already customized the scripts enable/disable
+    configurations, obviously.
+
+`--create-config-files-only`
+:   Create the config files in etc/conf.d
+    Must be run as root, before running the audit with user secaudit
+
+`-set-hardening-level=level`
+:   Modifies the configuration to enable/disable tests given an hardening level,
+    between 1 to 5. Don't run this if you have already customized the scripts
+    enable/disable configurations.
+    1: very basic policy, failure to pass tests at this level indicates severe
+        misconfiguration of the machine that can have a huge security impact
+    2: basic policy, some good practice rules that, once applied, shouldn't
+        break anything on most systems
+    3: best practices policy, passing all tests might need some configuration
+        modifications (such as specific partitioning, etc.)
+    4: high security policy, passing all tests might be time-consuming and
+        require high adaptation of your workflow
+    5: placebo, policy rules that might be very difficult to apply and maintain,
+        with questionable security benefits
+
+`--allow-service=service`
+:   Use with `--set-hardening-level`.
+    Modifies the policy to allow a certain kind of services on the machine, such
+    as http, mail, etc. Can be specified multiple times to allow multiple services.
+    Use --allow-service-list to get a list of supported services.
+
+# OPTIONS
+
+`--allow-service-list`
+:   Get a list of supported service.
+
+  
+`--only test-number`
+:    Modifies the RUN_MODE to only work on the test_number script.
+    Can be specified multiple times to work only on several scripts.
+    The test number is the numbered prefix of the script,
+    i.e. the test number of 1.2_script_name.sh is 1.2.
+
+`--sudo`
+:   This option lets you audit your system as a normal user, but allows sudo
+    escalation to gain read-only access to root files. Note that you need to
+    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+    the -n option instructs sudo not to prompt for a password.
+    Finally note that `--sudo` mode only works for audit mode.
+
+`--set-log-level=level`
+:   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+    Default value is : info
+
+`--batch`
+:   While performing system audit, this option sets LOGLEVEL to 'ok' and
+    captures all output to print only one line once the check is done, formatted like :
+    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
+`--allow-unsupported-distribution`
+    Must be specified manually in the command line to allow the run on non compatible
+    version or distribution. If you want to mute the warning change the LOGLEVEL
+    in /etc/hardening.cfg
+
+
+# AUTHORS
+
+- Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+- Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+- Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
+- Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
+
+# COPYRIGHT
+
+Copyright 2020 OVHcloud
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+# SEE ALSO
+
+- **Center for Internet Security**: https://www.cisecurity.org/
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
+- **Project repository**: https://github.com/ovh/debian-cis
+
--- a/README.md
+++ b/README.md
@ -1,44 +1,60 @@
-# CIS Debian 7/8 Hardening
+# :lock: CIS Debian 9/10 Hardening

-Modular Debian 7/8 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
+report issues if you find any!
+
+
+<p align="center">
+      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
+</p>
+
+![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
+![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
+![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
+
+![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
+![License](https://img.shields.io/github/license/ovh/debian-cis)
+---
+
+Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.

 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
-13.15_check_duplicate_gid [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Performing audit
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
-         Total Runned Checks : 191
-         Total Passed Checks : [ 170/191 ]
-         Total Failed Checks : [  21/191 ]
-   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 89.01 %
+      Total Available Checks : 232
+         Total Runned Checks : 166
+         Total Passed Checks : [ 142/166 ]
+         Total Failed Checks : [  24/166 ]
+   Enabled Checks Percentage : 71.00 %
+       Conformity Percentage : 85.00 %
 ```

-## Quickstart
+## :dizzy: Quickstart

 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
-1.1_install_updates [INFO] Checking Configuration
-1.1_install_updates [INFO] Performing audit
-1.1_install_updates [INFO] Checking if apt needs an update
-1.1_install_updates [INFO] Fetching upgrades ...
-1.1_install_updates [ OK ] No upgrades available
-1.1_install_updates [ OK ] Check Passed
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```

-## Usage
+## :hammer: Usage

 ### Configuration

@ -72,7 +88,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts

-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
+
+ ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.

 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,7 +98,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.

-## Hacking
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
+specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
+with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
+not prompt for a password.
+
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
+captures all output to print only one line once the check is done, formatted like :
+OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
+``--only <check_number>``: run only the selected checks.
+
+``--set-hardening-level``: run all checks that are lower or equal to the selected level.
+Do NOT use this option if you have already started to customize your configuration.
+
+``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
+to allow a certain kind of services on the machine, such as http, mail, etc.
+Can be specified multiple times to allow multiple services.
+Use --allow-service-list to get a list of supported services.
