Update changelog

IMP(shellcheck): replace ls parsing by stat
IMP(shellcheck) refactor new line (SC1004)
2025-07-15 21:32:17 +02:00 · 2020-12-14 16:56:09 +01:00 · 2020-12-14 16:14:37 +01:00 · 2020-12-14 16:09:14 +01:00 · 2020-12-14 15:11:33 +01:00 · 2020-12-14 15:08:18 +01:00
641 changed files with 11294 additions and 8669 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+tmp/shfmt
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -1,5 +1,6 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -9,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #

-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@ -20,13 +21,14 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''

 usage() {
-    cat << EOF
+    cat <<EOF
 $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:

    --help -h
@ -76,6 +78,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit

 OPTIONS:

@ -108,186 +114,205 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST

 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
    ARG="$1"
    case $ARG in
-        --audit)
-            AUDIT=1
+    --audit)
+        AUDIT=1
        ;;
-        --audit-all)
-            AUDIT_ALL=1
+    --audit-all)
+        AUDIT_ALL=1
        ;;
-        --audit-all-enable-passed)
-            AUDIT_ALL_ENABLE_PASSED=1
+    --audit-all-enable-passed)
+        AUDIT_ALL_ENABLE_PASSED=1
        ;;
-        --apply)
-            APPLY=1
+    --apply)
+        APPLY=1
        ;;
-        --allow-service-list)
-            ALLOW_SERVICE_LIST=1
+    --allow-service-list)
+        ALLOW_SERVICE_LIST=1
        ;;
-        --allow-service)
-            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
-            shift
+    --create-config-files-only)
+        CREATE_CONFIG=1
        ;;
-        --set-hardening-level)
-            SET_HARDENING_LEVEL="$2"
-            shift
+    --allow-service)
+        ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+        shift
        ;;
-        --only)
-            TEST_LIST[${#TEST_LIST[@]}]="$2"
-            shift
+    --set-hardening-level)
+        SET_HARDENING_LEVEL="$2"
+        shift
        ;;
-        --sudo)
-            SUDO_MODE='--sudo'
+    --only)
+        TEST_LIST[${#TEST_LIST[@]}]="$2"
+        shift
        ;;
-        --batch)
-            BATCH_MODE='--batch'
-            LOGLEVEL=ok
+    --sudo)
+        SUDO_MODE='--sudo'
        ;;
-        -h|--help)
-            usage
+    --batch)
+        BATCH_MODE='--batch'
+        LOGLEVEL=ok
        ;;
-        *)
-            usage
+    -h | --help)
+        usage
+        ;;
+    *)
+        usage
        ;;
    esac
    shift
 done

 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
+# shellcheck source=../lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+# shellcheck source=../etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+# shellcheck source=../lib/common.sh
+[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
+# shellcheck source=../lib/utils.sh
+[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh

-[ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
-
-if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi

 # If --allow-service-list is specified, don't run anything, just list the supported services
-if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
+if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
    declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
    done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
    exit 0
 fi

 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
-    if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
+    if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
        echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
        exit 1
    fi

-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
-        if [ -z "$script_level" ] ; then
+        if [ -z "$script_level" ]; then
            echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
            continue
        fi
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
    done
    echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
    exit 0
 fi

+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
+for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
        # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
            # not in the list
            continue
        fi
    fi

    info "Treating $SCRIPT"
-
-    if [ $AUDIT = 1 ]; then
+    if [ "$CREATE_CONFIG" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
-    elif [ $AUDIT_ALL = 1 ]; then
+        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
-    elif [ $APPLY = 1 ]; then
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+        "$SCRIPT"
    fi

    SCRIPT_EXITCODE=$?

    debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
    case $SCRIPT_EXITCODE in
-        0)
-            debug "$SCRIPT passed"
-            PASSED_CHECKS=$((PASSED_CHECKS+1))
-            if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
-                SCRIPT_BASENAME=$(basename $SCRIPT .sh)
-                sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
-                info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
-            fi
+    0)
+        debug "$SCRIPT passed"
+        PASSED_CHECKS=$((PASSED_CHECKS + 1))
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
+            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+        fi
        ;;
-        1)
-            debug "$SCRIPT failed"
-            FAILED_CHECKS=$((FAILED_CHECKS+1))
+    1)
+        debug "$SCRIPT failed"
+        FAILED_CHECKS=$((FAILED_CHECKS + 1))
        ;;
-        2)
-            debug "$SCRIPT is disabled"
-            DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+    2)
+        debug "$SCRIPT is disabled"
+        DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
        ;;
    esac

-    TOTAL_CHECKS=$((TOTAL_CHECKS+1))
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))

 done

-TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))

-if [ $BATCH_MODE ]; then
+if [ "$BATCH_MODE" ]; then
    BATCH_SUMMARY="AUDIT_SUMMARY "
    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%.2f" $( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l))"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
    else
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
-    becho $BATCH_SUMMARY
+    becho "$BATCH_SUMMARY"
 else
    printf "%40s\n" "################### SUMMARY ###################"
-    printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
-    printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-    printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-    printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-    printf "%30s %.2f %%\n"   "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-        printf "%30s %.2f %%\n"   "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+
+    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
    else
-        printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
    fi
 fi
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -1,43 +1,43 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."

 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
-    :
 }

 # This function will check config parameters required
@ -47,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -1,43 +1,43 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."

 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
-    :
 }

 # This function will check config parameters required
@ -47,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -1,43 +1,43 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."

 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
-    :
 }

 # This function will check config parameters required
@ -47,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -1,43 +1,43 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."

 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
-    :
 }

 # This function will check config parameters required
@ -47,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.5_disable_udf.sh
+++ b/bin/hardening/1.1.1.5_disable_udf.sh
@ -1,43 +1,43 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.24 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."

 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
-    :
 }

 # This function will check config parameters required
@ -47,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.6_disable_cramfs.sh
+++ b/bin/hardening/1.1.1.6_disable_cramfs.sh
@ -1,27 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
+# 1.1.1.6 Disable Mounting of cramfs Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of cramfs filesystems."

 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@ -1,27 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."

 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"

-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,9 +32,9 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_kernel_option_enabled $KERNEL_OPTION
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,17 +49,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
+# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with noexec option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -1,53 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.7 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Create Separate Partition for /var/log (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/var/log on separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/log"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -5,49 +5,49 @@
 #

 #
-# 2.8 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=4
+# shellcheck disable=2034
 DESCRIPTION="/var/log/audit on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +59,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -1,53 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.9 Create Separate Partition for /home (Scored)
+# 1.1.13 Create Separate Partition for /home (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/home on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/home"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.10 Add nodev Option to /home (Scored)
+# 1.1.14 Ensure nodev Option set on /home (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="/home partition with nodev option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/home"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -6,7 +6,7 @@
 #

 #
-# 2.14 Add nodev Option to /run/shm Partition (Scored)
+# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
 #

 set -e # One error, it's over
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }

@ -74,17 +74,18 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -6,7 +6,7 @@
 #

 #
-# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
 #

 set -e # One error, it's over
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }

@ -74,17 +74,18 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -6,7 +6,7 @@
 #

 #
-# 2.16 Add noexec Option to /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
 #

 set -e # One error, it's over
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }

@ -74,17 +74,18 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="nodev option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -58,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="nosuid option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -58,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="noexec option for removable media partitions."

 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,33 +24,33 @@ PARTITION="/media\S*"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
-    fi 
+        add_option_to_fstab "$PARTITION" "$OPTION"
+    fi
 }

 # This function will check config parameters required
@ -58,17 +61,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -1,27 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
+# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
+    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    # shellcheck disable=SC2086
+    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        # shellcheck disable=SC2001
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
    else
        ok "All world writable directories have a sticky bit"
@ -29,10 +34,10 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+apply() {
+    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$RESULT" ]; then
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
@ -46,17 +51,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.25 Disable Automounting (Scored)
+# 1.1.22 Disable Automounting (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable automounting of devices."

