fix: debian package does not include "versions"

Related to #259: https://github.com/ovh/debian-cis/issues/259

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/compile-manual.yml

@@ -0,0 +1,17 @@
+---
+name: Compile debian man
+on:
+  - push
+jobs:
+  compile-debian-man:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Produce debian man
+        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
+      - uses: EndBug/add-and-commit@v9
+        with:
+          add: 'debian/cis-hardening.8'
+          message: 'Regenerate man pages (Github action)'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/functionnal-tests.yml

@@ -0,0 +1,27 @@
+---
+name: Run functionnal tests
+on:
+  - pull_request
+  - push
+jobs:
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10
+  functionnal-tests-docker-debian11:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian11
+        run: ./tests/docker_build_and_run_tests.sh debian11
+  functionnal-tests-docker-debian12:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian12
+        run: ./tests/docker_build_and_run_tests.sh debian12

.github/workflows/pre-release.yml

@@ -0,0 +1,64 @@
+---
+name: Create Pre-Release
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: Create Pre-Release
+    runs-on: ubuntu-latest
+    steps:
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v4
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v1.1
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # GET LATEST VERSION TAG
+      - name: Get latest version tag
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
+        id: get-latest-tag
+      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
+      - name: Generate changelog
+        id: changelog
+        uses: metcalfc/changelog-generator@v4.3.1
+        with:
+          myToken: ${{ secrets.GITHUB_TOKEN }}
+          head-ref: ${{ github.sha }}
+          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
+      # CREATE RELEASE NAMED LATEST
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: latest
+          release_name: Pre-release
+          body: ${{ steps.changelog.outputs.changelog }}
+          draft: false
+          prerelease: true
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening.deb
+          asset_content_type: application/vnd.debian.binary-package

.github/workflows/shellcheck_and_shellfmt.yml

@@ -0,0 +1,29 @@
+---
+name: Run shell-linter
+on:
+  - push
+  - pull_request
+jobs:
+  shellfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the sh-checker
+        uses: luizm/action-sh-checker@v0.8.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
+          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
+        with:
+          sh_checker_shellcheck_disable: true
+          sh_checker_comment: true
+          sh_checker_exclude: |
+                              src/
+                              debian/postrm
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run shellcheck
+        run: ./shellcheck/docker_build_and_run_shellcheck.sh

.github/workflows/tagged-release.yml

@@ -0,0 +1,64 @@
+---
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      # GET VERSION TAG
+      - name: Get latest version number
+        id: vars
+        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.vars.outputs.tag }}
+      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
+      - name: Generate changelog
+        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
+      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
+      - name: Abort if changelog is empty
+        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v1.1
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # CREATE RELEASE
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          body_path: changelog.md
+          draft: false
+          prerelease: false
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
+          asset_content_type: application/vnd.debian.binary-package

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"

AUTHORS

@@ -1,8 +1,9 @@
 Contributors of this project :
 
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>

LICENSE

@@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
-All rights reserved.
+Copyright 2020 OVHcloud
 
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
 
-  * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-  * Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
-  * Neither the name of OVH SAS nor the
-    names of its contributors may be used to endorse or promote products
-    derived from this software without specific prior written permission.
+       http://www.apache.org/licenses/LICENSE-2.0
 
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   A copy of the license terms follows:
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

MANUAL.md

@@ -0,0 +1,160 @@
+% CIS-HARDENING(8)
+%
+% 2016
+
+# NAME
+
+cis-hardening - CIS Debian 10/11/12 Hardening
+
+# SYNOPSIS
+
+**hardening.sh** RUN_MODE [OPTIONS]
+
+# DESCRIPTION
+
+Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
+
+# SCRIPTS CONFIGURATION
+
+Hardening scripts are in `bin/hardening`. Each script has a corresponding
+configuration file in `etc/conf.d/[script_name].cfg`.
+
+Each hardening script can be individually enabled from its configuration file.
+For example, this is the default configuration file for `disable_system_accounts`:
+
+```
+# Configuration for script of same name
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+```
+
+**status** parameter may take 3 values:
+
+- `disabled` (do nothing): The script will not run.
+- `audit` (RO): The script will check if any change should be applied.
+- `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
+
+Global configuration is in `etc/hardening.cfg`. This file controls the log level
+as well as the backup directory. Whenever a script is instructed to edit a file, it
+will create a timestamped backup in this directory.
+
+
+# RUN MODE
+
+`-h`, `--help`
+:   Display a friendly help message.
+
+`--apply`
+:   Apply hardening for enabled scripts.
+    Beware that NO confirmation is asked whatsoever, which is why you're warmly
+    advised to use `--audit` before, which can be regarded as a dry-run mode.
+
+`--audit`
+:   Audit configuration for enabled scripts.
+    No modification will be made on the system, we'll only report on your system
+    compliance for each script.
+
+`--audit-all`
+:   Same as `--audit`, but for *all* scripts, even disabled ones.
+    This is a good way to peek at your compliance level if all scripts were enabled,
+    and might be a good starting point.
+
+`--audit-all-enable-passed`
+:   Same as `--audit-all`, but in addition, will *modify* the individual scripts
+    configurations to enable those which passed for your system.
+    This is an easy way to enable scripts for which you're already compliant.
+    However, please always review each activated script afterwards, this option
+    should only be regarded as a way to kickstart a configuration from scratch.
+    Don't run this if you have already customized the scripts enable/disable
+    configurations, obviously.
+
+`--create-config-files-only`
+:   Create the config files in etc/conf.d
+    Must be run as root, before running the audit with user secaudit
+
+`-set-hardening-level=level`
+:   Modifies the configuration to enable/disable tests given an hardening level,
+    between 1 to 5. Don't run this if you have already customized the scripts
+    enable/disable configurations.
+    1: very basic policy, failure to pass tests at this level indicates severe
+        misconfiguration of the machine that can have a huge security impact
+    2: basic policy, some good practice rules that, once applied, shouldn't
+        break anything on most systems
+    3: best practices policy, passing all tests might need some configuration
+        modifications (such as specific partitioning, etc.)
+    4: high security policy, passing all tests might be time-consuming and
+        require high adaptation of your workflow
+    5: placebo, policy rules that might be very difficult to apply and maintain,
+        with questionable security benefits
+
+`--allow-service=service`
+:   Use with `--set-hardening-level`.
+    Modifies the policy to allow a certain kind of services on the machine, such
+    as http, mail, etc. Can be specified multiple times to allow multiple services.
+    Use --allow-service-list to get a list of supported services.
+
+# OPTIONS
+
+`--allow-service-list`
+:   Get a list of supported service.
+
+  
+`--only test-number`
+:    Modifies the RUN_MODE to only work on the test_number script.
+    Can be specified multiple times to work only on several scripts.
+    The test number is the numbered prefix of the script,
+    i.e. the test number of 1.2_script_name.sh is 1.2.
+
+`--sudo`
+:   This option lets you audit your system as a normal user, but allows sudo
+    escalation to gain read-only access to root files. Note that you need to
+    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+    the -n option instructs sudo not to prompt for a password.
+    Finally note that `--sudo` mode only works for audit mode.
+
+`--set-log-level=level`
+:   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+    Default value is : info
+
+`--batch`
+:   While performing system audit, this option sets LOGLEVEL to 'ok' and
+    captures all output to print only one line once the check is done, formatted like :
+    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
+`--allow-unsupported-distribution`
+    Must be specified manually in the command line to allow the run on non compatible
+    version or distribution. If you want to mute the warning change the LOGLEVEL
+    in /etc/hardening.cfg
+
+
+# AUTHORS
+
+- Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+- Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+- Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
+- Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
+
+# COPYRIGHT
+
+Copyright 2023 OVHcloud
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+# SEE ALSO
+
+- **Center for Internet Security**: https://www.cisecurity.org/
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
+- **Project repository**: https://github.com/ovh/debian-cis
+