+
+``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+Default value is : info
+
+``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
+before running the audit with user secaudit, to have the rights setup well on the conf files.
+
+``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
+the run on non compatible version or distribution. If you want to mute the warning change the
+LOGLEVEL in /etc/hardening.cfg
+
+## :computer: Hacking

 **Getting the source**

@ -101,6 +148,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
+Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
+
+If the check replace somehow one that is in the CIS specifications,
+you can use the numerotation of the check it replaces inplace. For example we check
+the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
+
+Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
+(part of OVHcloud security policy)
+

 Code your check explaining what it does then if you want to test

@ -108,11 +164,83 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
+## :sparkles: Functional testing

-## Disclaimer
+Functional tests are available. They are to be run in a Docker environment.
+
+```console
+$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
+```
+
+With `target` being like `debian9` or `debian10`.
+
+Running without script arguments will run all tests in `./tests/hardening/` directory.
+Or you can specify one or several test script to be run.
+
+This will build a new Docker image from the current state of the projet and run
+a container that will assess a blank Debian system compliance for each check.  
+For hardening audit points the audit is expected to fail, then be fixed so that
+running the audit a second time will succeed.  
+For vulnerable items, the audit is expected to succeed on a blank
+system, then the functional tests will introduce a weak point, that is expected
+to be detected when running the audit test a second time. Finally running the `apply`
+part of debian-cis script will restore a compliance state that is expected to be
+assed by running the audit check a third time.
+
+Functional tests can make use of the following helper functions :  
+
+* `describe <test description>`
+* `run <usecase> <audit_script> <audit_script_options>`
+* `register_test <test content (see below)>`
+  * `retvalshoudbe <integer>` check the script return value
+  * `contain "<SAMPLE TEXT>"` check that the output contains the following text
+
+In order to write your own functional test, you will find a code skeleton in
+`./src/skel.test`.
+
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
+and that we will not test the apply function. It's because the check is very basic
+(like a package install) and that a test on it is not really necessary.
+
+Furthermore, some tests are disabled on docker because there not pertinent (kernel 
+modules, grub, partitions, ...)
+You can disable a check on docker with:
+```bash
+if [ -f "/.dockerenv" ]; then
+  skip "SKIPPED on docker"
+else
+...
+fi
+```
+
+## :art: Coding style
+### Shellcheck
+
+We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
+correctness of the scripts and to respect best practices.
+It can be used directly with the docker environnment to check all scripts 
+compliancy. By default it runs on every `.sh` it founds.
+
+```console
+$ ./shellcheck/launch_shellcheck.sh [name of script...]
+```
+
+### Shellfmt
+
+We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
+consistent style in every script. 
+Identically to shellcheck, it can be run through a script with the following:
+
+```console
+$ ./shellfmt/launch_shellfmt.sh
+```
+It will automatically fix any styling problem on every script.
+
+
+## :heavy_exclamation_mark: Disclaimer

 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.

@ -121,7 +249,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -129,13 +257,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-## Reference
+## :satellite: Reference

 - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks

-## License
-
-3-Clause BSD
+## :page_facing_up: License

+Apache, Version 2.0
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -1,7 +1,8 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
 #

@ -9,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #

-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@ -20,11 +21,16 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
+SUDO_MODE=''
+BATCH_MODE=''
+ASK_LOGLEVEL=''
+ALLOW_UNSUPPORTED_DISTRIBUTION=0

 usage() {
-    cat << EOF
+    cat <<EOF
 $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:

    --help -h
@ -74,6 +80,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit

 OPTIONS:

@ -83,6 +93,27 @@ OPTIONS:
        The test number is the numbered prefix of the script,
        i.e. the test number of 1.2_script_name.sh is 1.2.

+    --sudo
+        This option lets you audit your system as a normal user, but allows sudo
+        escalation to gain read-only access to root files. Note that you need to
+        provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+        the '-n' option instructs sudo not to prompt for a password.
+        Finally note that '--sudo' mode only works for audit mode.
