Update changelog

add log details to be more comprehensive (#49 )
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2025-07-16 13:52:17 +02:00 · 2021-03-15 08:25:26 +01:00 · 2021-02-17 12:04:11 +01:00 · 2021-02-17 12:00:13 +01:00 · 2021-02-17 11:51:51 +01:00 · 2021-02-17 11:45:20 +01:00
568 changed files with 12685 additions and 5978 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,7 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -0,0 +1,17 @@
 ---
 name: Compile debian man
 on:
  - push
 jobs:
  compile-debian-man:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Produce debian man
        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
      - uses: EndBug/add-and-commit@v7
        with:
          add: 'debian/cis-hardening.8'
          message: 'Regenerate man pages (Github action)'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -0,0 +1,27 @@
 ---
 name: Run functionnal tests
 on:
  - pull_request
  - push
 jobs:
  functionnal-tests-docker-debian9:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian9
        run: ./tests/docker_build_and_run_tests.sh debian9
  functionnal-tests-docker-debian10:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -0,0 +1,64 @@
 ---
 name: Create Pre-Release
 on:
  push:
    branches:
      - master
 jobs:
  build:
    name: Create Pre-Release
    runs-on: ubuntu-latest
    steps:
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v2
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.1.3
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
        uses: actions-ecosystem/action-get-latest-tag@v1
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
        uses: metcalfc/changelog-generator@v0.4.4
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
      # CREATE RELEASE NAMED LATEST
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: latest
          release_name: Pre-release
          body: ${{ steps.changelog.outputs.changelog }}
          draft: false
          prerelease: true
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -0,0 +1,29 @@
 ---
 name: Run shell-linter
 on:
  - push
  - pull_request
 jobs:
  shellfmt:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the sh-checker
        uses: luizm/action-sh-checker@v0.1.12
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
        with:
          sh_checker_shellcheck_disable: true
          sh_checker_comment: true
          sh_checker_exclude: |
                              src/
                              debian/postrm
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run shellcheck
        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -0,0 +1,66 @@
 ---
 name: Create Release
 on:
  push:
    tags:
      - 'v*'
 jobs:
  build:
    name: Create Release
    # only runs on master
    if: github.event.base_ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      # GET VERSION TAG
      - name: Get latest version number
        id: vars
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: ${{ steps.vars.outputs.tag }}
      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
      - name: Generate changelog
        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
      - name: Abort if changelog is empty
        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.1.3
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # CREATE RELEASE
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          body_path: changelog.md
          draft: false
          prerelease: false
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 tmp/shfmt
--- a/7
+++ b/7
@ -1,8 +1,9 @@
 Contributors of this project :
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
--- a/211
+++ b/211
@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
+Copyright 2020 OVHcloud
 All rights reserved.
-Redistribution and use in source and binary forms, with or without
+   Licensed under the Apache License, Version 2.0 (the "License");
-modification, are permitted provided that the following conditions are met:
+   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
-  * Redistributions of source code must retain the above copyright
+       http://www.apache.org/licenses/LICENSE-2.0
    notice, this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
  * Neither the name of OVH SAS nor the
    names of its contributors may be used to endorse or promote products
    derived from this software without specific prior written permission.
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
+   Unless required by applicable law or agreed to in writing, software
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   distributed under the License is distributed on an "AS IS" BASIS,
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+   See the License for the specific language governing permissions and
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+   limitations under the License.
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+   A copy of the license terms follows:
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+                                 Apache License
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
--- a/MANUAL.md
+++ b/MANUAL.md
@ -0,0 +1,160 @@
 % CIS-HARDENING(8)
 %
 % 2016
 # NAME
 cis-hardening - CIS Debian 9/10 Hardening
 # SYNOPSIS
 **hardening.sh** RUN_MODE [OPTIONS]
 # DESCRIPTION
 Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 # SCRIPTS CONFIGURATION
 Hardening scripts are in `bin/hardening`. Each script has a corresponding
 configuration file in `etc/conf.d/[script_name].cfg`.
 Each hardening script can be individually enabled from its configuration file.
 For example, this is the default configuration file for `disable_system_accounts`:
 ```
 # Configuration for script of same name
 status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""
 ```
 **status** parameter may take 3 values:
 - `disabled` (do nothing): The script will not run.
 - `audit` (RO): The script will check if any change should be applied.
