Update changelog

IMP(shfmt): add shell formatter
IMP(shellcheck): quote variable in tests (SC2086)
2025-07-16 13:52:17 +02:00 · 2020-12-04 14:24:34 +01:00 · 2020-12-04 14:08:01 +01:00 · 2020-11-30 13:05:41 +01:00 · 2020-11-27 09:29:11 +01:00 · 2020-11-27 09:22:47 +01:00
431 changed files with 5653 additions and 3614 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 tmp/shfmt
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -20,6 +21,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
 CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@ -77,6 +79,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
    --create-config-files-only
        Create the config files in etc/conf.d
        Must be run as root, before running the audit with user secaudit
 OPTIONS:
    --only <test_number>
@ -126,6 +132,9 @@ while [[ $# > 0 ]]; do
    --allow-service-list)
        ALLOW_SERVICE_LIST=1
        ;;
    --create-config-files-only)
        CREATE_CONFIG=1
        ;;
    --allow-service)
        ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
        shift
@ -156,7 +165,7 @@ while [[ $# > 0 ]]; do
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi
@ -210,6 +219,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
    exit 0
 fi
 if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
    echo "For --create-config-files-only, please run as root"
    exit 1
 fi
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    if [ ${#TEST_LIST[@]} -gt 0 ]; then
@ -223,8 +237,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    fi
    info "Treating $SCRIPT"
-
+    if [ $CREATE_CONFIG = 1 ]; then
-    if [ $AUDIT = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
        $SCRIPT --create-config-files-only $BATCH_MODE
    elif [ $AUDIT = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
    elif [ $AUDIT_ALL = 1 ]; then
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,8 +32,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,8 +32,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,8 +32,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,8 +32,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.5_disable_udf.sh
+++ b/bin/hardening/1.1.1.5_disable_udf.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -30,8 +32,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -45,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.6_disable_cramfs.sh
+++ b/bin/hardening/1.1.1.6_disable_cramfs.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -31,8 +33,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,6 +49,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,17 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
@ -31,8 +33,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled $KERNEL_OPTION
+    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
@ -47,6 +49,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -56,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log on separate partition."
 # Quick factoring as many script use the same logic
@ -39,13 +42,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,6 +60,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -11,7 +11,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit on a separate partition."
 # Quick factoring as many script use the same logic
@ -39,13 +41,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,6 +59,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,8 +69,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/home on a separate partition."
 # Quick factoring as many script use the same logic
@ -39,13 +42,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,6 +60,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/home partition with nodev option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -32,13 +32,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -51,18 +51,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,6 +74,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +85,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -32,13 +32,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -51,18 +51,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,6 +74,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +85,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -32,13 +32,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -51,18 +51,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -74,6 +74,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +85,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="nodev option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -30,7 +33,7 @@ audit () {
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
@ -42,9 +45,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
    fi
@ -58,6 +61,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="nosuid option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -30,7 +33,7 @@ audit () {
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
@ -42,9 +45,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
    fi
@ -58,6 +61,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="noexec option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
@ -30,7 +33,7 @@ audit () {
        FNRET=0
    else
        info "detected $PARTITION like"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
@ -42,9 +45,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
    fi
@ -58,6 +61,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 # This function will be called if the script status is on enabled / audit mode
@ -46,6 +49,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -55,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable automounting of devices."
 SERVICE_NAME="autofs"
@ -19,8 +22,8 @@ SERVICE_NAME="autofs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$SERVICE_NAME is enabled"
    else
        ok "$SERVICE_NAME is disabled"
@ -30,8 +33,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled $SERVICE_NAME
+    is_service_enabled "$SERVICE_NAME"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
    else
@ -46,6 +49,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -55,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure /tmp is configured (Scored)"
 # Quick factoring as many script use the same logic
@ -39,13 +42,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -57,6 +60,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,8 +70,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var on a separate partition."
 # Quick factoring as many script use the same logic
@ -41,13 +44,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp on a separate partition."