+
+    --set-log-level <level>
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        Default value is : info
+
+    --batch
+        While performing system audit, this option sets LOGLEVEL to 'ok' and
+        captures all output to print only one line once the check is done, formatted like :
+        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+    
+    --allow-unsupported-distribution
+        Must be specified manually in the command line to allow the run on non compatible
+        version or distribution. If you want to mute the warning change the LOGLEVEL
+        in /etc/hardening.cfg
+
 EOF
    exit 0
 }
@ -94,159 +125,249 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST

 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
    ARG="$1"
    case $ARG in
-        --audit)
-            AUDIT=1
+    --audit)
+        AUDIT=1
        ;;
-        --audit-all)
-            AUDIT_ALL=1
+    --audit-all)
+        AUDIT_ALL=1
        ;;
-        --audit-all-enable-passed)
-            AUDIT_ALL_ENABLE_PASSED=1
+    --audit-all-enable-passed)
+        AUDIT_ALL_ENABLE_PASSED=1
        ;;
-        --apply)
-            APPLY=1
+    --apply)
+        APPLY=1
        ;;
-        --allow-service-list)
-            ALLOW_SERVICE_LIST=1
+    --allow-service-list)
+        ALLOW_SERVICE_LIST=1
        ;;
-        --allow-service)
-            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
-            shift
+    --create-config-files-only)
+        CREATE_CONFIG=1
        ;;
-        --set-hardening-level)
-            SET_HARDENING_LEVEL="$2"
-            shift
+    --allow-service)
+        ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+        shift
        ;;
-        --only)
-            TEST_LIST[${#TEST_LIST[@]}]="$2"
-            shift
+    --set-hardening-level)
+        SET_HARDENING_LEVEL="$2"
+        shift
        ;;
-        -h|--help)
-            usage
+    --set-log-level)
+        ASK_LOGLEVEL=$2
+        shift
        ;;
-        *)
-            usage
+    --only)
+        TEST_LIST[${#TEST_LIST[@]}]="$2"
+        shift
+        ;;
+    --sudo)
+        SUDO_MODE='--sudo'
+        ;;
+    --batch)
+        BATCH_MODE='--batch'
+        ASK_LOGLEVEL=ok
+        ;;
+    --allow-unsupported-distribution)
+        ALLOW_UNSUPPORTED_DISTRIBUTION=1
+        ;;
+    -h | --help)
+        usage
+        ;;
+    *)
+        usage
        ;;
    esac
    shift
 done

+# if no RUN_MODE was passed, usage and quit
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
+    usage
+fi
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

-[ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
+# shellcheck source=../etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
+# shellcheck source=../lib/common.sh
+[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
+# shellcheck source=../lib/utils.sh
+[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
+# shellcheck source=../lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
+# print warning, otherwise quit
+
+if [ "$DISTRIBUTION" != "debian" ]; then
+    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+        echo "Exiting now"
+        exit 100
+    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+    fi
+else
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    fi
+fi

 # If --allow-service-list is specified, don't run anything, just list the supported services
-if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
+if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
    declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
    done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
    exit 0
 fi

 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
-    if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
+    if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
        echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
        exit 1
    fi

-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
-        if [ -z "$script_level" ] ; then
+        if [ -z "$script_level" ]; then
            echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
            continue
        fi
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
    done
    echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
    exit 0
 fi

+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
+for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
        # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
-        if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
            # not in the list
            continue
        fi
    fi

    info "Treating $SCRIPT"
-    
-    if [ $AUDIT = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
-        $SCRIPT --audit
-    elif [ $AUDIT_ALL = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
-        $SCRIPT --audit-all
-    elif [ $APPLY = 1 ]; then
+    if [ "$CREATE_CONFIG" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+    elif [ "$AUDIT" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+        "$SCRIPT"
    fi

    SCRIPT_EXITCODE=$?

    debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
    case $SCRIPT_EXITCODE in
-        0)
-            debug "$SCRIPT passed"
-            PASSED_CHECKS=$((PASSED_CHECKS+1))
-            if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
-                SCRIPT_BASENAME=$(basename $SCRIPT .sh)
-                sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
-                info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
-            fi
-        ;;    
-        1)
-            debug "$SCRIPT failed"
-            FAILED_CHECKS=$((FAILED_CHECKS+1))
+    0)
+        debug "$SCRIPT passed"
+        PASSED_CHECKS=$((PASSED_CHECKS + 1))
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
+            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+        fi
        ;;
-        2)
-            debug "$SCRIPT is disabled"
-            DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+    1)
+        debug "$SCRIPT failed"
+        FAILED_CHECKS=$((FAILED_CHECKS + 1))
+        ;;
+    2)
+        debug "$SCRIPT is disabled"
+        DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
        ;;
    esac

-    TOTAL_CHECKS=$((TOTAL_CHECKS+1))
- 
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
+
 done

-TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))

-printf "%40s\n" "################### SUMMARY ###################"
-printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
-printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-    printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ "$BATCH_MODE" ]; then
+    BATCH_SUMMARY="AUDIT_SUMMARY "
+    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
+    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
+    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
+    else
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
+    fi
+    becho "$BATCH_SUMMARY"
 else
-    printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 
+    printf "%40s\n" "################### SUMMARY ###################"
+    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
+    else
+        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+    fi
 fi
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of freevxfs filesystems."