 - `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
 Global configuration is in `etc/hardening.cfg`. This file controls the log level
 as well as the backup directory. Whenever a script is instructed to edit a file, it
 will create a timestamped backup in this directory.
 # RUN MODE
 `-h`, `--help`
 :   Display a friendly help message.
 `--apply`
 :   Apply hardening for enabled scripts.
    Beware that NO confirmation is asked whatsoever, which is why you're warmly
    advised to use `--audit` before, which can be regarded as a dry-run mode.
 `--audit`
 :   Audit configuration for enabled scripts.
    No modification will be made on the system, we'll only report on your system
    compliance for each script.
 `--audit-all`
 :   Same as `--audit`, but for *all* scripts, even disabled ones.
    This is a good way to peek at your compliance level if all scripts were enabled,
    and might be a good starting point.
 `--audit-all-enable-passed`
 :   Same as `--audit-all`, but in addition, will *modify* the individual scripts
    configurations to enable those which passed for your system.
    This is an easy way to enable scripts for which you're already compliant.
    However, please always review each activated script afterwards, this option
    should only be regarded as a way to kickstart a configuration from scratch.
    Don't run this if you have already customized the scripts enable/disable
    configurations, obviously.
 `--create-config-files-only`
 :   Create the config files in etc/conf.d
    Must be run as root, before running the audit with user secaudit
 `-set-hardening-level=level`
 :   Modifies the configuration to enable/disable tests given an hardening level,
    between 1 to 5. Don't run this if you have already customized the scripts
    enable/disable configurations.
    1: very basic policy, failure to pass tests at this level indicates severe
        misconfiguration of the machine that can have a huge security impact
    2: basic policy, some good practice rules that, once applied, shouldn't
        break anything on most systems
    3: best practices policy, passing all tests might need some configuration
        modifications (such as specific partitioning, etc.)
    4: high security policy, passing all tests might be time-consuming and
        require high adaptation of your workflow
    5: placebo, policy rules that might be very difficult to apply and maintain,
        with questionable security benefits
 `--allow-service=service`
 :   Use with `--set-hardening-level`.
    Modifies the policy to allow a certain kind of services on the machine, such
    as http, mail, etc. Can be specified multiple times to allow multiple services.
    Use --allow-service-list to get a list of supported services.
 # OPTIONS
 `--allow-service-list`
 :   Get a list of supported service.
 `--only test-number`
 :    Modifies the RUN_MODE to only work on the test_number script.
    Can be specified multiple times to work only on several scripts.
    The test number is the numbered prefix of the script,
    i.e. the test number of 1.2_script_name.sh is 1.2.
 `--sudo`
 :   This option lets you audit your system as a normal user, but allows sudo
    escalation to gain read-only access to root files. Note that you need to
    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
    the -n option instructs sudo not to prompt for a password.
    Finally note that `--sudo` mode only works for audit mode.
 `--set-log-level=level`
 :   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
    Default value is : info
 `--batch`
 :   While performing system audit, this option sets LOGLEVEL to 'ok' and
    captures all output to print only one line once the check is done, formatted like :
    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 `--allow-unsupported-distribution`
    Must be specified manually in the command line to allow the run on non compatible
    version or distribution. If you want to mute the warning change the LOGLEVEL
    in /etc/hardening.cfg
 # AUTHORS
 - Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
 - Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
 - Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 - Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
 # COPYRIGHT
 Copyright 2020 OVHcloud
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 # SEE ALSO
 - **Center for Internet Security**: https://www.cisecurity.org/
 - **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **Project repository**: https://github.com/ovh/debian-cis
--- a/README.md
+++ b/README.md
@ -1,44 +1,60 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 9/10 Hardening
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+report issues if you find any !
 <p align="center">
      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
 </p>
 ![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
 ![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
 ![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
 ![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
-13.15_check_duplicate_gid [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
+6.2.19_check_duplicate_gr [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
+      Total Available Checks : 232
-         Total Runned Checks : 191
+         Total Runned Checks : 166
-         Total Passed Checks : [ 170/191 ]
+         Total Passed Checks : [ 142/166 ]
-         Total Failed Checks : [  21/191 ]
+         Total Failed Checks : [  24/166 ]
-   Enabled Checks Percentage : 100.00 %
+   Enabled Checks Percentage : 71.00 %
-       Conformity Percentage : 89.01 %
+       Conformity Percentage : 85.00 %
 ```
-## Quickstart
+## :dizzy: Quickstart
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
-1.1_install_updates [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
-1.1_install_updates [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
-1.1_install_updates [INFO] Checking if apt needs an update
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
-1.1_install_updates [INFO] Fetching upgrades ...