 # Quick factoring as many script use the same logic
@ -41,13 +44,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
-        mount $PARTITION
+        mount "$PARTITION"
    fi
 }
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
@ -28,13 +31,13 @@ audit () {
        FNRET=2
    else
        ok "$PARTITION is a partition"
-        has_mount_option $PARTITION $OPTION
+        has_mount_option "$PARTITION" "$OPTION"
        if [ $FNRET -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
-            has_mounted_option $PARTITION $OPTION
+            has_mounted_option "$PARTITION" "$OPTION"
            if [ $FNRET -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
@ -47,18 +50,18 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
-    elif [ $FNRET = 2 ]; then
+    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
-    elif [ $FNRET = 1 ]; then
+    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab $PARTITION $OPTION
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
-    elif [ $FNRET = 3 ]; then
+    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
-        remount_partition $PARTITION
+        remount_partition "$PARTITION"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.1_bootloader_ownership.sh
+++ b/bin/hardening/1.4.1_bootloader_ownership.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="User and group root owner of grub bootloader config."
 # Assertion : Grub Based.
@ -23,15 +26,15 @@ PERMISSIONS='400'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
@ -40,20 +43,20 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        info "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -61,22 +64,22 @@ apply () {
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
        exit 128
    fi
    does_user_exist $USER
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
        exit 128
    fi
    does_group_exist $GROUP
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
        exit 128
    fi
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -84,6 +87,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -93,8 +97,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.2_bootloader_password.sh
+++ b/bin/hardening/1.4.2_bootloader_password.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Setting bootloader password to secure boot parameters."
 FILE='/boot/grub/grub.cfg'
@ -21,13 +24,13 @@ PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$USER_PATTERN not present in $FILE"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PWD_PATTERN not present in $FILE"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -37,13 +40,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE "$USER_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$PWD_PATTERN is present in $FILE"
@ -54,11 +57,11 @@ apply () {
 # This function will check config parameters required
 check_config() {
    is_pkg_installed "grub-pc"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "grub-pc is not installed, not handling configuration"
        exit 128
    fi
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
    fi
@ -66,6 +69,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -75,8 +79,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.4.3_root_password.sh
+++ b/bin/hardening/1.4.3_root_password.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Root password for single user mode."
 FILE="/etc/shadow"
@ -20,7 +23,7 @@ PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -30,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET != 1 ]; then
+    if [ "$FNRET" != 1 ]; then
        warn "$PATTERN is present in $FILE, please put a root password"
    else
        ok "$PATTERN is not present in $FILE"
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.1_restrict_core_dumps.sh
+++ b/bin/hardening/1.5.1_restrict_core_dumps.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Restrict core dumps."
 LIMIT_FILE='/etc/security/limits.conf'
@ -32,7 +35,7 @@ audit () {
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
    for file in $LIMIT_FILE $LIMIT_FILES; do
        does_pattern_exist_in_file $file $LIMIT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            debug "$LIMIT_PATTERN not present in $file"
        else
            ok "$LIMIT_PATTERN present in $file"
@ -44,9 +47,9 @@ audit () {
        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -56,17 +59,17 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
        add_end_of_file $LIMIT_FILE "* hard core 0"
    else
        ok "$LIMIT_PATTERN present in $LIMIT_FILE"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -81,6 +84,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -90,8 +94,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.2_enable_nx_support.sh
+++ b/bin/hardening/1.5.2_enable_nx_support.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
@ -33,9 +36,9 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -48,9 +51,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_dmesg $PATTERN
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
@ -67,6 +70,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -76,8 +80,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 SYSCTL_PARAM='kernel.randomize_va_space'
@ -19,10 +22,10 @@ SYSCTL_EXP_RESULT=2
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -31,11 +34,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    elif [ $FNRET = 255 ]; then
+    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.5.4_disable_prelink.sh
+++ b/bin/hardening/1.5.4_disable_prelink.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable prelink to prevent libraries compromission."