 SERVICE_NAME="autofs"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
        crit "$SERVICE_NAME is enabled"
    else
        ok "$SERVICE_NAME is disabled"
@ -28,12 +31,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
-    if [ $FNRET = 0 ]; then
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is disabled"
    fi
@ -46,17 +49,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@ -1,53 +1,54 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.1 Create Separate Partition for /tmp (Scored)
+# 1.1.2 Ensure /tmp is configured (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
-DESCRIPTION="/tmp on a separate partition."
+# shellcheck disable=2034
+DESCRIPTION="Ensure /tmp is configured (Scored)"

 # Quick factoring as many script use the same logic
 PARTITION="/tmp"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
-    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +60,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 1.1.3 Ensure nodev option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="/tmp partition with nodev option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/tmp"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.3 Set nosuid option for /tmp Partition (Scored)
+# 1.1.4 Ensure nosuid option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="/tmp partition with nosuid option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/tmp"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.4 Set noexec option for /tmp Partition (Scored)
+# 1.1.5 Ensure noexec option set for /tmp Partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/tmp partition with noexec option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/tmp"
 OPTION="noexec"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -1,53 +1,56 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.5 Create Separate Partition for /var (Scored)
+# 1.1.6 Create Separate Partition for /var (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/var on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@ -1,53 +1,56 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.6.1 Create Separate Partition for /var/tmp (Scored)
+# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="/var/tmp on a separate partition."

 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }

@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
+# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nodev option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="nodev"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
+# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nosuid option."

 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="nosuid"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
-        if [ $FNRET -gt 0 ]; then
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
-            if [ $FNRET -gt 0 ]; then
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET = 0 ]; then
+apply() {
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    elif [ $FNRET = 3 ]; then
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
-    fi 
+        remount_partition "$PARTITION"
+    fi
 }

 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.1_bootloader_ownership.sh
+++ b/bin/hardening/1.4.1_bootloader_ownership.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 3.1 Set User/Group Owner on bootloader config (Scored)
+# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=1
+# shellcheck disable=2034
 DESCRIPTION="User and group root owner of grub bootloader config."

 # Assertion : Grub Based.
@ -19,25 +22,41 @@ DESCRIPTION="User and group root owner of grub bootloader config."
 FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
+PERMISSIONS='400'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
+audit() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE permissions were not set to $PERMISSIONS"
+    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
+apply() {
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }

@ -45,22 +64,22 @@ apply () {
 check_config() {

    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
        exit 128
    fi
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
        exit 128
    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
        exit 128
    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -68,17 +87,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.2_bootloader_password.sh
+++ b/bin/hardening/1.4.2_bootloader_password.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 3.3 Set Boot Loader Password (Scored)
+# 1.4.2 Ensure bootloader password is set (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Setting bootloader password to secure boot parameters."

 FILE='/boot/grub/grub.cfg'
@ -19,15 +22,15 @@ USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        crit "$USER_PATTERN not present in $FILE"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        crit "$PWD_PATTERN not present in $FILE"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -35,15 +38,15 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -54,11 +57,11 @@ apply () {
 # This function will check config parameters required
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "grub-pc is not installed, not handling configuration"
        exit 128
    fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -66,17 +69,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.3_root_password.sh
+++ b/bin/hardening/1.4.3_root_password.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 3.4 Require Authentication for Single-User Mode (Scored)
+# 1.4.3 Ensure authentication required for single user mode (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Root password for single user mode."

 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 1 ]; then
        warn "$PATTERN is present in $FILE, please put a root password"
    else
        ok "$PATTERN is not present in $FILE"
@ -45,17 +48,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.1_restrict_core_dumps.sh
+++ b/bin/hardening/1.5.1_restrict_core_dumps.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 4.1 Restrict Core Dumps (Scored)
+# 1.5.1 Ensure core dumps are restricted (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Restrict core dumps."