README.md

@@ -1,44 +1,62 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 10/11/12 Hardening
 
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+
+<p align="center">
+      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
+</p>
+
+![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
+![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
+![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
+
+![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
+![License](https://img.shields.io/github/license/ovh/debian-cis)
+---
+
+Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
+
+NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
+in production at OVHcloud on Debian 12 Operating Systems.
 
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
-13.15_check_duplicate_gid [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Performing audit
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
-         Total Runned Checks : 191
-         Total Passed Checks : [ 170/191 ]
-         Total Failed Checks : [  21/191 ]
-   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 89.01 %
+      Total Available Checks : 232
+         Total Runned Checks : 166
+         Total Passed Checks : [ 142/166 ]
+         Total Failed Checks : [  24/166 ]
+   Enabled Checks Percentage : 71.00 %
+       Conformity Percentage : 85.00 %
 ```
 
-## Quickstart
+## :dizzy: Quickstart
 
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
-$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
-1.1_install_updates [INFO] Checking Configuration
-1.1_install_updates [INFO] Performing audit
-1.1_install_updates [INFO] Checking if apt needs an update
-1.1_install_updates [INFO] Fetching upgrades ...
-1.1_install_updates [ OK ] No upgrades available
-1.1_install_updates [ OK ] Check Passed
+$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
+$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
+$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
+$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
+$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
 
-## Usage
+## :hammer: Usage
 
 ### Configuration
 
@@ -72,7 +90,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
 
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
+
+ ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@@ -80,16 +100,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
 
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
-## Hacking
+``--only <check_number>``: run only the selected checks.
+
+``--set-hardening-level``: run all checks that are lower or equal to the selected level.
+Do NOT use this option if you have already started to customize your configuration.
+
+``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
+to allow a certain kind of services on the machine, such as http, mail, etc.
+Can be specified multiple times to allow multiple services.
+Use --allow-service-list to get a list of supported services.
+
+``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+Default value is : info
+
+``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
+before running the audit with user secaudit, to have the rights setup well on the conf files.
+
+``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
+the run on non compatible version or distribution. If you want to mute the warning change the
+LOGLEVEL in /etc/hardening.cfg
+
+## :computer: Hacking
 
 **Getting the source**
 
@@ -110,6 +150,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
+Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
+
+If the check replace somehow one that is in the CIS specifications,
+you can use the numerotation of the check it replaces inplace. For example we check
+the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
+
+Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
+(part of OVHcloud security policy)
+
 
 Code your check explaining what it does then if you want to test
 
@@ -117,7 +166,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 
 Functional tests are available. They are to be run in a Docker environment.
 
@@ -125,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian10` or `debian11`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@@ -151,19 +200,72 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
 
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
+and that we will not test the apply function. It's because the check is very basic
+(like a package install) and that a test on it is not really necessary.
+
+Furthermore, some tests are disabled on docker because there not pertinent (kernel 
+modules, grub, partitions, ...)
+You can disable a check on docker with:
+```bash
+if [ -f "/.dockerenv" ]; then
+  skip "SKIPPED on docker"
+else
+...
+fi
+```
+
+## :art: Coding style
+### Shellcheck
+
+We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
+correctness of the scripts and to respect best practices.
+It can be used directly with the docker environnment to check all scripts 
+compliancy. By default it runs on every `.sh` it founds.
+
+```console
+$ ./shellcheck/launch_shellcheck.sh [name of script...]
+```
+
+### Shellfmt
+
+We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
+consistent style in every script. 
+Identically to shellcheck, it can be run through a script with the following:
+
+```console
+$ ./shellfmt/launch_shellfmt.sh
+```
+It will automatically fix any styling problem on every script.
+
+
+## :heavy_exclamation_mark: Disclaimer
 
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
+A word about numbering, implementation and sustainability over time of this repository:
+This project is born with the Debian 7 distribution in 2016. Over time, CIS Benchmark PDF
+has evolved, changing it's numbering, deleting obsolete checks.
+In order to keep retro-compatiblity with the last maintained Debian, the numbering
+has not been changed along with the PDF, because the configuration scripts are named after it.
+Changing the numbering might break automation for admins using it for years, and handling
+this issue without breaking anything would require a huge refactoring.
+As a consequence, please do not worry about numbering, the checks are there,
+but the numbering accross PDFs might differ.
+Please also note that all the check inside CIS Benchmark PDF might not be implemented
+in this set of scripts.
+We did choose the most relevant to us at OVHcloud, do not hesitate to make a
+Pull Request in order to add the missing script you might find relevant for you.
+
 Additionally, quoting the License:
 
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@@ -171,13 +273,12 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-## Reference
+
+## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 
-## License
-
-3-Clause BSD
+## :page_facing_up: License
 
+Apache, Version 2.0

bin/hardening.sh

@@ -10,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #
 
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@@ -26,6 +26,10 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+SUMMARY_JSON=''
+ASK_LOGLEVEL=''
+ALLOW_UNSUPPORTED_DISTRIBUTION=0
+USED_VERSION="default"
 
 usage() {
     cat <<EOF
@@ -78,7 +82,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
-    
+
     --create-config-files-only
         Create the config files in etc/conf.d
         Must be run as root, before running the audit with user secaudit
@@ -98,11 +102,31 @@ OPTIONS:
         the '-n' option instructs sudo not to prompt for a password.
         Finally note that '--sudo' mode only works for audit mode.
 
+    --set-log-level <level>
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
+        Default value is : info
+
+    --set-version <version>
+        This option allows to run the scripts as defined for a specific CIS debian version.
+        Supported version are the folders listed in the "versions" folder.
+        examples:
+          --set-version debian_11
+          --set-version ovh_legacy
+
+    --summary-json
+        While performing system audit, this option sets LOGLEVEL to silent and
+        only output a json summary at the end
+
     --batch
         While performing system audit, this option sets LOGLEVEL to 'ok' and
         captures all output to print only one line once the check is done, formatted like :
         OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
+    --allow-unsupported-distribution
+        Must be specified manually in the command line to allow the run on non compatible
+        version or distribution. If you want to mute the warning change the LOGLEVEL
+        in /etc/hardening.cfg
+
 EOF
     exit 0
 }
@@ -114,7 +138,7 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST
 
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
     ARG="$1"
     case $ARG in
     --audit)
@@ -143,6 +167,14 @@ while [[ $# > 0 ]]; do
         SET_HARDENING_LEVEL="$2"
         shift
         ;;
+    --set-log-level)
+        ASK_LOGLEVEL=$2
+        shift