+
+KERNEL_OPTION="CONFIG_VXFS_FS"
+MODULE_NAME="freevxfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of jffs2 filesystems."
+
+KERNEL_OPTION="CONFIG_JFFS2_FS"
+MODULE_NAME="jffs2"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfs filesystems."
+
+KERNEL_OPTION="CONFIG_HFS_FS"
+MODULE_NAME="hfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfsplus filesystems."
+
+KERNEL_OPTION="CONFIG_HFSPLUS_FS"
+MODULE_NAME="hfsplus"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of squashfs filesytems."
+
+KERNEL_OPTION="CONFIG_SQUASHFS"
+MODULE_NAME="squashfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of udf filesystems."
+
+KERNEL_OPTION="CONFIG_UDF_FS"
+MODULE_NAME="udf"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=5
+# shellcheck disable=2034
+DESCRIPTION="Limit mounting of FAT filesystems."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_VFAT_FS"
+MODULE_FILE="vfat"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # TODO check if uefi enabled if yes check if only boot partition use FAT
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
+# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with noexec option."

 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -1,52 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.7 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log on separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/log"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -1,52 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.8 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -1,52 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.9 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/home on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/home"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.10 Add nodev Option to /home (Scored)
+# 1.1.14 Ensure nodev Option set on /home (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/home partition with nodev option."

 # Quick factoring as many script use the same logic
 PARTITION="/home"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -1,64 +1,73 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.14 Add nodev Option to /run/shm Partition (Scored)
+# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nodev option."

 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +78,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -1,64 +1,73 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with nosuid option."

 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +78,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -1,64 +1,73 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.16 Add noexec Option to /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/run/shm with noexec option."

 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +78,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -1,17 +1,21 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="nodev option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -57,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -1,17 +1,21 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="nosuid option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -57,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -1,17 +1,21 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="noexec option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

@ -20,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -57,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -0,0 +1,107 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Checking if setuid is set on world writable Directories"
+    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    # shellcheck disable=SC2086
+    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$LINE"; then
+            debug "$LINE is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$LINE not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
+    if [ -n "$RESULT" ]; then
+        crit "Some world writable directories are not on sticky bit mode!"
+        # shellcheck disable=SC2001
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
+        crit "$FORMATTED_RESULT"
+    else
+        ok "All world writable directories have a sticky bit"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
+            debug "$ACCOUNT is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$ACCOUNT not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
+    if [ -n "$RESULT" ]; then
+        warn "Setting sticky bit on world writable directories"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+    else
+        ok "All world writable directories have a sticky bit, nothing to apply"
+    fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put here your exceptions separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    if [ -z "$EXCEPTIONS" ]; then
+        EXCEPTIONS="@"
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@ -1,25 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.25 Disable Automounting (Scored)
+# 1.1.22 Disable Automounting (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable automounting of devices."

 SERVICE_NAME="autofs"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
        crit "$SERVICE_NAME is enabled"
    else
        ok "$SERVICE_NAME is disabled"
@ -27,12 +31,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is disabled"
    fi
@ -45,17 +49,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -0,0 +1,78 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.23 Disable USB storage (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable USB storage."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_USB_STORAGE"
+MODULE_NAME="usb-storage"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@ -1,52 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.1 Create Separate Partition for /tmp (Scored)
+# 1.1.2 Ensure /tmp is configured (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure /tmp is configured (Scored)"

 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with nodev option."

 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.3 Set nosuid option for /tmp Partition (Scored)
+# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with nosuid option."

 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.4 Set noexec option for /tmp Partition (Scored)
+# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/tmp partition with noexec option."

 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -1,52 +1,56 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.5 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@ -1,52 +1,56 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.6.1 Create Separate Partition for /var/tmp (Scored)
+# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -58,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
+# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with nodev option."

 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@ -1,64 +1,68 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
+# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/tmp partition with nosuid option."

 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -69,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/7.7_enable_firewall.sh
+++ b/bin/hardening/7.7_enable_firewall.sh
@ -1,27 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 7.7 Ensure Firewall is active (Scored)
+# 1.3.1 Ensure sudo is installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."

-# Quick note here : CIS recommends your iptables rules to be persistent. 