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
-1.1_install_updates [ OK ] No upgrades available
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
-1.1_install_updates [ OK ] Check Passed
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
-## Usage
+## :hammer: Usage
 ### Configuration
@ -72,7 +88,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
 ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,16 +98,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
-## Hacking
+``--only <check_number>``: run only the selected checks.
 ``--set-hardening-level``: run all checks that are lower or equal to the selected level.
 Do NOT use this option if you have already started to customize your configuration.
 ``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
 to allow a certain kind of services on the machine, such as http, mail, etc.
 Can be specified multiple times to allow multiple services.
 Use --allow-service-list to get a list of supported services.
 ``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
 Default value is : info
 ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
 before running the audit with user secaudit, to have the rights setup well on the conf files.
 ``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
 the run on non compatible version or distribution. If you want to mute the warning change the
 LOGLEVEL in /etc/hardening.cfg
 ## :computer: Hacking
 **Getting the source**
@ -110,6 +148,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
 Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
 If the check replace somehow one that is in the CIS specifications,
 you can use the numerotation of the check it replaces inplace. For example we check
 the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
 Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
 (part of OVHcloud security policy)
 Code your check explaining what it does then if you want to test
@ -117,7 +164,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 Functional tests are available. They are to be run in a Docker environment.
@ -125,7 +172,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian9` or `debian10`.
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@ -151,10 +198,49 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
 and that we will not test the apply function. It's because the check is very basic
 (like a package install) and that a test on it is not really necessary.
 Furthermore, some tests are disabled on docker because there not pertinent (kernel 
 modules, grub, partitions, ...)
 You can disable a check on docker with:
 ```bash
 if [ -f "/.dockerenv" ]; then
  skip "SKIPPED on docker"
 else
 ...
 fi
 ```
 ## :art: Coding style
 ### Shellcheck
 We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
 correctness of the scripts and to respect best practices.
 It can be used directly with the docker environnment to check all scripts 
 compliancy. By default it runs on every `.sh` it founds.
 ```console
 $ ./shellcheck/launch_shellcheck.sh [name of script...]
 ```
 ### Shellfmt
 We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
 consistent style in every script. 
 Identically to shellcheck, it can be run through a script with the following:
 ```console
 $ ./shellfmt/launch_shellfmt.sh
 ```
 It will automatically fix any styling problem on every script.
 ## :heavy_exclamation_mark: Disclaimer
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
@ -163,7 +249,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -171,13 +257,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-## Reference
+## :satellite: Reference
 - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
-## License
+## :page_facing_up: License
 3-Clause BSD
 Apache, Version 2.0
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -9,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@ -20,13 +21,16 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
 CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 usage() {
-    cat << EOF
+    cat <<EOF
 $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
    --help -h
@ -76,6 +80,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
    --create-config-files-only
        Create the config files in etc/conf.d
        Must be run as root, before running the audit with user secaudit
 OPTIONS:
@ -92,10 +100,19 @@ OPTIONS:
        the '-n' option instructs sudo not to prompt for a password.
        Finally note that '--sudo' mode only works for audit mode.