+        ;;
+    --set-version)
+        USED_VERSION=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -150,9 +182,16 @@ while [[ $# > 0 ]]; do
     --sudo)
         SUDO_MODE='--sudo'
         ;;
+    --summary-json)
+        SUMMARY_JSON='--summary-json'
+        ASK_LOGLEVEL=silent
+        ;;
     --batch)
         BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
+        ;;
+    --allow-unsupported-distribution)
+        ALLOW_UNSUPPORTED_DISTRIBUTION=1
         ;;
     -h | --help)
         usage
@@ -165,47 +204,99 @@ while [[ $# > 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ] && [ "$SET_HARDENING_LEVEL" -eq 0 ]; then
     usage
 fi
 
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ] || [ -z "${CIS_CONF_DIR}" ] || [ -z "${CIS_CHECKS_DIR}" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR, CIS_CONF_DIR, CIS_CHECKS_DIR variables, aborting."
     exit 128
 fi
 
-[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
-[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
-[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
-[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+# shellcheck source=../etc/hardening.cfg
+[ -r "${CIS_CONF_DIR}"/hardening.cfg ] && . "${CIS_CONF_DIR}"/hardening.cfg
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
+# shellcheck source=../lib/common.sh
+[ -r "${CIS_LIB_DIR}"/common.sh ] && . "${CIS_LIB_DIR}"/common.sh
+# shellcheck source=../lib/utils.sh
+[ -r "${CIS_LIB_DIR}"/utils.sh ] && . "${CIS_LIB_DIR}"/utils.sh
+# shellcheck source=../lib/constants.sh
+[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
-if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
+# ensure the CIS version exists
+does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
+if [ "$FNRET" -ne 0 ]; then
+    echo "$USED_VERSION is not a valid version"
+    echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+    exit 1
+fi
+
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
+# print warning, otherwise quit
+
+# update path for the remaining of the script
+CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
+
+if [ "$DISTRIBUTION" != "debian" ]; then
+    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+        echo "Exiting now"
+        exit 100
+    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+    fi
+else
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    fi
+fi
 
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
     declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
         template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
         [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
     done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
     exit 0
 fi
 
 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
     if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
         echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
         exit 1
     fi
 
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+    for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
         script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
         if [ -z "$script_level" ]; then
             echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
@@ -213,45 +304,46 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
         fi
         wantedstatus=disabled
         [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
     done
     echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
     exit 0
 fi
 
-if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
     echo "For --create-config-files-only, please run as root"
     exit 1
 fi
 
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
-    if [ ${#TEST_LIST[@]} -gt 0 ]; then
+for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi
     fi
 
     info "Treating $SCRIPT"
-    if [ $CREATE_CONFIG = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        $SCRIPT --create-config-files-only $BATCH_MODE
-    elif [ $AUDIT = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
-    elif [ $AUDIT_ALL = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
-    elif [ $APPLY = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+    if [ "$CREATE_CONFIG" = 1 ]; then
+        debug "$SCRIPT --create-config-files-only"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+    elif [ "$AUDIT" = 1 ]; then
+        debug "$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL" = 1 ]; then
+        debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+        debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+    elif [ "$APPLY" = 1 ]; then
+        debug "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
     fi
 
     SCRIPT_EXITCODE=$?
@@ -261,10 +353,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     0)
         debug "$SCRIPT passed"
         PASSED_CHECKS=$((PASSED_CHECKS + 1))
-        if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-            SCRIPT_BASENAME=$(basename $SCRIPT .sh)
-            sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
-            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
+            sed -i -re 's/^status=.+/status=enabled/' "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in ${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
         fi
         ;;
     1)
@@ -283,18 +375,30 @@ done
 
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
 
-if [ $BATCH_MODE ]; then
+if [ "$BATCH_MODE" ]; then
     BATCH_SUMMARY="AUDIT_SUMMARY "
     BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
     BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
     BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
     else
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
     fi
-    becho $BATCH_SUMMARY
+    becho "$BATCH_SUMMARY"
+elif [ "$SUMMARY_JSON" ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    else
+        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
+    fi
+    printf '{'
+    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
+    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
+    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
+    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
+    printf '}\n'
 else
     printf "%40s\n" "################### SUMMARY ###################"
     printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@@ -302,10 +406,10 @@ else
     printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
     printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
 
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
-    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
     printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
         printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
     else
         printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of jffs2 filesystems."
-
-KERNEL_OPTION="CONFIG_JFFS2_FS"
-MODULE_NAME="jffs2"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of hfs filesystems."
-
-KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of hfsplus filesystems."
-
-KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.1.5_disable_udf.sh

@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of udf filesystems."
-
-KERNEL_OPTION="CONFIG_UDF_FS"
-MODULE_FILE="udf"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.1.6_disable_cramfs.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.6 Disable Mounting of cramfs Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of cramfs filesystems."
-
-KERNEL_OPTION="CONFIG_CRAMFS"
-MODULE_NAME="cramfs"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-    :
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-    :
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.1.7_disable_squashfs.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable mounting of squashfs filesytems."
-
-KERNEL_OPTION="CONFIG_SQUASHFS"
-MODULE_FILE="squashfs"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
-    else
-        ok "$KERNEL_OPTION is disabled"
-    fi
-    :
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
-    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
-    fi
-    :
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "All world writable directories have a sticky bit"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
-    else
-        ok "All world writable directories have a sticky bit, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -1,106 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.6.2.1 Activate AppArmor (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Activate AppArmor to enforce permissions control."
-
-PACKAGE='apparmor'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is absent!"
-    else
-        ok "$PACKAGE is installed"
-    fi
-
-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
-        fi
-    done
-    IFS=$d_IFS
-    if [ $ERROR = 0 ]; then
-        ok "$PACKAGE is configured"
-