-# Do as you want, but this script does not handle this
-
-PACKAGE='iptables'
+PACKAGE='sudo'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
@ -29,14 +30,14 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            ok "$PACKAGE is installed"
-        else
-            crit "$PACKAGE is absent, installing it"
-            apt_install $PACKAGE
-        fi
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
 }

 # This function will check config parameters required
@ -46,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.3.2_pty_sudo.sh
+++ b/bin/hardening/1.3.2_pty_sudo.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.2 Ensure sudo commands use pty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
+
+PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        crit "Defaults use_pty not found in sudoers files"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        warn "Defaults use_pty not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.3.3_logfile_sudo.sh
+++ b/bin/hardening/1.3.3_logfile_sudo.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.3 Ensure sudo log file exists (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo log files exists."
+
+PATTERN="^\s*Defaults\s+logfile=\S+"
+LOGFILE="/var/log/sudo.log"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        crit "Defaults log file not found in sudoers files"
+    fi
+}
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        warn "Defaults log file not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.4.1_install_tripwire.sh
+++ b/bin/hardening/1.4.1_install_tripwire.sh
@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.4.1 Ensure tripwire is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure tripwire package is installed."
+
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
+PACKAGE='tripwire'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+        info "Tripwire is now installed but not fully functionnal, please see readme to go further"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.4.2_tripwire_cron.sh
+++ b/bin/hardening/1.4.2_tripwire_cron.sh
@ -0,0 +1,84 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Implemet periodic execution of file integrity."
+
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
+FILES="/etc/crontab"
+DIRECTORY="/etc/cron.d"
+PATTERN='tripwire --check'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)"
+    FOUND=0
+    for FILE in $FILES; do
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+    if [ $FOUND = 1 ]; then
+        ok "$PATTERN is present in $FILES"
+    else
+        crit "$PATTERN is not present in $FILES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)"
+    FOUND=0
+    for FILE in $FILES; do
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+    if [ "$FOUND" != 1 ]; then
+        warn "$PATTERN is not present in $FILES, setting tripwire cron"
+        echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " >/etc/cron.d/CIS_8.3.2_tripwire
+    else
+        ok "$PATTERN is present in $FILES"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User and group root owner of grub bootloader config."
+
+# Assertion : Grub Based.
+
+FILE='/boot/grub/grub.cfg'
+USER='root'
+GROUP='root'
+PERMISSIONS='400'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE ownership was not set to $USER:$GROUP"
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        info "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+
+    is_pkg_installed "grub-pc"
+    if [ "$FNRET" != 0 ]; then
+        warn "Grub is not installed, not handling configuration"
+        exit 2
+    fi
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 2
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 2
+    fi
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+        exit 2
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -1,32 +1,36 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 3.3 Set Boot Loader Password (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Setting bootloader password to secure boot parameters."

 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        crit "$USER_PATTERN not present in $FILE"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        crit "$PWD_PATTERN not present in $FILE"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -34,48 +38,49 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$PWD_PATTERN is present in $FILE"
    fi
-    :
 }

 # This function will check config parameters required
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "grub-pc is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -1,25 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 3.4 Require Authentication for Single-User Mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Root password for single user mode."

 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -27,14 +31,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
        warn "$PATTERN is present in $FILE, please put a root password"
    else
        ok "$PATTERN is not present in $FILE"
    fi
-    :
 }

 # This function will check config parameters required
@ -44,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -0,0 +1,97 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
+
+PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
+
+# Check if the NX bit is supported and noexec=off hasn't been asked
+nx_supported_and_enabled() {
+    if grep -q ' nx ' /proc/cpuinfo; then
+        # NX supported, but if noexec=off specified, it's not enabled
+        if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
+            FNRET=1 # supported but disabled
+        else
+            FNRET=0 # supported and enabled
+        fi
+    else
+        FNRET=1 # not supported
+    fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
+    else
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
+    else
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."

 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+audit() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -29,12 +33,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+apply() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -48,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.3_disable_prelink.sh
+++ b/bin/hardening/1.6.3_disable_prelink.sh
@ -1,24 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 4.4 Disable Prelink (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable prelink to prevent libraries compromission."

 PACKAGE='prelink'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -27,12 +31,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -47,17 +51,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.4_restrict_core_dumps.sh
+++ b/bin/hardening/1.6.4_restrict_core_dumps.sh
@ -1,35 +1,55 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 4.1 Restrict Core Dumps (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Restrict core dumps."