 LIMIT_FILE='/etc/security/limits.conf'
@ -21,18 +24,18 @@ SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    SEARCH_RES=0
    LIMIT_FILES=""
-    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
-        for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
+        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
        done
    fi
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
    for file in $LIMIT_FILE $LIMIT_FILES; do
-        does_pattern_exist_in_file $file $LIMIT_PATTERN
-        if [ $FNRET != 0 ]; then
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
            debug "$LIMIT_PATTERN not present in $file"
        else
            ok "$LIMIT_PATTERN present in $file"
@ -40,13 +43,13 @@ audit () {
            break
        fi
    done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -54,23 +57,23 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
        add_end_of_file $LIMIT_FILE "* hard core 0"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi 
+    fi

 }

@ -81,17 +84,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.2_enable_nx_support.sh
+++ b/bin/hardening/1.5.2_enable_nx_support.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."

 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
@ -31,11 +34,11 @@ nx_supported_and_enabled() {
 }

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+audit() {
+    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -46,11 +49,11 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+apply() {
+    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -67,17 +70,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
@ -1,28 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."

 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+audit() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -30,12 +33,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
+apply() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -49,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.4_disable_prelink.sh
+++ b/bin/hardening/1.5.4_disable_prelink.sh
@ -1,25 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 4.4 Disable Prelink (Scored)
+# 1.5.4 Ensure prelink is disabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable prelink to prevent libraries compromission."

 PACKAGE='prelink'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -48,17 +51,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.2.1 Activate AppArmor (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Activate AppArmor to enforce permissions control."
+
+PACKAGE='apparmor'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is absent!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ "$ERROR" = 0 ]; then
+        ok "$PACKAGE is configured"
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
+    else
+        ok "$PACKAGE is installed"
+    fi
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from motd"
+
+FILE='/etc/motd'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from Login Warning Banners."
+
+FILE='/etc/issue'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file $FILE "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Remove OS information from remote Login Warning Banners."
+
+FILE='/etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PATTERN is present in $FILE"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PATTERN is present in $FILE"
+        delete_line_in_file "$FILE" "$PATTERN"
+    else
+        ok "$PATTERN is not present in $FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.4_motd_perms.sh
+++ b/bin/hardening/1.7.1.4_motd_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/motd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    fi
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "fixing $FILE ownership to $USER:$GROUP"
+        chown "$USER":"$GROUP" "$FILE"
+    fi
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    if [ "$FNRET" = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0"$PERMISSIONS" "$FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/1.7.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.7.2_graphical_warning_banners.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 11.3 Set Graphical Warning Banner (Not Scored)
+# 1.7.2 Ensure GDM login banner is configured (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Set graphical warning banner."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Not implemented yet"
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Not implemented yet"
 }