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
-    else
-        ok "$PACKAGE is installed"
-    fi
-
-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
-        fi
-    done
-    IFS=$d_IFS
-
-    if [ $ERROR = 1 ]; then
-        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
-        $SUDO_CMD update-grub
-    else
-        ok "$PACKAGE is configured"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/2.2.15_mta_localhost.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 2.2.15 Ensure Mail Transfer Agent is configured for Local-Only Mode (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
-# shellcheck disable=2034
-HARDENING_EXCEPTION=mail
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking netport ports opened"
-    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
-    else
-        info "Checking $RESULT"
-        if $(grep -q "127.0.0.1" <<<$RESULT); then
-            ok "MTA is configured to localhost only"
-        else
-            crit "MTA listens worldwide"
-        fi
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
-    else
-        info "Checking $RESULT"
-        if $(grep -q "127.0.0.1" <<<$RESULT); then
-            ok "MTA is configured to localhost only"
-        else
-            warn "MTA listens worldwide, correct this considering your MTA"
-        fi
-    fi
-    :
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/3.4.1_disable_dccp.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 3.4.1 Ensure DCCP is disabled (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Not implemented yet"
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    info "Not implemented yet"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/3.4.4_disable_tipc.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 3.4.4 Ensure TIPC is disabled (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Not implemented yet"
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    info "Not implemented yet"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.12_record_privileged_commands.sh

@@ -1,86 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.12 Ensure use of privileged commands is collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect use of privileged commands."
-
-# Find all files with setuid or setgid set
-SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
-"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
--k privileged" }')
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.13_record_successful_mount.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.13 Ensure successful file system mounts are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect sucessfull file system mounts."
-
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.14_record_file_deletions.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.14 Ensure file deletion events by users are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collects file deletion events by users."
-
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.15_record_sudoers_edit.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect changes to system administration scopre."
-
-AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
--w /etc/sudoers.d/ -p wa -k sudoers'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.16_record_sudo_usage.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect system administration actions (sudolog)."
-
-AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.17_record_kernel_modules.sh

@@ -1,85 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect kernel module loading and unloading."
-
-AUDIT_PARAMS='-w /sbin/insmod -p x -k modules 
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.18_freeze_auditd_conf.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.18 Ensure the audit configuration is immutable (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Make the audit configuration immutable."
-
-AUDIT_PARAMS='-e 2'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.4_record_date_time_edit.sh

@@ -1,86 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.4 Ensure events that modify date and time information are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Record events that modify date and time information."
-
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
--a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
--a always,exit -F arch=b64 -S clock_settime -k time-change
--a always,exit -F arch=b32 -S clock_settime -k time-change
--w /etc/localtime -p wa -k time-change'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.5_record_user_group_edit.sh

@@ -1,86 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.5 Ensure events that modify user/group information are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Record events that modify user/group information."
-
-AUDIT_PARAMS='-w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.6_record_network_edit.sh

@@ -1,87 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Record events that modify the system's network environment."
-
-AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
--a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/network -p wa -k system-locale'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.7_record_mac_edit.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.7 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
-
-AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.8_record_login_logout.sh

@@ -1,84 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.8 Ensure login and logout events are collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collect login and logout events."
-
-AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
--w /var/log/lastlog -p wa -k logins
--w /var/log/tallylog -p wa -k logins'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.1.9_record_session_init.sh

@@ -1,84 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.1.9 Ensure session initiation information is collected (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=4
-# shellcheck disable=2034
-DESCRIPTION="Collec sessions initiation information."
-
-AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
--w /var/log/wtmp -p wa -k session
--w /var/log/btmp -p wa -k session'
-FILE='/etc/audit/audit.rules'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-    IFS=$d_IFS
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            eval $(pkill -HUP -P 1 auditd)
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.2.2.1_enable_syslog-ng.sh

@@ -1,69 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Ensure syslog-ng service is activated."
-
-SERVICE_NAME="syslog-ng"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
-        ok "$SERVICE_NAME is enabled"
-    else
-        crit "$SERVICE_NAME is disabled"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" != 0 ]; then
-        info "Enabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
-        update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
-    else
-        ok "$SERVICE_NAME is enabled"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh

@@ -1,164 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# Note: this is not exacly the same check as the one described in CIS PDF
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Create and set permissions on syslog-ng logfiles."
-
-PERMISSIONS=''
-USER=''
-GROUP=''
-EXCEPTIONS=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            warn "$FILE does not exist"
-        else
-            FOUND_EXC=0
-            if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
-                debug "$FILE is found in exceptions"
-                debug "Setting special user:group:perm"
-                FOUND_EXC=1
-                local user_bak="$USER"
-                local group_bak="$GROUP"
-                local perm_bak="$PERMISSIONS"
-                USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
-                GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
-                PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
-            fi
-            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct ownership ($USER:$GROUP)"
-            else
-                crit "$FILE ownership was not set to $USER:$GROUP"
-            fi
-            has_file_correct_permissions "$FILE" "$PERMISSIONS"
-            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct permissions ($PERMISSIONS)"
-            else
-                crit "$FILE permissions were not set to $PERMISSIONS"
-            fi
-            if [ "$FOUND_EXC" = 1 ]; then
-                debug "Resetting user:group:perm"
-                USER="$user_bak"
-                GROUP="$group_bak"
-                PERMISSIONS="$perm_bak"
-            fi
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            info "$FILE does not exist"
-            filedir=$(dirname "${FILE#/var/log/}")