    --set-log-level <level>
        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
        Default value is : info
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
    --allow-unsupported-distribution
        Must be specified manually in the command line to allow the run on non compatible
        version or distribution. If you want to mute the warning change the LOGLEVEL
        in /etc/hardening.cfg
 EOF
    exit 0
@ -108,190 +125,249 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
    ARG="$1"
    case $ARG in
-        --audit)
+    --audit)
-            AUDIT=1
+        AUDIT=1
        ;;
-        --audit-all)
+    --audit-all)
-            AUDIT_ALL=1
+        AUDIT_ALL=1
        ;;
-        --audit-all-enable-passed)
+    --audit-all-enable-passed)
-            AUDIT_ALL_ENABLE_PASSED=1
+        AUDIT_ALL_ENABLE_PASSED=1
        ;;
-        --apply)
+    --apply)
-            APPLY=1
+        APPLY=1
        ;;
-        --allow-service-list)
+    --allow-service-list)
-            ALLOW_SERVICE_LIST=1
+        ALLOW_SERVICE_LIST=1
        ;;
-        --allow-service)
+    --create-config-files-only)
-            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+        CREATE_CONFIG=1
            shift
        ;;
-        --set-hardening-level)
+    --allow-service)
-            SET_HARDENING_LEVEL="$2"
+        ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
-            shift
+        shift
        ;;
-        --only)
+    --set-hardening-level)
-            TEST_LIST[${#TEST_LIST[@]}]="$2"
+        SET_HARDENING_LEVEL="$2"
-            shift
+        shift
        ;;
-        --sudo)
+    --set-log-level)
-            SUDO_MODE='--sudo'
+        ASK_LOGLEVEL=$2
        shift
        ;;
-        --batch)
+    --only)
-            BATCH_MODE='--batch'
+        TEST_LIST[${#TEST_LIST[@]}]="$2"
-            LOGLEVEL=ok
+        shift
        ;;
-        -h|--help)
+    --sudo)
-            usage
+        SUDO_MODE='--sudo'
        ;;
-        *)
+    --batch)
-            usage
+        BATCH_MODE='--batch'
        ASK_LOGLEVEL=ok
        ;;
    --allow-unsupported-distribution)
        ALLOW_UNSUPPORTED_DISTRIBUTION=1
        ;;
    -h | --help)
        usage
        ;;
    *)
        usage
        ;;
    esac
    shift
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
-[ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
+# shellcheck source=../etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
-[ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh
+# shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=../lib/constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
-if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 if [ "$DISTRIBUTION" != "debian" ]; then
    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
        echo "Exiting now"
        exit 100
    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
    fi
 else
    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    fi
 fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
-if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
+if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
    declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
    done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
    exit 0
 fi
 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
-    if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
+    if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
        echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
        exit 1
    fi
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
-        if [ -z "$script_level" ] ; then
+        if [ -z "$script_level" ]; then
            echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
            continue
        fi
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
    done
    echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
    exit 0
 fi
 if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
    echo "For --create-config-files-only, please run as root"
    exit 1
 fi
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
-    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
        # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
+        # shellcheck disable=SC2001
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
            # not in the list
            continue
        fi
    fi
    info "Treating $SCRIPT"
-
+    if [ "$CREATE_CONFIG" = 1 ]; then
-    if [ $AUDIT = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $AUDIT_ALL = 1 ]; then
+    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $APPLY = 1 ]; then
+    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+        "$SCRIPT"
    fi
    SCRIPT_EXITCODE=$?
    debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
    case $SCRIPT_EXITCODE in
-        0)
+    0)
-            debug "$SCRIPT passed"
+        debug "$SCRIPT passed"
-            PASSED_CHECKS=$((PASSED_CHECKS+1))
+        PASSED_CHECKS=$((PASSED_CHECKS + 1))
-            if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
-                SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
-                sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
-                info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
-            fi
+        fi
        ;;
-        1)
+    1)
-            debug "$SCRIPT failed"
+        debug "$SCRIPT failed"
-            FAILED_CHECKS=$((FAILED_CHECKS+1))
+        FAILED_CHECKS=$((FAILED_CHECKS + 1))
        ;;
-        2)
+    2)
-            debug "$SCRIPT is disabled"
+        debug "$SCRIPT is disabled"
-            DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+        DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
        ;;
    esac
-    TOTAL_CHECKS=$((TOTAL_CHECKS+1))
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
 done
-TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
-if [ $BATCH_MODE ]; then
+if [ "$BATCH_MODE" ]; then
    BATCH_SUMMARY="AUDIT_SUMMARY "
    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
    else
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
-    becho $BATCH_SUMMARY
+    becho "$BATCH_SUMMARY"
 else
    printf "%40s\n" "################### SUMMARY ###################"
-    printf "%30s %s\n"        "Total Available Checks :" "$TOTAL_CHECKS"
+    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
-    printf "%30s %s\n"        "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+    printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-    printf "%30s [ %7s ]\n"   "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-    printf "%30s [ %7s ]\n"   "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-    
+
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
-    CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
-    printf "%30s %s %%\n"   "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
+    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        printf "%30s %s %%\n"   "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
+        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
    else
-        printf "%30s %s %%\n"   "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
    fi
 fi
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -1,40 +1,52 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
@ -45,17 +57,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -1,40 +1,52 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
@ -45,17 +57,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -1,40 +1,52 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
+MODULE_NAME="hfs"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
@ -45,17 +57,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -1,40 +1,52 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
+MODULE_NAME="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
@ -45,17 +57,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_NAME="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.1.5_disable_udf.sh
+++ b/bin/hardening/1.1.1.5_disable_udf.sh
@ -1,62 +0,0 @@
 #!/bin/bash
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    is_kernel_option_enabled $KERNEL_OPTION
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_NAME="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@ -1,64 +0,0 @@
 #!/bin/bash
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
    :
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    is_kernel_option_enabled $KERNEL_OPTION
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -0,0 +1,69 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=5
 # shellcheck disable=2034
 DESCRIPTION="Limit mounting of FAT filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_VFAT_FS"
 MODULE_FILE="vfat"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    # TODO check if uefi enabled if yes check if only boot partition use FAT
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_kernel_option_enabled "$KERNEL_OPTION"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    fi 
+    fi
 }
 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -1,34 +1,37 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.11 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log on separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
@ -38,14 +41,14 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,17 +60,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -1,34 +1,37 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
@ -38,14 +41,14 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,17 +60,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -1,34 +1,37 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.13 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/home on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
@ -38,14 +41,14 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,17 +60,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/home partition with nodev option."
 # Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/home"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -46,19 +49,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,17 +74,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,17 +74,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -22,24 +22,24 @@ PARTITION="/run/shm"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -50,19 +50,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,17 +74,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="nodev option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -41,12 +44,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
@ -58,17 +61,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="nosuid option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -41,12 +44,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
@ -58,17 +61,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="noexec option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -21,17 +24,17 @@ PARTITION="/media\S*"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -41,12 +44,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
@ -58,17 +61,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -1,27 +1,32 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    # shellcheck disable=SC2086
-    if [ ! -z "$RESULT" ]; then
+    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        # shellcheck disable=SC2001
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
    else
        ok "All world writable directories have a sticky bit"
@ -29,10 +34,10 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
+    if [ -n "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
@ -46,17 +51,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable automounting of devices."
 SERVICE_NAME="autofs"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$SERVICE_NAME is enabled"
    else
        ok "$SERVICE_NAME is disabled"
@ -28,12 +31,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is disabled"
    fi
@ -46,17 +49,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -0,0 +1,78 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.23 Disable USB storage (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_USB_STORAGE"
 MODULE_NAME="usb-storage"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,24 +12,26 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure /tmp is configured (Scored)"
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
@ -38,14 +41,14 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,17 +60,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/tmp"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    fi 
+    fi
 }
 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/tmp"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -46,19 +49,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
@ -19,23 +22,23 @@ PARTITION="/tmp"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -46,19 +49,19 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -1,53 +1,56 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.6 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -59,17 +62,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,43 +12,45 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
-     
+
    :
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -59,17 +62,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    fi 
+    fi
 }
 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
@ -19,47 +22,47 @@ PARTITION="/var/tmp"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
-                FNRET=3 
+                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
-        fi       
+        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    fi 
+    fi
 }
 # This function will check config parameters required
@ -70,17 +73,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.3.1_install_sudo.sh
+++ b/bin/hardening/1.3.1_install_sudo.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.1 Ensure sudo is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
 PACKAGE='sudo'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.2_pty_sudo.sh
+++ b/bin/hardening/1.3.2_pty_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.2 Ensure sudo commands use pty (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
 PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        crit "Defaults use_pty not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        warn "Defaults use_pty not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.3_logfile_sudo.sh
+++ b/bin/hardening/1.3.3_logfile_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.3 Ensure sudo log file exists (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo log files exists."
 PATTERN="^\s*Defaults\s+logfile=\S+"
 LOGFILE="/var/log/sudo.log"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        crit "Defaults log file not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        warn "Defaults log file not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.4.1_install_tripwire.sh
+++ b/bin/hardening/1.4.1_install_tripwire.sh
@ -1,26 +1,30 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
 PACKAGE='tripwire'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
@ -28,15 +32,15 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-        is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
-            ok "$PACKAGE is installed"
+        ok "$PACKAGE is installed"
-        else
+    else
-            crit "$PACKAGE is absent, installing it"
+        crit "$PACKAGE is absent, installing it"
-            apt_install $PACKAGE
+        apt_install "$PACKAGE"
-            info "Tripwire is now installed but not fully functionnal, please see readme to go further"
+        info "Tripwire is now installed but not fully functionnal, please see readme to go further"
-        fi
+    fi
 }
 # This function will check config parameters required
@ -46,17 +50,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.2_tripwire_cron.sh
+++ b/bin/hardening/1.4.2_tripwire_cron.sh
@ -6,7 +6,7 @@
 #
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,14 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 # Note : in CIS, AIDE has been chosen, however we chose tripwire
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)"
    FOUND=0
    for FILE in $FILES; do
@ -39,7 +41,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)"
    FOUND=0
    for FILE in $FILES; do
@ -50,7 +52,7 @@ apply () {
    done
    if [ "$FOUND" != 1 ]; then
        warn "$PATTERN is not present in $FILES, setting tripwire cron"
-        echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire
+        echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " >/etc/cron.d/CIS_8.3.2_tripwire
    else
        ok "$PATTERN is present in $FILES"
    fi
@ -63,17 +65,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="User and group root owner of grub bootloader config."