@ -31,17 +34,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.8_install_updates.sh
+++ b/bin/hardening/1.8_install_updates.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
-DESCRIPTION="Install updates, patches and additional secutiry software."
+# shellcheck disable=2034
+DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if apt needs an update"
-    apt_update_if_needed 
+    apt_update_if_needed
    info "Fetching upgrades ..."
    apt_check_updates "CIS_APT"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$RESULT"
        FNRET=1
    else
@ -30,8 +33,8 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    if [ $FNRET -gt 0 ]; then 
+apply() {
+    if [ "$FNRET" -gt 0 ]; then
        info "Applying Upgrades..."
        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
    else
@ -47,17 +50,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@ -1,92 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 10.1.1 Set Password Expiration Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Set password expiration days."
-
-PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@ -1,92 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 10.1.2 Set Password Change Minimum Number of Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Set password change minimum number of days."
-
-PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
@ -1,92 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 10.1.3 Set Password Expiring Warning Days (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Set password expiration warning days."
-
-PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
-FILE='/etc/login.defs'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
-            if [ $FNRET = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                fi
-            fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
-
-PERMISSIONS='644'
-USER='root'
-GROUP='root'
-FILES='/etc/motd /etc/issue /etc/issue.net'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
-            crit "$FILE does not exist"
-            continue
-        fi
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            crit "$FILE ownership was not set to $USER:$GROUP"
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            crit "$FILE permissions were not set to $PERMISSIONS"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
-            info "$FILE does not exist"
-            touch $FILE
-        fi
-        has_file_correct_ownership $FILE $USER $GROUP
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown $USER:$GROUP $FILE
-        fi
-        has_file_correct_permissions $FILE $PERMISSIONS
-        if [ $FNRET = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0$PERMISSIONS $FILE
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@ -1,66 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Remove OS information from Login Warning Banners."
-
-FILES='/etc/motd /etc/issue /etc/issue.net'
-PATTERN='(\\v|\\r|\\m|\\s)'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            crit "$PATTERN is present in $FILE"
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for FILE in $FILES; do
-        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            warn "$PATTERN is present in $FILE"
-            delete_line_in_file $FILE $PATTERN
-        else
-            ok "$PATTERN is not present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.1_etc_passwd_permissions.sh
+++ b/bin/hardening/12.1_etc_passwd_permissions.sh
@ -1,62 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.1 Verify Permissions on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check permissions on /etc/passwd to 644."
-
-FILE='/etc/passwd'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.2_etc_shadow_permissions.sh
+++ b/bin/hardening/12.2_etc_shadow_permissions.sh
@ -1,62 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.2 Verify Permissions on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check permissions on /etc/shadow to 640."
-
-FILE='/etc/shadow'
-PERMISSIONS='640'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.3_etc_group_permissions.sh
+++ b/bin/hardening/12.3_etc_group_permissions.sh
@ -1,62 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.3 Verify Permissions on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check permissions on /etc/group to 644."
-
-FILE='/etc/group'
-PERMISSIONS='644'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.4_etc_passwd_ownership.sh
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@ -1,77 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check user/group to root on /etc/passwd."
-
-FILE='/etc/passwd'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.5_etc_shadow_ownership.sh
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
@ -1,77 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check user/group to root on etc/shadow."
-
-FILE='/etc/shadow'
-USER='root'
-GROUP='shadow'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.6_etc_group_ownership.sh
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@ -1,77 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.6 Verify User/Group Ownership on /etc/group (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Check user/group to root on /etc/group."
-
-FILE='/etc/group'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_ownership $FILE $USER $GROUP
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@ -1,75 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.8 Find Un-owned Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-DESCRIPTION="Find un-owned files and directories."
-
-USER='root'
-EXCLUDED=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
-    else
-        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        crit "Some unowned files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unowned files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
-    else
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
-    else
-        ok "No unowned files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@ -1,75 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 12.9 Find Un-grouped Files and Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-DESCRIPTION="Find un-grouped files and directories."
-
-GROUP='root'
-EXCLUDED=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
-    else
-        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        crit "Some ungrouped files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No ungrouped files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
-    else
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
-    else
-        ok "No ungrouped files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.8_check_user_dot_file_perm.sh
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@ -1,83 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 13.8 Check User Dot File Permissions (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-DESCRIPTION="Check user dot file permissions."
-
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    crit "Group Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    crit "Other Write permission set on FILE $FILE"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "Dot file permission in users directories are correct"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
-                    warn "Group Write permission set on FILE $FILE"
-                    chmod g-w $FILE
-                fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
-                    warn "Other Write permission set on FILE $FILE"
-                    chmod o-w $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@ -1,82 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 13.9 Check Permissions on User .netrc Files (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=2
-DESCRIPTION="Check user permissions on .netrc file."
-
-PERMISSIONS="600"
-ERRORS=0
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    crit "$FILE permissions were not set to $PERMISSIONS"
-                    ERRORS=$((ERRORS+1))
-                fi
-            fi
-        done
-    done
-
-    if [ $ERRORS = 0 ]; then
-        ok "permission $PERMISSIONS set on .netrc users files"
-    fi
-
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-    debug "Working on $DIR"
-        for FILE in $DIR/.netrc; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                has_file_correct_permissions $FILE $PERMISSIONS
-                if [ $FNRET = 0 ]; then
-                    ok "$FILE has correct permissions"
-                else
-                    warn "$FILE permissions were not set to $PERMISSIONS"
-                    chmod 600 $FILE
-                fi
-            fi
-        done
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/2.1.1_disable_xinetd.sh
+++ b/bin/hardening/2.1.1_disable_xinetd.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.1.1 Ensure xinetd is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure xinetd is not enabled."
+
+PACKAGE='xinetd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        warn "$PACKAGE is installed, purging"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.1.2_disable_bsd_inetd.sh
+++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 5.1.8 Ensure xinetd is not enabled (Scored)
+# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
-DESCRIPTION="Ensure xinetd is not enabled."
+# shellcheck disable=2034
+DESCRIPTION="Ensure bsd-inetd is not enabled."