 PACKAGE='prelink'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -29,11 +32,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        /usr/sbin/prelink -ua
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -48,6 +51,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -57,8 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -0,0 +1,106 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.6.2.1 Activate AppArmor (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGE='apparmor'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is absent!"
    else
        ok "$PACKAGE is installed"
    fi
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 0 ]; then
        ok "$PACKAGE is configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
    else
        ok "$PACKAGE is installed"
    fi
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
        $SUDO_CMD update-grub
    else
        ok "$PACKAGE is configured"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from motd"
 FILE='/etc/motd'
@ -20,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -30,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
        delete_line_in_file $FILE $PATTERN
    else
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from Login Warning Banners."
 FILE='/etc/issue'
@ -20,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -30,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
        delete_line_in_file $FILE $PATTERN
    else
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Remove OS information from remote Login Warning Banners."
 FILE='/etc/issue.net'
@ -20,7 +23,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
        ok "$PATTERN is not present in $FILE"
@ -30,7 +33,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
        delete_line_in_file $FILE $PATTERN
    else
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.4_motd_perms.sh
+++ b/bin/hardening/1.7.1.4_motd_perms.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
@ -22,18 +25,18 @@ FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
@ -43,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch $FILE
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
@ -22,18 +25,18 @@ FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
@ -43,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch $FILE
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
@ -22,18 +25,18 @@ FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
@ -43,23 +46,23 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch $FILE
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.7.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.7.2_graphical_warning_banners.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Set graphical warning banner."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/1.8_install_updates.sh
+++ b/bin/hardening/1.8_install_updates.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
 # This function will be called if the script status is on enabled / audit mode
@ -47,6 +50,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -56,8 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.1.1_disable_xinetd.sh
+++ b/bin/hardening/2.1.1_disable_xinetd.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure xinetd is not enabled."
 PACKAGE='xinetd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed"
    else
        ok "$PACKAGE is absent"
@ -28,10 +31,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        warn "$PACKAGE is installed, purging"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.1.2_disable_bsd_inetd.sh
+++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure bsd-inetd is not enabled."
 PACKAGES='openbsd-inetd inetutils-inetd'
@ -19,8 +22,8 @@ PACKAGES='openbsd-inetd inetutils-inetd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -31,10 +34,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.1_use_time_sync.sh
+++ b/bin/hardening/2.2.1.1_use_time_sync.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure time synchronization is in use"
 PACKAGES="ntp chrony"
@ -20,8 +23,8 @@ PACKAGES="ntp chrony"
 audit() {
    FOUND=false
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            ok "Time synchronization is available through $PACKAGE"
            FOUND=true
        fi
@ -43,6 +46,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -52,5 +56,10 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-[ -r "$CIS_ROOT_DIR"/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.2_configure_ntp.sh
+++ b/bin/hardening/2.2.1.2_configure_ntp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
@ -23,19 +27,19 @@ NTP_INIT_FILE='/etc/init.d/ntp'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
        else
            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
        fi
        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
        else
            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
@ -45,8 +49,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-        is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
@ -54,7 +58,7 @@ apply () {
        info "Checking $PACKAGE configuration"
    fi
    does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
        backup_file $NTP_CONF_FILE
        add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
@ -62,7 +66,7 @@ apply () {
        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
    fi
    does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
-        if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
        backup_file $NTP_INIT_FILE
        add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
@ -78,6 +82,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -87,8 +92,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ntp
 PACKAGE=chrony
@ -21,13 +25,13 @@ CONF_FILE='/etc/chrony/chrony.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
        else
            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
@ -47,6 +51,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -56,8 +61,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure HTTP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 # Based on aptitude search '~Phttpd'
@ -21,8 +25,8 @@ PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -33,11 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,6 +55,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure IMAP and POP servers are not installed"
 # shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 # Based on aptitude search '~Pimap-server' and  aptitude search '~Ppop3-server'
@ -21,8 +25,8 @@ PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-im