-            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
-                debug "Creating /var/log/$filedir for $FILE"
-                debug "mkdir -p /var/log/$filedir"
-                mkdir -p /var/log/"$filedir"
-            fi
-            touch "$FILE"
-        fi
-        FOUND_EXC=0
-        if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
-            debug "$FILE is found in exceptions"
-            debug "Setting special user:group:perm"
-            FOUND_EXC=1
-            local user_bak="$USER"
-            local group_bak="$GROUP"
-            local perm_bak="$PERMISSIONS"
-            USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
-            GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
-            PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
-        fi
-        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown "$USER":"$GROUP" "$FILE"
-        fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0"$PERMISSIONS" "$FILE"
-        fi
-        if [ "$FOUND_EXC" = 1 ]; then
-            debug "Resetting user:group:perm"
-            USER="$user_bak"
-            GROUP="$group_bak"
-            PERMISSIONS="$perm_bak"
-        fi
-    done
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=audit
-SYSLOG_BASEDIR='/etc/syslog-ng'
-PERMISSIONS='640'
-USER='root'
-GROUP='adm'
-# Put exceptions here with file:user:group:permissions
-# example: /dev/null:root:root:666
-EXCEPTIONS=''
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist "$USER"
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.2.2.4_syslog-ng_remote_host.sh

@@ -1,88 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
-
-PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
-    fi
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=audit
-SYSLOG_BASEDIR='/etc/syslog-ng'
-EOF
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 4.2.2.5 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Not implemented yet"
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    info "Not implemented yet"
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.1.2_crontab_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="User/Group set to root and permissions to 600 on /etc/crontab ."
-
-FILE='/etc/crontab'
-PERMISSIONS='600'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.1.3_cron_hourly_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="User/Group set to root and permissions to 700 on /etc/cron.hourly ."
-
-FILE='/etc/cron.hourly'
-PERMISSIONS='700'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.1.4_cron_daily_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.daily ."
-
-FILE='/etc/cron.daily'
-PERMISSIONS='700'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.1.5_cron_weekly_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.weekly ."
-
-FILE='/etc/cron.weekly'
-PERMISSIONS='700'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.1.6_cron_monthly_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ."
-
-FILE='/etc/cron.monthly'
-PERMISSIONS='700'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.2.1_sshd_conf_perm_ownership.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=1
-# shellcheck disable=2034
-DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
-
-FILE='/etc/ssh/sshd_config'
-PERMISSIONS='600'
-USER='root'
-GROUP='root'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_file_exist $FILE
-    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch $FILE
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    does_user_exist $USER
-    if [ "$FNRET" != 0 ]; then
-        crit "$USER does not exist"
-        exit 128
-    fi
-    does_group_exist $GROUP
-    if [ "$FNRET" != 0 ]; then
-        crit "$GROUP does not exist"
-        exit 128
-    fi
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# OVH Security audit
-#
-
-#
-# 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
-
-CONF_FILE="/etc/pam.d/common-password"
-CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # Check conf file for default SHA512 hash
-    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
-        crit "$CONF_FILE is not readable"
-    else
-        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
-        if [ "$FNRET" = 0 ]; then
-            ok "$CONF_LINE is present in $CONF_FILE"
-        else
-            crit "$CONF_LINE is not present in $CONF_FILE"
-        fi
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
-        crit "$CONF_FILE is not readable"
-    else
-        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
-        if [ "$FNRET" = 0 ]; then
-            ok "$CONF_LINE is present in $CONF_FILE"
-        else
-            warn "$CONF_LINE is not present in $CONF_FILE"
-            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
-        fi
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -1,69 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 6.1.10 Ensure no world writable files exist (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=3
-# shellcheck disable=2034
-DESCRIPTION="Ensure no world writable files exist"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        crit "Some world writable files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No world writable files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
-        warn "chmoding o-w all files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
-    else
-        ok "No world writable files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/6.1.11_find_unowned_files.sh

@@ -1,80 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 6.1.11 Ensure no unowned files or directories exist
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Ensure no unowned files or directories exist"
-
-USER='root'
-EXCLUDED=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
-    else
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        crit "Some unowned files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No unowned files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
-    else
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
-    else
-        ok "No unowned files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -1,80 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening
-#
-
-#
-# 6.1.12 Ensure no ungrouped files or directories exist (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Ensure no ungrouped files or directories exist"
-
-GROUP='root'
-EXCLUDED=''
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
-    else
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        crit "Some ungrouped files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
-        crit "$FORMATTED_RESULT"
-    else
-        ok "No ungrouped files found"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    if [ ! -z $EXCLUDED ]; then
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
-    else
-        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
-    fi
-    if [ ! -z "$RESULT" ]; then
-        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
-    else
-        ok "No ungrouped files found, nothing to apply"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    # No param for this function
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.3.2_acc_sudoers_no_all.sh

@@ -1,101 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# OVH Security audit
-#
-
-#
-# Checks there are no carte-blanche authorization in sudoers file(s).
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
-
-FILE="/etc/sudoers"
-DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
-# improves readability in audit report
-REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
-EXCEPT=""
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    FILES=""
-    if $SUDO_CMD [ ! -r "$FILE" ]; then
-        crit "$FILE is not readable"
-        return
-    fi
-    FILES="$FILE"
-    if $SUDO_CMD [ ! -d "$DIRECTORY" ]; then
-        debug "$DIRECTORY does not exist"
-    elif $SUDO_CMD [ ! -x "$DIRECTORY" ]; then
-        crit "Cannot browse $DIRECTORY"
-    else
-        FILES="$FILES $($SUDO_CMD ls -1 $DIRECTORY | sed s=^=$DIRECTORY/=)"
-    fi
-    for file in $FILES; do
-        if $SUDO_CMD [ ! -r "$file" ]; then
-            crit "$file is not readable"
-        else
-            # shellcheck disable=2001
-            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
-                ok "There is no carte-blanche sudo permission in $file"
-            else
-                # shellcheck disable=2001
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
-                for line in $RET; do
-                    if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
-                        # shellcheck disable=2001
-                        ok "$(echo "$line" | sed 's/#/ /g') is present in $file but was EXCUSED because $(echo "$line" | cut -d '#' -f 1) is part of exceptions."
-                        continue