-PACKAGES='openbsd-inetd xinetd rlinetd'
+PACKAGES='openbsd-inetd inetutils-inetd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.1_use_time_sync.sh
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure time synchronization is in use"
+
+PACKAGES="ntp chrony"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=false
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "Time synchronization is available through $PACKAGE"
+            FOUND=true
+        fi
+    done
+    if [ "$FOUND" = false ]; then
+        crit "None of the following time sync packages are installed: $PACKAGES"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.1.2_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure ntp is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE='ntp'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_FILE='/etc/ntp.conf'
+NTP_INIT_PATTERN='RUNASUSER=ntp'
+NTP_INIT_FILE='/etc/init.d/ntp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+        else
+            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+        fi
+        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+        else
+            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+        info "Checking $PACKAGE configuration"
+    fi
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
+        backup_file "$NTP_CONF_FILE"
+        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
+    else
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
+        backup_file "$NTP_INIT_FILE"
+        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.3 Ensure chrony is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=ntp
+
+PACKAGE=chrony
+CONF_DEFAULT_PATTERN='^(server|pool)'
+CONF_FILE='/etc/chrony/chrony.conf'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed, checking configuration"
+        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
+        else
+            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -1,28 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.10 Ensure HTTP Server is not enabled (Not Scored)
+# 2.2.10 Ensure HTTP Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure HTTP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=http

 # Based on aptitude search '~Phttpd'
 PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -1,28 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
+# 2.2.11 Ensure IMAP and POP server is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
-DESCRIPTION="Ensure IMAP and POP servers are not enabled."
+# shellcheck disable=2034
+DESCRIPTION="Ensure IMAP and POP servers are not installed"
+# shellcheck disable=2034
 HARDENING_EXCEPTION=mail

 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
 PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -1,46 +1,64 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.12 Ensure Samba is not enabled (Not Scored)
+# 2.2.12 Ensure Samba is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure Samba is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=samba

 PACKAGES='samba'
+SERVICE='smbd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+    else
+        ok "Service $SERVICE is disabled"
+    fi
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" = 0 ]; then
+        crit "Service $SERVICE is enabled!"
+        systemctl disable "$SERVICE"
+    else
+        ok "Service $SERVICE is disabled"
+    fi
 }

 # This function will check config parameters required
@ -50,17 +68,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.13_disable_http_proxy.sh
+++ b/bin/hardening/2.2.13_disable_http_proxy.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure HTTP-proxy is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=http

 PACKAGES='squid3 squid'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+# 2.2.14 Ensure SNMP Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Enure SNMP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=snmp

 PACKAGES='snmpd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -1,22 +1,26 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=mail

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking netport ports opened"
    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
    RESULT=${RESULT:-}
@ -25,7 +29,7 @@ audit () {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            crit "MTA listens worldwide"
@ -34,7 +38,7 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Checking netport ports opened"
    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
    RESULT=${RESULT:-}
@ -43,7 +47,7 @@ apply () {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            warn "MTA listens worldwide, correct this considering your MTA"
@ -59,17 +63,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.16_disable_rsync.sh
+++ b/bin/hardening/2.2.16_disable_rsync.sh
@ -1,18 +1,22 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.16 Ensure rsync service is not enabled (Scored)
+# 2.2.16 Ensure rsync service is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure rsync service is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=rsync

 PACKAGE='rsync'
@ -21,14 +25,14 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
 RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
            crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@ -37,17 +41,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
+        if [ "$FNRET" != 0 ]; then
            warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
-            backup_file $RSYNC_DEFAULT_FILE
-            replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+            backup_file "$RSYNC_DEFAULT_FILE"
+            replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
        fi
@ -61,17 +65,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.18_disable_telnet_server.sh
+++ b/bin/hardening/2.2.18_disable_telnet_server.sh
@ -1,17 +1,22 @@
 #!/bin/bash

+# run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #

 #
-# 5.1.6 Ensure telnet server is not enabled (Scored)
+# 2.2.18 Ensure telnet server is not enabled (Scored)
 #

+# Note: this check is not anymore in CIS hardening but we decided to keep it anyway
+
 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."