 LIMIT_FILE='/etc/security/limits.conf'
+LIMIT_DIR='/etc/security/limits.d'
 LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
 SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
-        crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
-    else
-        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
+audit() {
+    SEARCH_RES=0
+    LIMIT_FILES=""
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
+        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
+            LIMIT_FILES="$LIMIT_FILES $file"
+        done
+    fi
+    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
+    for file in $LIMIT_FILE $LIMIT_FILES; do
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            debug "$LIMIT_PATTERN not present in $file"
+        else
+            ok "$LIMIT_PATTERN present in $file"
+            SEARCH_RES=1
+            break
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -37,23 +57,23 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
        add_end_of_file $LIMIT_FILE "* hard core 0"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi 
+    fi

 }

@ -64,17 +84,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure AppArmor is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Install AppArmor."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -0,0 +1,134 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Activate AppArmor to enforce permissions control."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    ERROR=0
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+            ERROR=1
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    if [ "$ERROR" = 0 ]; then
+        is_pkg_installed "grub-pc"
+        if [ "$FNRET" != 0 ]; then
+            if [ "$IS_CONTAINER" -eq 1 ]; then
+                ok "Grub is not installed in container"
+            else
+                warn "Grub is not installed"
+                exit 128
+            fi
+        else
+            ERROR=0
+            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+            # define custom IFS and save default one
+            d_IFS=$IFS
+            c_IFS=$'\n'
+            IFS=$c_IFS
+            for line in $RESULT; do
+                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
+                    crit "$line is not configured"
+                    ERROR=1
+                fi
+            done
+            IFS=$d_IFS
+            if [ "$ERROR" = 0 ]; then
+                ok "$PACKAGES are configured"
+
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
+
+    is_pkg_installed "grub-pc"
+    if [ "$FNRET" != 0 ]; then
+        if [ "$IS_CONTAINER" -eq 1 ]; then
+            ok "Grub is not installed in container"
+        else
+            warn "You should use grub. Install it yourself"
+        fi
+    else
+        ERROR=0
+        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+        # define custom IFS and save default one
+        d_IFS=$IFS
+        c_IFS=$'\n'
+        IFS=$c_IFS
+        for line in $RESULT; do
+            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+                crit "$line is not configured"
+                ERROR=1
+            fi
+        done
+        IFS=$d_IFS
+
+        if [ $ERROR = 1 ]; then
+            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
+            $SUDO_CMD update-grub
+        else
+            ok "$PACKAGES are configured"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -0,0 +1,91 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce or complain AppArmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    ERROR=0
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+            ERROR=1
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
+
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGES is absent!"
+            apt_install "$PACKAGE"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
+        aa-complain /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -0,0 +1,105 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce Apparmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    ERROR=0
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+            ERROR=1
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi
+
+        if [ -n "$RESULT_COMPLAIN" ]; then
+            ok "No profiles are in complain mode"
+        else
+            crit "Some processes are in complain mode"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+            apt_install "$PACKAGE"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        warn "Some processes are in complain mode, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.8.1.1_remove_os_info_motd.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from motd"
+
+FILE='/etc/motd'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.8.1.2_remove_os_info_issue.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from Login Warning Banners."
+
+FILE='/etc/issue'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from remote Login Warning Banners."
+
+FILE='/etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.4_motd_perms.sh
+++ b/bin/hardening/1.8.1.4_motd_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/motd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.8.1.5_etc_issue_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.8.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.8.2_graphical_warning_banners.sh
@ -1,25 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Set graphical warning banner."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Not implemented yet"
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Not implemented yet"
 }

@ -30,17 +34,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.9_install_updates.sh
+++ b/bin/hardening/1.9_install_updates.sh
@ -1,25 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if apt needs an update"
-    apt_update_if_needed 
+    apt_update_if_needed
    info "Fetching upgrades ..."
    apt_check_updates "CIS_APT"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$RESULT"
        FNRET=1
    else
@ -29,8 +33,8 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET -gt 0 ]; then 
+apply() {
+    if [ "$FNRET" -gt 0 ]; then
        info "Applying Upgrades..."