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -33,11 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,6 +55,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Samba is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=samba
 PACKAGES='samba'
@ -21,15 +25,15 @@ SERVICE='smbd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
    is_service_enabled $SERVICE
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
    else
        ok "Service $SERVICE is disabled"
@ -39,17 +43,17 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
    is_service_enabled $SERVICE
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
        systemctl disable $SERVICE
    else
@ -64,6 +68,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,8 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.13_disable_http_proxy.sh
+++ b/bin/hardening/2.2.13_disable_http_proxy.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure HTTP-proxy is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 PACKAGES='squid3 squid'
@ -20,8 +24,8 @@ PACKAGES='squid3 squid'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,10 +36,10 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enure SNMP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=snmp
 PACKAGES='snmpd'
@ -20,8 +24,8 @@ PACKAGES='snmpd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
@ -59,6 +63,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +73,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.16_disable_rsync.sh
+++ b/bin/hardening/2.2.16_disable_rsync.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure rsync service is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=rsync
 PACKAGE='rsync'
@ -22,13 +26,13 @@ RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
@ -38,13 +42,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
            backup_file $RSYNC_DEFAULT_FILE
            replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
@ -61,6 +65,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -70,8 +75,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.18_disable_telnet_server.sh
+++ b/bin/hardening/2.2.18_disable_telnet_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # Legacy CIS Debian Hardening
 #
@ -13,7 +14,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
 # Based on  aptitude search '~Ptelnet-server'
@ -24,15 +27,15 @@ PATTERN='^telnet'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, checking configuration"
            does_file_exist $FILE
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                ok "$FILE does not exist"
            else
                does_pattern_exist_in_file $FILE $PATTERN
-                if [ $FNRET = 0 ]; then
+                if [ "$FNRET" = 0 ]; then
                    crit "$PATTERN exists, $PACKAGE services are enabled!"
                else
                    ok "$PATTERN is not present in $FILE"
@ -47,21 +50,21 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
            apt-get autoremove
        else
            ok "$PACKAGE is absent"
        fi
        does_file_exist $FILE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            ok "$FILE does not exist"
        else
            info "$FILE exists, checking patterns"
            does_pattern_exist_in_file $FILE $PATTERN
-            if [ $FNRET = 0 ]; then
+            if [ "$FNRET" = 0 ]; then
                warn "$PATTERN is present in $FILE, purging it"
                backup_file $FILE
                ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
@ -80,6 +83,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -89,8 +93,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure the X Window system is not installed."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=x11
 # Based on aptitude search '~Pxserver'
@ -21,8 +25,8 @@ PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -33,11 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,6 +55,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Avahi server is not enabled."
 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
@ -19,8 +22,8 @@ PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -31,11 +34,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=cups
 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
@ -20,8 +24,8 @@ PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-comm
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure DHCP server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dhcp
 PACKAGES='udhcpd isc-dhcp-server'
@ -20,8 +24,8 @@ PACKAGES='udhcpd isc-dhcp-server'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure LDAP is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ldap
 PACKAGES='slapd'
@ -20,8 +24,8 @@ PACKAGES='slapd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 PACKAGES='rpcbind nfs-kernel-server'
@ -20,8 +24,8 @@ PACKAGES='rpcbind nfs-kernel-server'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 PACKAGES='bind9 unbound'
@ -20,8 +24,8 @@ PACKAGES='bind9 unbound'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -32,11 +36,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +54,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +64,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=ftp
 # Based on aptitude search '~Pftp-server'
@ -21,8 +25,8 @@ PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd prof
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
@ -33,11 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -51,6 +55,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,8 +65,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 PACKAGE='nis'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
@ -29,11 +32,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
+        apt-get purge "$PACKAGE" -y
-        apt-get autoremove
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
@ -46,6 +49,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -55,8 +59,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
@ -20,8 +23,8 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -32,11 +35,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -50,6 +53,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,8 +63,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure talk client is not installed."
 PACKAGES='talk inetutils-talk'
@ -19,8 +22,8 @@ PACKAGES='talk inetutils-talk'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -31,11 +34,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure telnet client is not installed."
 PACKAGES='telnet'
@ -19,8 +22,8 @@ PACKAGES='telnet'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -31,11 +34,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure ldap client is not installed."