 # Based on  aptitude search '~Ptelnet-server'
@ -20,17 +25,17 @@ FILE='/etc/inetd.conf'
 PATTERN='^telnet'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, checking configuration"
-            does_file_exist $FILE
-            if [ $FNRET != 0 ]; then
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
                ok "$FILE does not exist"
            else
-                does_pattern_exist_in_file $FILE $PATTERN
-                if [ $FNRET = 0 ]; then
+                does_pattern_exist_in_file "$FILE" "$PATTERN"
+                if [ "$FNRET" = 0 ]; then
                    crit "$PATTERN exists, $PACKAGE services are enabled!"
                else
                    ok "$PATTERN is not present in $FILE"
@ -43,27 +48,28 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
        fi
-        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
            ok "$FILE does not exist"
        else
            info "$FILE exists, checking patterns"
-            does_pattern_exist_in_file $FILE $PATTERN
-            if [ $FNRET = 0 ]; then
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
                warn "$PATTERN is present in $FILE, purging it"
                backup_file $FILE
-                ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
-                sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
+                # shellcheck disable=SC2001
+                ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
+                sed -ie "s/$ESCAPED_PATTERN/#&/g" "$FILE"
            else
                ok "$PATTERN is not present in $FILE"
            fi
@ -78,17 +84,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -1,28 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.1 Ensure the X Window system is not installed (Scored)
+# 2.2.2 Ensure the X Window system is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure the X Window system is not installed."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=x11

 # Based on aptitude search '~Pxserver'
 PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.2 Ensure Avahi Server is not enabled (Scored)
+# 2.2.3 Ensure Avahi Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure Avahi server is not enabled."

 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.3 Ensure print server is not enabled (Not Scored)
+# 2.2.4 Ensure CUPS is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=cups

 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.4 Ensure DHCP Server is not enabled (Scored)
+# 2.2.5 Ensure DHCP Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure DHCP server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=dhcp

 PACKAGES='udhcpd isc-dhcp-server'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.6 Ensure LDAP is not enabled (Not Scored)
+# 2.2.6 Ensure LDAP server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure LDAP is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=ldap

 PACKAGES='slapd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
+# 2.2.7 Ensure NFS and RPC are not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=nfs

 PACKAGES='rpcbind nfs-kernel-server'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -1,27 +1,31 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.8 Ensure DNS Server is not enabled (Not Scored)
+# 2.2.8 Ensure DNS Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=dns

 PACKAGES='bind9 unbound'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -1,28 +1,32 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 6.9 Ensure FTP Server is not enabled (Not Scored)
+# 2.2.9 Ensure FTP Server is not enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
+# shellcheck disable=2034
 HARDENING_EXCEPTION=ftp

 # Based on aptitude search '~Pftp-server'
 PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -1,25 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 5.1.1 Ensure NIS is not installed (Scored)
+# 2.3.1 Ensure NIS client is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."

 PACKAGE='nis'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET = 0 ]; then
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
@ -46,17 +49,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -1,27 +1,30 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 5.1.3 Ensure rsh client is not installed (Scored)
+# 2.3.2 Ensure rsh client is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."

 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -30,13 +33,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +53,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -1,26 +1,29 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 5.1.5 Ensure talk client is not installed (Scored)
+# 2.3.3 Ensure talk client is not installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Ensure talk client is not installed."