-                    fi
-                    # shellcheck disable=2001
-                    crit "$(echo "$line" | sed 's/#/ /g') is present in $file"
-                done
-            fi
-        fi
-    done
-
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    :
-}
-
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=audit
-# Put EXCEPTION account names here, space separated
-EXCEPT="root %root %sudo %wheel"
-EOF
-}
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.3.4_acc_logindefs_sha512.sh

@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# OVH Security audit
-#
-
-#
-# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
-
-CONF_FILE="/etc/login.defs"
-CONF_LINE="ENCRYPT_METHOD SHA512"
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    # Check conf file for default SHA512 hash
-    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
-        crit "$CONF_FILE is not readable"
-    else
-        does_pattern_exist_in_file $CONF_FILE "^ *${CONF_LINE/ /[[:space:]]+}"
-        if [ "$FNRET" = 0 ]; then
-            ok "$CONF_LINE is present in $CONF_FILE"
-        else
-            crit "$CONF_LINE is not present in $CONF_FILE"
-        fi
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    does_pattern_exist_in_file $CONF_FILE "^ *${CONF_LINE/ /[[:space:]]+}"
-    if [ "$FNRET" = 0 ]; then
-        ok "$CONF_LINE is present in $CONF_FILE"
-    else
-        warn "$CONF_LINE is not present in $CONF_FILE, adding it"
-        does_pattern_exist_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)"
-        if [ "$FNRET" != 0 ]; then
-            add_end_of_file $CONF_FILE "$CONF_LINE"
-        else
-            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-            replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
-        fi
-        /etc/init.d/ssh reload >/dev/null 2>&1
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.5.8_ssh_sys_sandbox.sh

@@ -1,98 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# Check UsePrivilegeSeparation set to sandbox.
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Check UsePrivilegeSeparation set to sandbox."
-
-PACKAGE='openssh-server'
-OPTIONS='UsePrivilegeSeparation=sandbox'
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
-            if [ "$FNRET" = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase $FILE "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
-            if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.5.9_ssh_loglevel.sh

@@ -1,98 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# SSH log level is set to VERBOSE
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-DESCRIPTION="SSH log level is set to VERBOSE"
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-
-PACKAGE='openssh-server'
-OPTIONS='LogLevel=VERBOSE'
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
-            if [ "$FNRET" = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-        SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase $FILE "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM"
-            if [ "$FNRET" != 0 ]; then
-                add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/acc_logindefs_sha512.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# OVH Security audit
+#
+
+#
+# Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)"
+
+CONF_FILE="/etc/login.defs"
+# CONF_LINE and CONF_LINE_REGEX are defined in _set_vars_jit below
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    _set_vars_jit
+    # Check conf file for default SHA512 hash
+    if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE_REGEX/ /[[:space:]]+}"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE_REGEX is present in $CONF_FILE"
+        else
+            crit "$CONF_LINE_REGEX is not present in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    _set_vars_jit
+    does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE_REGEX/ /[[:space:]]+}"
+    if [ "$FNRET" = 0 ]; then
+        ok "$CONF_LINE_REGEX is present in $CONF_FILE"
+    else
+        warn "$CONF_LINE is not present in $CONF_FILE, adding it"
+        does_pattern_exist_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)"
+        if [ "$FNRET" != 0 ]; then
+            add_end_of_file "$CONF_FILE" "$CONF_LINE"
+        else
+            info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
+            replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
+# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
+# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
+_set_vars_jit() {
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
+    else
+        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
+        CONF_LINE="ENCRYPT_METHOD SHA512"
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/acc_pam_sha512.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure password hashing algorithm is SHA-512 (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Check that the algorithm declared in PAM for password changes is sha512 (or yescrypt for Debian 11+)"
+
+CONF_FILE="/etc/pam.d/common-password"
+# CONF_LINE is defined in _set_vars_jit below
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    _set_vars_jit
+    # Check conf file for default SHA512 hash
+    if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        # shellcheck disable=SC2001
+        does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            crit "$CONF_LINE is not present in $CONF_FILE"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    _set_vars_jit
+    if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        # shellcheck disable=SC2001
+        does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            warn "$CONF_LINE is not present in $CONF_FILE"
+            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
+            else
+                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+            fi
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
+# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
+# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
+_set_vars_jit() {
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
+    else
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/acc_shadow_sha512.sh

@@ -6,14 +6,16 @@
 #
 
 #
-# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted"
 FILE="/etc/shadow"
 
 # This function will be called if the script status is on enabled / audit mode
@@ -34,13 +36,21 @@ audit() {
         elif [[ $passwd =~ ^!.*$ ]]; then
             pw_found+="$user "
             ok "User $user has a disabled password."
-        # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
-        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+        # yescrypt: Check password against $y$<salt>$<base64>
+        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
             pw_found+="$user "
-            ok "User $user has suitable SHA512 hashed password."
+            ok "User $user has suitable yescrypt hashed password."
+        # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
+        elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+            pw_found+="$user "
+            ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            crit "User $user has a password that is not SHA512 hashed."
+            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
+            else
+                crit "User $user has a password that is not sha512crypt hashed."
+            fi
         fi
     done
     if [[ -z "$users_reviewed" ]]; then
@@ -67,17 +77,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/acc_sudoers_no_all.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# OVH Security audit
+#
+
+#
+# Check there are no carte-blanche authorization in sudoers file(s).
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
+
+FILE="/etc/sudoers"
+DIRECTORY="/etc/sudoers.d"
+# spaces will be expanded to [[:space:]]* when using the regex
+# improves readability in audit report
+REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
+EXCEPT=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # expand spaces to [[:space:]]*
+    # shellcheck disable=2001
+    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+    matched_files=""
+
+    # check for pattern in $FILE
+    if $SUDO_CMD grep -Eq "$REGEX" "$FILE"; then
+        # Will log/warn below, once we've scanned everything,
+        # because we must also check for patterns that are excused
+        matched_files="$FILE"
+    elif [ $? -gt 1 ]; then
+        # ret > 1 means other grep error we must report
+        crit "Couldn't grep for pattern in $FILE"
+    else
+        # no match, it's ok
+        :
+    fi
+
+    # check for pattern in whole $DIRECTORY
+    if $SUDO_CMD [ ! -d "$DIRECTORY" ]; then
+        debug "$DIRECTORY does not exist"
+    elif $SUDO_CMD [ ! -x "$DIRECTORY" ]; then
+        crit "Cannot browse $DIRECTORY"