 PACKAGES='ldap-utils'
@ -19,8 +22,8 @@ PACKAGES='ldap-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed"
        else
            ok "$PACKAGE is absent"
@ -31,11 +34,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
-        is_pkg_installed $PACKAGE
+        is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
+            apt-get purge "$PACKAGE" -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
@ -49,6 +52,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,8 +62,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,8 +12,10 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 HARDENING_EXCEPTION=gw
 # shellcheck disable=2034
 DESCRIPTION="Disable IP forwarding."
 SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
@ -22,11 +25,11 @@ SYSCTL_EXP_RESULT=0
 audit() {
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -38,12 +41,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -58,6 +61,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,8 +71,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
 #net.ipv4.conf.all.send_redirects = 0
@ -24,10 +27,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -41,12 +44,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -61,6 +64,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -70,8 +74,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable source routed packet acceptance."
 # set in config file
 SYSCTL_PARAMS=''
@ -20,14 +23,14 @@ SYSCTL_PARAMS=''
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -42,12 +45,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -70,6 +73,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,8 +83,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
 # set in config file
 SYSCTL_PARAMS=''
@ -20,15 +23,15 @@ SYSCTL_PARAMS=''
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
-        if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -43,12 +46,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -71,6 +74,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -80,8 +84,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."
 SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.4_log_martian_packets.sh
+++ b/bin/hardening/3.2.4_log_martian_packets.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Log suspicious packets, like spoofed packets."
 SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
 SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist --Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
 SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.7_enable_source_route_validation.sh
+++ b/bin/hardening/3.2.7_enable_source_route_validation.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable RFC-recommended source route validation."
 SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
 SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
@ -22,10 +25,10 @@ audit () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -39,12 +42,12 @@ apply () {
        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            sysctl -w net.ipv4.route.flush=1 >/dev/null
-        elif [ $FNRET = 255 ]; then
+        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
        else
            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable IPv6 router advertisements."
 SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
@ -19,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -41,19 +44,19 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
                sysctl -w net.ipv4.route.flush=1 >/dev/null
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,6 +72,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -78,8 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.3.1_install_tcp_wrapper.sh
+++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,15 +12,17 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."
 PACKAGE='tcpd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
@ -28,8 +31,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-        is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
@ -44,6 +47,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -53,8 +57,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.3.2_hosts_allow.sh
+++ b/bin/hardening/3.3.2_hosts_allow.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create /etc/hosts.allow ."
 FILE='/etc/hosts.allow'
@ -19,7 +22,7 @@ FILE='/etc/hosts.allow'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exist"
@ -29,7 +32,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
        warn "You may want to fill it with allowed networks"
@ -45,6 +48,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -54,8 +58,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.3.3_hosts_deny.sh
+++ b/bin/hardening/3.3.3_hosts_deny.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create /etc/hosts.deny ."
 FILE='/etc/hosts.deny'
@ -20,12 +23,12 @@ PATTERN='ALL: ALL'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in $FILE, we have to deny everything"
        else
            ok "$PATTERN is present in $FILE"
@ -36,14 +39,14 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
    else
        ok "$FILE exists"
    fi
    does_pattern_exist_in_file $FILE "$PATTERN"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PATTERN is not present in $FILE, we have to deny everything"
        add_end_of_file $FILE "$PATTERN"
        warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.3.4_hosts_allow_permissions.sh
+++ b/bin/hardening/3.3.4_hosts_allow_permissions.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check 644 permissions and root:root ownership on /hosts.allow ."
 FILE='/etc/hosts.allow'
@ -21,14 +24,14 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
@ -37,12 +40,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -53,6 +56,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -62,8 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.3.5_hosts_deny_permissions.sh
+++ b/bin/hardening/3.3.5_hosts_deny_permissions.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check 644 permissions and root:root ownership on /etc/hosts.deny ."