 # Assertion : Grub Based.
@ -22,38 +25,38 @@ GROUP='root'
 PERMISSIONS='400'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi 
+    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi 
+    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -61,22 +64,22 @@ apply () {
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
        exit 128
    fi
-    does_user_exist $USER
+    does_user_exist "$USER"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
        exit 128
    fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
        exit 128
    fi
-    does_file_exist $FILE
+    does_file_exist "$FILE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -84,17 +87,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Setting bootloader password to secure boot parameters."
 FILE='/boot/grub/grub.cfg'
@ -19,15 +22,15 @@ USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$USER_PATTERN not present in $FILE"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PWD_PATTERN not present in $FILE"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -35,15 +38,15 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -54,11 +57,11 @@ apply () {
 # This function will check config parameters required
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "grub-pc is not installed, not handling configuration"
        exit 128
    fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -66,17 +69,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.4.3 Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Root password for single user mode."
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -28,9 +31,9 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
        warn "$PATTERN is present in $FILE, please put a root password"
    else
        ok "$PATTERN is not present in $FILE"
@ -45,17 +48,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
@ -31,11 +34,11 @@ nx_supported_and_enabled() {
 }
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -46,11 +49,11 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -67,17 +70,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
@ -1,28 +1,31 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -30,12 +33,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.3_disable_prelink.sh
+++ b/bin/hardening/1.6.3_disable_prelink.sh
@ -1,25 +1,28 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.5.4 Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable prelink to prevent libraries compromission."
 PACKAGE='prelink'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -48,17 +51,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.4_restrict_core_dumps.sh
+++ b/bin/hardening/1.6.4_restrict_core_dumps.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.5.1 Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Restrict core dumps."
 LIMIT_FILE='/etc/security/limits.conf'
@ -21,18 +24,18 @@ SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    SEARCH_RES=0
    LIMIT_FILES=""
-    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
-        for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
-            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+            LIMIT_FILES="$LIMIT_FILES $file"
        done
    fi
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
    for file in $LIMIT_FILE $LIMIT_FILES; do
-        does_pattern_exist_in_file $file $LIMIT_PATTERN
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            debug "$LIMIT_PATTERN not present in $file"
        else
            ok "$LIMIT_PATTERN present in $file"
@ -40,13 +43,13 @@ audit () {
            break
        fi
    done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -54,23 +57,23 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
        add_end_of_file $LIMIT_FILE "* hard core 0"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi 
+    fi
 }
@ -81,17 +84,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@ -0,0 +1,70 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.1 Ensure AppArmor is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install AppArmor."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -0,0 +1,111 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ "$ERROR" = 0 ]; then
        ok "$PACKAGES are configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
        $SUDO_CMD update-grub
    else
        ok "$PACKAGES are configured"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -0,0 +1,87 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce or complain AppArmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
        aa-complain /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -0,0 +1,101 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce Apparmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        crit "Some processes are in complain mode"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        warn "Some processes are in complain mode, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
@ -1,87 +0,0 @@
 #!/bin/bash
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
 FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    does_file_exist $FILE
    if [ $FNRET != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
    has_file_correct_ownership $FILE $USER $GROUP
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
    has_file_correct_permissions $FILE $PERMISSIONS
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    does_file_exist $FILE
    if [ $FNRET != 0 ]; then
        info "$FILE does not exist"
        touch $FILE
    fi
    has_file_correct_ownership $FILE $USER $GROUP
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
    has_file_correct_permissions $FILE $PERMISSIONS
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod 0$PERMISSIONS $FILE
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.8.1.1_remove_os_info_motd.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from motd"
 FILE='/etc/motd'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
@ -45,17 +48,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.8.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.8.1.2_remove_os_info_issue.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from Login Warning Banners."