+    else
+        info "Will check for $($SUDO_CMD ls -f "$DIRECTORY" | wc -l) files within $DIRECTORY"
+        matched_files="$matched_files $($SUDO_CMD grep -REl "$REGEX" "$DIRECTORY" || true)"
+    fi
+
+    # now check for pattern exceptions, and crit for each file otherwise
+    for file in $matched_files; do
+        RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
+        for line in $RET; do
+            if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
+                # shellcheck disable=2001
+                ok "$(echo "$line" | sed 's/#/ /g') is present in $file but was EXCUSED because $(echo "$line" | cut -d '#' -f 1) is part of exceptions."
+                continue
+            fi
+            # shellcheck disable=2001
+            crit "$(echo "$line" | sed 's/#/ /g') is present in $file"
+        done
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+
+# Put EXCEPTION account names here, space separated
+EXCEPT="root %root %sudo %wheel"
+EOF
+}
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/audit_backlog_limit.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure audit_backlog_limit is sufficient (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure audit_backlog_limit to be sufficient."
+
+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for GRUB_OPTION in $OPTIONS; do
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
+            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for GRUB_OPTION in $OPTIONS; do
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
+            else
+                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/audit_bootloader.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -18,21 +18,21 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."
 
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
         for GRUB_OPTION in $OPTIONS; do
-            GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
-            GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
             debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 crit "$PATTERN is not present in $FILE"
             else
@@ -44,28 +44,28 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
-        touch $FILE
+        touch "$FILE"
     else
         ok "$FILE exists"
     fi
     for GRUB_OPTION in $OPTIONS; do
-        GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
-        GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
         debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
             else
                 info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
             fi
         else
             ok "$PATTERN is present in $FILE"
@@ -83,17 +83,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/audit_log_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.1 Ensure audit log storage size is configured (Scored)
+# Ensure audit log storage size is configured (Scored)
 #
 
 set -e # One error, it's over
@@ -23,12 +23,12 @@ VALUE=5
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
     else
         ok "$FILE exists, checking configuration"
-        does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+        does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
         if [ "$FNRET" != 0 ]; then
             crit "$PATTERN is not present in $FILE"
         else
@@ -39,17 +39,17 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         warn "$FILE does not exist, creating it"
         touch $FILE
     else
         ok "$FILE exists"
     fi
-    does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+    does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
     if [ "$FNRET" != 0 ]; then
         warn "$PATTERN is not present in $FILE, adding it"
-        add_end_of_file $FILE "$PATTERN = $VALUE"
+        add_end_of_file "$FILE" "$PATTERN = $VALUE"
     else
         ok "$PATTERN is present in $FILE"
     fi
@@ -65,17 +65,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/bootloader_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over
@@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -33,7 +34,7 @@ audit() {
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -48,10 +49,10 @@ apply() {
         ok "$FILE has correct ownership"
     else
         info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -63,25 +64,25 @@ apply() {
 # This function will check config parameters required
 check_config() {
 
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
         warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
     fi
-    does_user_exist $USER
+    does_user_exist "$USER"
     if [ "$FNRET" != 0 ]; then
         crit "$USER does not exist"
-        exit 128
+        exit 2
     fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
     if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
-        exit 128
+        exit 2
     fi
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
-        exit 128
+        exit 2
     fi
 }
 
@@ -90,17 +91,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/bootloader_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over
@@ -23,13 +23,13 @@ PWD_PATTERN="^password_pbkdf2"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
     if [ "$FNRET" != 0 ]; then
         crit "$USER_PATTERN not present in $FILE"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
     if [ "$FNRET" != 0 ]; then
         crit "$PWD_PATTERN not present in $FILE"
     else
@@ -39,31 +39,30 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$USER_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$USER_PATTERN is present in $FILE"
     fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
     else
         ok "$PWD_PATTERN is present in $FILE"
     fi
-    :
 }
 
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
+        warn "Grub is not installed, not handling configuration"
+        exit 2
     fi
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
-        exit 128
+        exit 2
     fi
 }
 
@@ -72,17 +71,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_distribution.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# OVH Security audit
+#
+
+#
+# Ensure that the distribution version is debian and that the version is 9 or 10
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check the distribution and the distribution version"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$DISTRIBUTION" != "debian" ]; then
+        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    else
+        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is too recent and is not yet supported."
+        elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
+        else
+            ok "Your distribution is debian and the version is supported"
+
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
+    echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/check_duplicate_gid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.17 Ensure no duplicate GIDs exist (Scored)
+# Ensure no duplicate GIDs exist (Scored)
 #
 
 set -e # One error, it's over
@@ -33,7 +33,7 @@ audit() {
         fi
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "No duplicate GIDs"
     fi
 }
@@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_duplicate_groupname.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.19 Ensure no duplicate group names exist (Scored)
+# Ensure no duplicate group names exist (Scored)
 #
 
 set -e # One error, it's over
@@ -21,19 +21,20 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
+    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
     for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
-        GROUPNAME=$(awk -F: {'print $2'} <<<$LINE)
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
+        OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
+        GROUPNAME=$(awk -F: '{print $2}' <<<"$LINE")
+        if [ "$OCC_NUMBER" -gt 1 ]; then
+            # shellcheck disable=2034
+            USERS=$(awk -F: '($3 == n) { print $1 }' n="$GROUPNAME" /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate groupname $GROUPNAME"
         fi
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "No duplicate groupnames"
     fi
 }
@@ -53,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_duplicate_uid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.16 Ensure no duplicate UIDs exist (Scored)
+# Ensure no duplicate UIDs exist (Scored)
 #
 
 set -e # One error, it's over
@@ -41,7 +41,7 @@ audit() {
         fi
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "No duplicate UIDs${FOUND_EXCEPTIONS:+ apart from configured exceptions:}${FOUND_EXCEPTIONS}"
     fi
 }
@@ -72,17 +72,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_duplicate_username.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.18 Ensure no duplicate user names exist (Scored)
+# Ensure no duplicate user names exist (Scored)
 #
 
 set -e # One error, it's over