 PACKAGES='talk inetutils-talk'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.4 Ensure telnet client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure telnet client is not installed."
+
+PACKAGES='telnet'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PACKAGE is installed, purging"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.3.5 Ensure LDAP client is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ldap client is not installed."
+
+PACKAGES='ldap-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PACKAGE is installed, purging"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -0,0 +1,81 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 3.1.1 Ensure IP forwarding is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+HARDENING_EXCEPTION=gw
+# shellcheck disable=2034
+DESCRIPTION="Disable IP forwarding."
+
+SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+            elif [ "$FNRET" = 255 ]; then
+                warn "$SYSCTL_PARAM does not exist -- Typo?"
+            else
+                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+            fi
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
@ -1,17 +1,20 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.1.2 Disable Send Packet Redirects (Scored)
+# 3.1.2 Ensure packet redirect sending is disabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."

 #net.ipv4.conf.all.send_redirects = 0
@ -19,15 +22,15 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
 SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,17 +39,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -61,17 +64,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 3.2.1 Ensure source routed packets are not accepted (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable source routed packet acceptance."
+# set in config file
+SYSCTL_PARAMS=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+            elif [ "$FNRET" = 255 ]; then
+                warn "$SYSCTL_PARAM does not exist -- Typo?"
+            else
+                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+            fi
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0"
+EOF
+}
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@ -0,0 +1,93 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
+# set in config file
+SYSCTL_PARAMS=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        does_sysctl_param_exists "net.ipv6"
+        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+            elif [ "$FNRET" = 255 ]; then
+                warn "$SYSCTL_PARAM does not exist -- Typo?"
+            else
+                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+            fi
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Specify system parameters to audit, space separated
+SYSCTL_PARAMS="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
+EOF
+}
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."

 SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.4_log_martian_packets.sh
+++ b/bin/hardening/3.2.4_log_martian_packets.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.4 Log Suspicious Packets (Scored)
+# 3.2.4 Ensure suspicious packets are logged (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Log suspicious packets, like spoofed packets."

 SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."

 SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist --Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.6 Enable Bad Error Message Protection (Scored)
+# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."

 SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.7_enable_source_route_validation.sh
+++ b/bin/hardening/3.2.7_enable_source_route_validation.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Enable RFC-recommended source route validation."

 SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
@ -1,31 +1,34 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.2.8 Enable TCP SYN Cookies (Scored)
+# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."

 SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -34,17 +37,17 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        if [ $FNRET != 0 ]; then
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
-        elif [ $FNRET = 255 ]; then
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,17 +62,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
@ -1,35 +1,38 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Disable IPv6 router advertisements."

 SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            if [ $FNRET != 0 ]; then
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,21 +42,21 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-            if [ $FNRET != 0 ]; then
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-                sysctl -w net.ipv4.route.flush=1 > /dev/null
-            elif [ $FNRET = 255 ]; then
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+                sysctl -w net.ipv4.route.flush=1 >/dev/null
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +72,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@ -1,72 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 3.2 Set Permissions on bootloader config (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=1
-DESCRIPTION="Permissions for root only on grub bootloader config."
-
-# Assertion : Grub Based.
-
-FILE='/boot/grub/grub.cfg'
-PERMISSIONS='400'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
-    has_file_correct_permissions $FILE $PERMISSIONS
-    if [ $FNRET = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
-    fi
-    if [ $FNRET != 0 ]; then
-        crit "$FILE does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi
--- a/bin/hardening/3.3.1_install_tcp_wrapper.sh
+++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh
@ -1,25 +1,28 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #

 #
-# 7.4.1 Install TCP Wrappers (Scored)
+# 3.3.1 Ensure TCP Wrappers is installed (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."

 PACKAGE='tcpd'

 # This function will be called if the script status is on enabled / audit mode
-audit () {
-    is_pkg_installed $PACKAGE
-    if [ $FNRET != 0 ]; then
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
@ -27,14 +30,14 @@ audit () {
 }

 # This function will be called if the script status is on enabled mode
-apply () {
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            ok "$PACKAGE is installed"
-        else
-            crit "$PACKAGE is absent, installing it"
-            apt_install $PACKAGE
-        fi
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
 }

 # This function will check config parameters required
@ -44,17 +47,19 @@ check_config() {

 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/Show More
+++ b/Show More