 FILE='/etc/issue'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
@ -45,17 +48,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from remote Login Warning Banners."
 FILE='/etc/issue.net'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -28,11 +31,11 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
@ -45,17 +48,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.8.1.4_motd_perms.sh
+++ b/bin/hardening/1.8.1.4_motd_perms.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
 FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.8.1.5_etc_issue_perms.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
 FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
 FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.8.2_graphical_warning_banners.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.7.2 Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Set graphical warning banner."
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Not implemented yet"
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Not implemented yet"
 }
@ -31,17 +34,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.9_install_updates.sh
+++ b/bin/hardening/1.9_install_updates.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking if apt needs an update"
-    apt_update_if_needed 
+    apt_update_if_needed
    info "Fetching upgrades ..."
    apt_check_updates "CIS_APT"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$RESULT"
        FNRET=1
    else
@ -30,8 +33,8 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    if [ $FNRET -gt 0 ]; then 
+    if [ "$FNRET" -gt 0 ]; then
        info "Applying Upgrades..."
        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
    else
@ -47,17 +50,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.1.1_disable_xinetd.sh
+++ b/bin/hardening/2.1.1_disable_xinetd.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure xinetd is not enabled."
 PACKAGE='xinetd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed"
    else
        ok "$PACKAGE is absent"
@ -27,11 +30,11 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PACKAGE is installed, purging"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -45,17 +48,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.1.2_disable_bsd_inetd.sh
+++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure bsd-inetd is not enabled."
 PACKAGES='openbsd-inetd inetutils-inetd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,12 +32,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.1_use_time_sync.sh
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,28 +12,30 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure time synchronization is in use"
 PACKAGES="ntp chrony"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    FOUND=false
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            ok "Time synchronization is available through $PACKAGE"
            FOUND=true
        fi
    done
-    if [  "$FOUND" = false ]; then
+    if [ "$FOUND" = false ]; then
        crit "None of the following time sync packages are installed: $PACKAGES"
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }
@ -43,14 +46,20 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.2_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
@ -1,95 +0,0 @@
 #!/bin/bash
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.1.2 Ensure ntp is configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
 NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
        if [ $FNRET != 0 ]; then
            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
        else
            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
        fi
        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
        if [ $FNRET != 0 ]; then
            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
        else
            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install $PACKAGE
            info "Checking $PACKAGE configuration"
        fi
        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
        if [ $FNRET != 0 ]; then
            warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
            backup_file $NTP_CONF_FILE
            add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
        else
            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
        fi
        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
        if [ $FNRET != 0 ]; then
            warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
            backup_file $NTP_INIT_FILE
            add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" 
        else
            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
        fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -0,0 +1,60 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure systemd-timesyncd."
 SERVICE_NAME="systemd-timesyncd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ntp
 PACKAGE=chrony
@ -20,14 +24,14 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
 CONF_FILE='/etc/chrony/chrony.conf'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
        else
            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
@ -36,7 +40,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }
@ -47,17 +51,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -0,0 +1,101 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.1.2 Ensure ntp is configured (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
 NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
        else
            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
        fi
        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
        else
            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
        info "Checking $PACKAGE configuration"
    fi
    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
        backup_file "$NTP_CONF_FILE"
        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
    else
        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
    fi
    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
        backup_file "$NTP_INIT_FILE"
        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
    else
        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,18 +12,21 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure HTTP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 # Based on aptitude search '~Phttpd'
 PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,18 +12,21 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure IMAP and POP servers are not installed"
 # shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
 PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,25 +12,28 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Samba is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=samba
 PACKAGES='samba'
 SERVICE='smbd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
-    is_service_enabled $SERVICE
+    is_service_enabled "$SERVICE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
    else
        ok "Service $SERVICE is disabled"
@ -37,21 +41,21 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
-    is_service_enabled $SERVICE
+    is_service_enabled "$SERVICE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
-        systemctl disable $SERVICE
+        systemctl disable "$SERVICE"
    else
        ok "Service $SERVICE is disabled"
    fi
@ -64,17 +68,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.13_disable_http_proxy.sh
+++ b/bin/hardening/2.2.13_disable_http_proxy.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure HTTP-proxy is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 PACKAGES='squid3 squid'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,12 +34,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enure SNMP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=snmp
 PACKAGES='snmpd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,12 +12,15 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Checking netport ports opened"
    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
    RESULT=${RESULT:-}
@ -25,7 +29,7 @@ audit () {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            crit "MTA listens worldwide"
@ -34,7 +38,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Checking netport ports opened"
    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
    RESULT=${RESULT:-}
@ -43,7 +47,7 @@ apply () {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if  $(grep -q "127.0.0.1" <<< $RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            warn "MTA listens worldwide, correct this considering your MTA"
@ -59,17 +63,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.16_disable_rsync.sh
+++ b/bin/hardening/2.2.16_disable_rsync.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure rsync service is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=rsync
 PACKAGE='rsync'
@ -21,14 +25,14 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
 RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@ -37,17 +41,17 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
-            backup_file $RSYNC_DEFAULT_FILE
+            backup_file "$RSYNC_DEFAULT_FILE"
-            replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+            replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
        fi
@ -61,17 +65,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.17_disable_nis.sh
+++ b/bin/hardening/2.2.17_disable_nis.sh
@ -0,0 +1,71 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 PACKAGES='nis'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge "$PACKAGE" -y
            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,18 +12,21 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure the X Window system is not installed."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=x11
 # Based on aptitude search '~Pxserver'
 PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Avahi server is not enabled."