 FILE='/etc/hosts.deny'
@ -21,14 +24,14 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
    fi
-    has_file_correct_ownership $FILE $USER $GROUP
+    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
@ -37,12 +40,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions $FILE $PERMISSIONS
+    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0$PERMISSIONS $FILE
+        chmod 0"$PERMISSIONS" "$FILE"
    fi
 }
@ -53,6 +56,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -62,8 +66,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.4.1_disable_dccp.sh
+++ b/bin/hardening/3.4.1_disable_dccp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.4.3_disable_rds.sh
+++ b/bin/hardening/3.4.3_disable_rds.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.4.4_disable_tipc.sh
+++ b/bin/hardening/3.4.4_disable_tipc.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -40,8 +44,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
@ -1,4 +1,5 @@
 #!/bin/bash
 # run-shellcheck
 #
 # OVH Security audit
@ -22,7 +23,7 @@ FW_POLICY="DROP"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
@ -60,6 +61,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -70,7 +72,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/3.5_enable_firewall.sh
+++ b/bin/hardening/3.5_enable_firewall.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
 # Quick note here : CIS recommends your iptables rules to be persistent.
@ -21,8 +24,8 @@ PACKAGE='iptables'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
@ -31,8 +34,8 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
-        is_pkg_installed $PACKAGE
+    is_pkg_installed "$PACKAGE"
-        if [ $FNRET = 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
@ -47,6 +50,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -56,8 +60,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.6_disable_wireless.sh
+++ b/bin/hardening/3.6_disable_wireless.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Deactivate wireless interfaces."
 # This function will be called if the script status is on enabled / audit mode
@ -31,6 +34,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -43,6 +47,7 @@ fi
 #    echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
 #    exit 128
 #else
 # shellcheck source=../../debian/default
 #    . /etc/default/cis-hardening
 #    if [ -z ${CIS_ROOT_DIR:-} ]; then
 #        echo "No CIS_ROOT_DIR variable, aborting"
@ -51,8 +56,9 @@ fi
 #fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/3.7_disable_ipv6.sh
+++ b/bin/hardening/3.7_disable_ipv6.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable IPv6."
 SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
@ -19,17 +22,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -41,19 +44,19 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
                warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
-            elif [ $FNRET = 255 ]; then
+            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
@ -69,6 +72,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -78,8 +82,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/4.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.1.1_audit_log_storage.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure audit log storage size."
 FILE='/etc/audit/auditd.conf'
@ -21,12 +24,12 @@ VALUE=5
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in $FILE"
        else
            ok "$PATTERN is present in $FILE"
@ -37,14 +40,14 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
    else
        ok "$FILE exists"
    fi
    does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$PATTERN is not present in $FILE, adding it"
        add_end_of_file $FILE "$PATTERN = $VALUE"
    else
@ -59,6 +62,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -68,8 +72,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,16 +12,18 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Disable system on audit log full."
 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
@ -30,7 +33,7 @@ audit () {
            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
@ -42,7 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
    else
@ -54,10 +57,10 @@ apply () {
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
            else
@ -75,8 +78,18 @@ check_config() {
    :
 }
 create_config() {
    cat <<EOF
 # shellcheck disable=2034
 status=audit
 # Put here the conf for auditd
 OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -86,8 +99,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Keep all auditing information."