        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
    else
@ -46,17 +50,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.1 Set Password Expiration Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.2 Set Password Change Minimum Number of Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.1.3 Set Password Expiring Warning Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh
@ -1,107 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 10.2 Disable System Accounts (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-SHELL='/bin/false'
-FILE='/etc/passwd'
-RESULT=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
-        debug "Account : $ACCOUNT"
-        debug "Exceptions : $EXCEPTIONS"
-        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
-            debug "$ACCOUNT is confirmed as an exception"
-            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
-        crit "$RESULT"
-    else
-        ok "All admin accounts deactivated"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
-        debug "Account : $ACCOUNT"
-        debug "Exceptions : $EXCEPTIONS"
-        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
-        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
-            debug "$ACCOUNT is confirmed as an exception"
-            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
-        warn "$RESULT"
-        for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
-            usermod -s $SHELL $USER
-        done
-    else
-        ok "All admin accounts deactivated, nothing to apply"
-    fi
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put here your exceptions concerning admin accounts shells separated by spaces
-EXCEPTIONS=""
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@ -1,85 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-PERMISSIONS='644'
-USER='root'
-GROUP='root'
-FILES='/etc/motd /etc/issue /etc/issue.net'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            crit "$FILE ownership was not set to $USER:$GROUP"
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            crit "$FILE permissions were not set to $PERMISSIONS"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
-            info "$FILE does not exist"
-            touch $FILE
-        fi
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown $USER:$GROUP $FILE
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0$PERMISSIONS $FILE
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@ -1,65 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-FILES='/etc/motd /etc/issue /etc/issue.net'
-PATTERN='(\\v|\\r|\\m|\\s)'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            crit "$PATTERN is present in $FILE"
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            warn "$PATTERN is present in $FILE"
-            delete_line_in_file $FILE $PATTERN
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@ -1,71 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.10 Find SUID System Executables (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are suid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
-            debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some suid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unknown suid files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Removing suid on valid binary may seriously harm your system, report only here"
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put Here your valid suid binaries so that they do not appear during the audit
-EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@ -1,72 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.11 Find SGID System Executables (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are sgid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
-            debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
-        fi
-    done
-    if [ ! -z "$RESULT" ]; then
-        crit "Some sgid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unknown sgid files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Removing sgid on valid binary may seriously harm your system, report only here"
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=disabled
-# Put here valid binaries with sgid enabled separated by spaces
-EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.1_etc_passwd_permissions.sh
+++ b/bin/hardening/12.1_etc_passwd_permissions.sh
@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.1 Verify Permissions on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.2_etc_shadow_permissions.sh
+++ b/bin/hardening/12.2_etc_shadow_permissions.sh
@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.2 Verify Permissions on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-PERMISSIONS='640'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.3_etc_group_permissions.sh
+++ b/bin/hardening/12.3_etc_group_permissions.sh
@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.3 Verify Permissions on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.4_etc_passwd_ownership.sh
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/passwd'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.5_etc_shadow_ownership.sh
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/shadow'
-USER='root'
-GROUP='shadow'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.6_etc_group_ownership.sh
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@ -1,76 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.6 Verify User/Group Ownership on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-FILE='/etc/group'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.7_find_world_writable_file.sh
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@ -1,62 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.7 Find World Writable Files (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are world writable files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some world writable files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No world writable files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "chmoding o-w all files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null|  xargs chmod o-w
-    else
-        ok "No world writable files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.8 Find Un-owned Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-USER='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are unowned files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some unowned files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unowned files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
-    else
-        ok "No unowned files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 12.9 Find Un-grouped Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are ungrouped files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some ungrouped files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No ungrouped files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
-    else
-        ok "No ungrouped files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
@ -1,74 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.13 Check User Home Directory Ownership (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE)
-        DIR=$(awk -F: {'print $3'} <<< $LINE)    
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
-                ERRORS=$((ERRORS+1))
-            fi
-        fi
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "All home directories have correct ownership"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
-            OWNER=$(stat -L -c "%U" "$DIR")
-            if [ "$OWNER" != "$USER" ]; then
-                warn "The home directory ($DIR) of user $USER is owned by $OWNER."
-                chown $USER $DIR
-            fi
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.14_check_duplicate_uid.sh
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.14 Check for Duplicate UIDs (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate UID ($USERID): ${USERS}"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate UIDs"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically uids may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.15_check_duplicate_gid.sh
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.15 Check for Duplicate GIDs (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        GROUPID=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate GID ($GROUPID): ${USERS}"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate GIDs"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically gids may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.16_check_duplicate_username.sh
+++ b/bin/hardening/13.16_check_duplicate_username.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.16 Check for Duplicate User Names (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        USERNAME=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate username $USERNAME"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate usernames"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically username may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.17_check_duplicate_groupname.sh
+++ b/bin/hardening/13.17_check_duplicate_groupname.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.17 Check for Duplicate Group Names (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
-    for LINE in $RESULT; do 
-        debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
-        GROUPNAME=$(awk -F: {'print $2'} <<< $LINE) 
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
-            ERRORS=$((ERRORS+1))
-            crit "Duplicate groupname $GROUPNAME"
-        fi
-    done 
-
-    if [ $ERRORS = 0 ]; then
-        ok "No duplicate groupnames"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing automatically groupname may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.6_sanitize_root_path.sh
+++ b/bin/hardening/13.6_sanitize_root_path.sh
@ -1,89 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.6 Ensure root PATH Integrity (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    if [ "`echo $PATH | grep :: `" != "" ]; then
-        crit "Empty Directory in PATH (::)"
-        ERRORS=$((ERRORS+1))
-    fi
-    if [ "`echo $PATH | grep :$`" != "" ]; then
-        crit "Trailing : in PATH $PATH"
-        ERRORS=$((ERRORS+1))
-    fi
-    FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
-    set -- $FORMATTED_PATH
-    while [ "${1:-}" != "" ]; do
-        if [ "$1" = "." ]; then
-            crit "PATH contains ."