 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=cups
 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure DHCP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dhcp
 PACKAGES='udhcpd isc-dhcp-server'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure LDAP is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ldap
 PACKAGES='slapd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 PACKAGES='rpcbind nfs-kernel-server'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,20 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 PACKAGES='bind9 unbound'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -30,13 +34,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +54,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,18 +12,21 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ftp
 # Based on aptitude search '~Pftp-server'
 PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,13 +35,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,17 +55,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 PACKAGE='nis'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -28,12 +31,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
-        apt-get autoremove
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
@ -46,17 +49,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,19 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    for PACKAGE in $PACKAGES; do 
+    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -30,13 +33,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    for PACKAGE in $PACKAGES; do 
+    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,17 +53,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure talk client is not installed."
 PACKAGES='talk inetutils-talk'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure telnet client is not installed."
 PACKAGES='telnet'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure ldap client is not installed."
 PACKAGES='ldap-utils'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -29,13 +32,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,17 +52,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -1,73 +0,0 @@
 #!/bin/bash
 #
 # CIS Debian Hardening
 #
 #
 # 3.1.1 Ensure IP forwarding is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 HARDENING_EXCEPTION=gw
 DESCRIPTION="Disable IP forwarding."
 SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
 SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
    does_sysctl_param_exists "net.ipv6"
    if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            if [ $FNRET != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ $FNRET = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
    if [ $FNRET != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
        sysctl -w net.ipv4.route.flush=1 > /dev/null
    elif [ $FNRET = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/3.1.1_disable_ipv6.sh
+++ b/bin/hardening/3.1.1_disable_ipv6.sh
@ -1,59 +1,50 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 3.7 Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable IPv6."
 SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        crit "ipv6 is enabled"
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            if [ $FNRET != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ $FNRET = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
                warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,17 +60,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.1.2_disable_wireless.sh
+++ b/bin/hardening/3.1.2_disable_wireless.sh
@ -1,26 +1,29 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 3.6 Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Deactivate wireless interfaces."
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    info "Not implemented yet"
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    info "Not implemented yet"
 }
@ -31,28 +34,31 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-	 echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." 
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-	 echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-	exit 128
+    exit 128
-fi 
+fi
 ## Source Root Dir Parameter
 #if [ ! -r /etc/default/cis-hardening ]; then
 #    echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
 #    exit 128
 #else
 # shellcheck source=../../debian/default
 #    . /etc/default/cis-hardening
 #    if [ -z ${CIS_ROOT_DIR:-} ]; then
 #        echo "No CIS_ROOT_DIR variable, aborting"
 #        exit 128
 #    fi
-#fi 
+#fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.1_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.2.1_disable_send_packet_redirects.sh
@ -1,17 +1,20 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 3.1.2 Ensure packet redirect sending is disabled (Scored)
+# 3.2.1 Ensure packet redirect sending is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
 #net.ipv4.conf.all.send_redirects = 0
@ -19,15 +22,15 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
 SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -36,17 +39,17 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            sysctl -w net.ipv4.route.flush=1 > /dev/null
+            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -61,17 +64,19 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
-     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/Show More
+++ b/Show More