 FILE='/etc/audit/auditd.conf'
@ -20,7 +23,7 @@ OPTIONS='max_log_file_action=keep_logs'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
@ -30,7 +33,7 @@ audit () {
            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
@ -42,7 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist $FILE
-    if [ $FNRET != 0 ]; then
+    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
    else
@ -54,10 +57,10 @@ apply () {
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
        does_pattern_exist_in_file $FILE "$PATTERN"
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
-            if [ $FNRET != 0 ]; then
+            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
            else
@ -77,6 +80,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -86,8 +90,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/4.1.10_record_dac_edit.sh
+++ b/bin/hardening/4.1.10_record_dac_edit.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
@ -11,7 +12,9 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect discretionary access control (DAC) permission modification events."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
@ -33,7 +36,7 @@ audit () {
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE $AUDIT_VALUE
        IFS=$c_IFS
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
        else
            ok "$AUDIT_VALUE is present in $FILE"
@ -48,7 +51,7 @@ apply () {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ $FNRET != 0 ]; then
+        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file $FILE $AUDIT_VALUE
            eval $(pkill -HUP -P 1 auditd)
@ -65,6 +68,7 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -74,8 +78,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thibault Ayanides	106fa5fc8a	Update changelog	2020-12-04 14:24:34 +01:00
Thibault Ayanides	3a342b784a	IMP(shfmt): add shell formatter	2020-12-04 14:08:01 +01:00
Thibault Ayanides	bc1aa65b91	IMP(shellcheck): quote variable in tests (SC2086)	2020-11-30 13:05:41 +01:00
Thibault Ayanides	dba1dae963	IMP(shellcheck): quoting harmless variables (SC2086)	2020-11-27 09:29:11 +01:00
Thibault Ayanides	4add6ddc33	IMP(shellcheck): add prefix to define shell (SC2148)	2020-11-27 09:22:47 +01:00
Thibault Ayanides	c17d04ecc2	IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables)	2020-11-27 09:18:00 +01:00
Thibault Ayanides	cccc0881e9	IMP(shellcheck): add run-shellcheck prefix	2020-11-23 17:10:37 +01:00
Thibault Ayanides	9c3aa51982	Update changelog	2020-11-30 15:16:36 +01:00
Thibault Ayanides	b994ca11a7	FIX(main): fix small bug in main The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus	2020-11-30 15:10:39 +01:00
Thibault Ayanides	f4e0aafacc	IMP(5.2.3): fix possible permissions for 5.2.3	2020-11-30 14:27:20 +01:00
Thibault Ayanides	d40a85085d	FIX: fix issue, we had to run audit twice First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.	2020-11-20 10:05:14 +01:00
Thibault Ayanides	467e5f178c	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 13:02:02 +01:00
Thibault Ayanides	d244a2e810	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 12:56:10 +01:00
Thibault Ayanides	84bff4ac88	fixup! Move to most recent docker image for buster	2020-11-16 17:07:08 +01:00
Thibault Ayanides	d640a467e2	fixup! IMP(4.1.x): add tests for each checks	2020-11-16 16:54:51 +01:00
Thibault Ayanides	9bfb7efca1	Update changelog	2020-11-16 16:39:47 +01:00
Thibault Ayanides	7b8cca20d6	FIX(4.1.1.2): fix auditd apply	2020-11-09 11:48:48 +01:00
Thibault Ayanides	a6de243808	Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant	2020-11-09 09:00:34 +01:00