-            ERRORS=$((ERRORS+1))
-        else
-            if [ -d $1 ]; then
-                dirperm=$(ls -ldH $1 | cut -f1 -d" ")
-                if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
-                    crit "Group Write permission set on directory $1"
-                    ERRORS=$((ERRORS+1))
-                fi
-                if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
-                    crit "Other Write permission set on directory $1"
-                    ERRORS=$((ERRORS+1))
-                fi
-                dirown=$(ls -ldH $1 | awk '{print $3}')
-                if [ "$dirown" != "root" ] ; then
-                    crit "$1 is not owned by root"
-                    ERRORS=$((ERRORS+1))
-                fi
-            else
-                crit "$1 is not a directory"
-                ERRORS=$((ERRORS+1))
-            fi
-        fi
-        shift
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "root PATH is secure"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    info "Editing items from PATH may seriously harm your system, report only here"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.8_check_user_dot_file_perm.sh
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@ -1,82 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.8 Check User Dot File Permissions (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    crit "Group Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    crit "Other Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "Dot file permission in users directories are correct"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    warn "Group Write permission set on FILE $FILE"
-                    chmod g-w $FILE
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    warn "Other Write permission set on FILE $FILE"
-                    chmod o-w $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@ -1,81 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 13.9 Check Permissions on User .netrc Files (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-PERMISSIONS="600"
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    crit "$FILE permissions were not set to $PERMISSIONS"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "permission $PERMISSIONS set on .netrc users files"
-    fi
-
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    warn "$FILE permissions were not set to $PERMISSIONS"
-                    chmod 600 $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/2.1.1_disable_xinetd.sh
+++ b/bin/hardening/2.1.1_disable_xinetd.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.1.1 Ensure xinetd is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure xinetd is not enabled."
+
+PACKAGE='xinetd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PACKAGE is installed, purging"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.1.2_disable_bsd_inetd.sh
+++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh
@ -1,25 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 5.1.8 Ensure xinetd is not enabled (Scored)
+# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure bsd-inetd is not enabled."

-PACKAGES='openbsd-inetd xinetd rlinetd'
+PACKAGES='openbsd-inetd inetutils-inetd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -28,12 +32,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -48,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
@ -1,61 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if setuid is set on world writable Directories"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "All world writable directories have a sticky bit"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
-    else
-        ok "All world writable directories have a sticky bit, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/2.19_disable_freevxfs.sh
+++ b/bin/hardening/2.19_disable_freevxfs.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-
-KERNEL_OPTION="CONFIG_VXFS_FS"
-MODULE_NAME="freevxfs"
-
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-    :
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-    :
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/2.2.1.1_use_time_sync.sh
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=false
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "Time synchronization is available through $PACKAGE"
+            FOUND=true
+        fi
+    done
+    if [ "$FOUND" = false ]; then
+        crit "None of the following time sync packages are installed: $PACKAGES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -1,25 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 8.2.2 Ensure the syslog-ng Service is activated (Scored)
+# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

-HARDENING_LEVEL=3
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure systemd-timesyncd."

-SERVICE_NAME="syslog-ng"
+SERVICE_NAME="systemd-timesyncd"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+audit() {
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
@ -27,16 +30,8 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET != 0 ]; then
-        info "Enabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
-        update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
-    else
-        ok "$SERVICE_NAME is enabled"
-    fi
+apply() {
+    :
 }

 # This function will check config parameters required
@ -46,17 +41,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+        else
+            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure ntp is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE='ntp'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_FILE='/etc/ntp.conf'
+NTP_INIT_PATTERN='RUNASUSER=ntp'
+NTP_INIT_FILE='/etc/init.d/ntp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+        else
+            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+        fi
+        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+        else
+            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+        info "Checking $PACKAGE configuration"
+    fi
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
+        backup_file "$NTP_CONF_FILE"
+        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
+    else
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
+        backup_file "$NTP_INIT_FILE"
+        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -1,27 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 6.10 Ensure HTTP Server is not enabled (Not Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure HTTP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=http

 # Based on aptitude search '~Phttpd'
 PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -1,27 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #

 #
-# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IMAP and POP servers are not installed"
+# shellcheck disable=2034
 HARDENING_EXCEPTION=mail

 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
 PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/Show More
+++ b/Show More