Thibault Ayanides	7e8c976722	Add disclaimer when checks don't require comprehensive checks modified: tests/hardening/1.1.1.1_disable_freevxfs.sh modified: tests/hardening/1.1.1.2_disable_jffs2.sh modified: tests/hardening/1.1.1.3_disable_hfs.sh modified: tests/hardening/1.1.1.4_disable_hfsplus.sh modified: tests/hardening/1.1.1.5_disable_udf.sh modified: tests/hardening/1.1.1.6_disable_cramfs.sh modified: tests/hardening/1.1.1.7_disable_squashfs.sh modified: tests/hardening/1.1.10_var_tmp_noexec.sh modified: tests/hardening/1.1.11_var_log_partition.sh modified: tests/hardening/1.1.12_var_log_audit_partition.sh modified: tests/hardening/1.1.13_home_partition.sh modified: tests/hardening/1.1.14_home_nodev.sh modified: tests/hardening/1.1.18_removable_device_nodev.sh modified: tests/hardening/1.1.19_removable_device_nosuid.sh modified: tests/hardening/1.1.20_removable_device_noexec.sh modified: tests/hardening/1.1.2_tmp_partition.sh modified: tests/hardening/1.1.3_tmp_nodev.sh modified: tests/hardening/1.1.4_tmp_nosuid.sh modified: tests/hardening/1.1.5_tmp_noexec.sh modified: tests/hardening/1.1.6_var_partition.sh modified: tests/hardening/1.1.7_var_tmp_partition.sh modified: tests/hardening/1.1.8_var_tmp_nodev.sh modified: tests/hardening/1.1.9_var_tmp_nosuid.sh modified: tests/hardening/1.8_install_updates.sh modified: tests/hardening/2.2.10_disable_http_server.sh modified: tests/hardening/2.2.11_disable_imap_pop.sh modified: tests/hardening/2.2.12_disable_samba.sh modified: tests/hardening/2.2.13_disable_http_proxy.sh modified: tests/hardening/2.2.14_disable_snmp_server.sh modified: tests/hardening/2.2.2_disable_xwindow_system.sh modified: tests/hardening/2.2.3_disable_avahi_server.sh modified: tests/hardening/2.2.4_disable_print_server.sh modified: tests/hardening/2.2.5_disable_dhcp.sh modified: tests/hardening/2.2.6_disable_ldap.sh modified: tests/hardening/2.2.7_disable_nfs_rpc.sh modified: tests/hardening/2.2.8_disable_dns_server.sh modified: tests/hardening/2.2.9_disable_ftp.sh modified: tests/hardening/2.3.1_disable_nis.sh modified: tests/hardening/2.3.2_disable_rsh_client.sh modified: tests/hardening/2.3.3_disable_talk_client.sh modified: tests/hardening/2.3.4_telnet_client_not_installed.sh modified: tests/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 16:20:10 +01:00
Thibault Ayanides	ffd5b28840	FIX: fix apt autoremove to be non interactive modified: bin/hardening/2.2.10_disable_http_server.sh modified: bin/hardening/2.2.11_disable_imap_pop.sh modified: bin/hardening/2.2.12_disable_samba.sh modified: bin/hardening/2.2.14_disable_snmp_server.sh modified: bin/hardening/2.2.2_disable_xwindow_system.sh modified: bin/hardening/2.2.3_disable_avahi_server.sh modified: bin/hardening/2.2.4_disable_print_server.sh modified: bin/hardening/2.2.5_disable_dhcp.sh modified: bin/hardening/2.2.6_disable_ldap.sh modified: bin/hardening/2.2.7_disable_nfs_rpc.sh modified: bin/hardening/2.2.8_disable_dns_server.sh modified: bin/hardening/2.2.9_disable_ftp.sh modified: bin/hardening/2.3.1_disable_nis.sh modified: bin/hardening/2.3.2_disable_rsh_client.sh modified: bin/hardening/2.3.3_disable_talk_client.sh modified: bin/hardening/2.3.4_telnet_client_not_installed.sh modified: bin/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 14:51:26 +01:00
Thibault Ayanides	ce1e87b1a3	IMP(4.5): rename to 1.6.1.2 improve test	2020-11-06 11:09:22 +01:00
Thibault Ayanides	b5865947ba	Move to most recent docker image for buster	2020-11-06 10:11:46 +01:00
Thibault Ayanides	ee4b2417c2	IMP(4.1.x): add tests for each checks	2020-11-02 15:47:27 +01:00
Thibault Ayanides	5568065c35	IMP(4.1.3): skip on docker (bootloader)	2020-11-02 15:46:45 +01:00
Thibault Ayanides	91a2824246	IMP(5.6): add test	2020-10-30 09:48:36 +01:00
Thibault Ayanides	47f8b7b677	IMP(5.4.4): add test	2020-10-30 09:48:27 +01:00
Thibault Ayanides	728011f846	IMP(5.4.3): add purposely failing test	2020-10-30 09:40:28 +01:00
Thibault Ayanides	17e43753b9	IMP(5.4.1.1-3): add tests and rename some variables	2020-10-30 09:39:42 +01:00
Thibault Ayanides	9aac4c3504	IMP(5.3.4): improve check	2020-10-29 16:47:34 +01:00
Thibault Ayanides	8af91dd6a8	IMP(5.3.1,5.3.2): add tests and upgrade PAM conf	2020-10-29 16:45:15 +01:00
Thibault Ayanides	feefee28e4	IMP(5.3.1): add test and config function for check	2020-10-29 15:35:56 +01:00
Thibault Ayanides	774af39a34	IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh	2020-10-29 11:18:31 +01:00