@@ -21,19 +21,20 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'})
+    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk '{print $1":"$2}')
     for LINE in $RESULT; do
         debug "Working on line $LINE"
-        OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE)
-        USERNAME=$(awk -F: {'print $2'} <<<$LINE)
-        if [ $OCC_NUMBER -gt 1 ]; then
-            USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
+        OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE")
+        USERNAME=$(awk -F: '{print $2}' <<<"$LINE")
+        if [ "$OCC_NUMBER" -gt 1 ]; then
+            # shellcheck disable=2034
+            USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERNAME" /etc/passwd | xargs)
             ERRORS=$((ERRORS + 1))
             crit "Duplicate username $USERNAME"
         fi
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "No duplicate usernames"
     fi
 }
@@ -53,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_user_dir_perm.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.8 Check Permissions on User Home Directories (Scored)
+# Ensure users' home directories permissions are 750 or more restrictive (Scored
 #
 
 set -e # One error, it's over
@@ -21,38 +21,39 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
-        if echo "$EXCEPTIONS" | grep -q $dir; then
+        if echo "$EXCEPTIONS" | grep -q "$dir"; then
             debug "$dir is confirmed as an exception"
+            # shellcheck disable=SC2001
             RESULT=$(sed "s!$dir!!" <<<"$RESULT")
         else
             debug "$dir not found in exceptions"
         fi
-        if [ -d $dir ]; then
-            dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
-            if [ $(echo $dirperm | cut -c6) != "-" ]; then
+        if [ -d "$dir" ]; then
+            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
+            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                 crit "Group Write permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c8) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                 crit "Other Read permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c9) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                 crit "Other Write permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
-            if [ $(echo $dirperm | cut -c10) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                 crit "Other Execute permission set on directory $dir"
                 ERRORS=$((ERRORS + 1))
             fi
         fi
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "No incorrect permissions on home directories"
     fi
 
@@ -60,33 +61,34 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
-        if echo "$EXCEPTIONS" | grep -q $dir; then
+        if echo "$EXCEPTIONS" | grep -q "$dir"; then
             debug "$dir is confirmed as an exception"
+            # shellcheck disable=SC2001
             RESULT=$(sed "s!$dir!!" <<<"$RESULT")
         else
             debug "$dir not found in exceptions"
         fi
-        if [ -d $dir ]; then
-            dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
-            if [ $(echo $dirperm | cut -c6) != "-" ]; then
+        if [ -d "$dir" ]; then
+            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
+            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                 warn "Group Write permission set on directory $dir"
-                chmod g-w $dir
+                chmod g-w "$dir"
             fi
-            if [ $(echo $dirperm | cut -c8) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                 warn "Other Read permission set on directory $dir"
-                chmod o-r $dir
+                chmod o-r "$dir"
             fi
-            if [ $(echo $dirperm | cut -c9) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                 warn "Other Write permission set on directory $dir"
-                chmod o-w $dir
+                chmod o-w "$dir"
             fi
-            if [ $(echo $dirperm | cut -c10) != "-" ]; then
+            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                 warn "Other Execute permission set on directory $dir"
-                chmod o-x $dir
+                chmod o-x "$dir"
             fi
         fi
     done
@@ -113,17 +115,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/check_user_dot_file_perm.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
+# Ensure users' dot files are not group or world writable (Scored)
 #
 
 set -e # One error, it's over
@@ -21,16 +21,16 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $DIR"
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+        for FILE in "$DIR"/.[A-Za-z0-9]*; do
+            if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
+                FILEPERM=$(stat -c "%A" "$FILE")
+                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                     crit "Group Write permission set on FILE $FILE"
                     ERRORS=$((ERRORS + 1))
                 fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
                     crit "Other Write permission set on FILE $FILE"
                     ERRORS=$((ERRORS + 1))
                 fi
@@ -38,24 +38,24 @@ audit() {
         done
     done
 
-    if [ $ERRORS = 0 ]; then
+    if [ "$ERRORS" = 0 ]; then
         ok "Dot file permission in users directories are correct"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
-        for FILE in $DIR/.[A-Za-z0-9]*; do
-            if [ ! -h "$FILE" -a -f "$FILE" ]; then
-                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
-                if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+    for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+        for FILE in "$DIR"/.[A-Za-z0-9]*; do
+            if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
+                FILEPERM=$(stat -c "%A" "$FILE")
+                if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
                     warn "Group Write permission set on FILE $FILE"
-                    chmod g-w $FILE
+                    chmod g-w "$FILE"
                 fi
-                if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+                if [ "$(echo "$FILEPERM" | cut -c9)" != "-" ]; then
                     warn "Other Write permission set on FILE $FILE"
-                    chmod o-w $FILE
+                    chmod o-w "$FILE"
                 fi
             fi
         done
@@ -72,17 +72,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/configure_chrony.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.1.3 Ensure chrony is configured (Scored)
+# Ensure chrony is configured (Scored)
 #
 
 set -e # One error, it's over
@@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
-        if [ "$FNRET" != 0 ]; then
-            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
-        else
-            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
-        fi
+        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
     fi
 }
 
@@ -46,7 +40,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter
@@ -54,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/configure_logrotate.sh

@@ -1,11 +1,12 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
 
 #
-# 4.3 Ensure logrotate is configured (Not Scored)
+# Ensure logrotate is configured (Not Scored)
 #
 
 set -e # One error, it's over
@@ -16,6 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable."
 
+# shellcheck disable=2034
 SERVICE_NAME="syslog-ng"
 
 # This function will be called if the script status is on enabled / audit mode
@@ -40,17 +42,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/configure_ntp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.1.2 Ensure ntp is configured (Scored)
+# Ensure ntp is configured (Scored)
 #
 
 set -e # One error, it's over
@@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
-        else
-            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
-        fi
-        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-        else
-            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
-        fi
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
     fi
 }
 
@@ -54,22 +48,22 @@ apply() {
         ok "$PACKAGE is installed"
     else
         crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
         info "Checking $PACKAGE configuration"
     fi
-    does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
-        backup_file $NTP_CONF_FILE
-        add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
+        backup_file "$NTP_CONF_FILE"
+        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
     else
         ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
     fi
-    does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
-        backup_file $NTP_INIT_FILE
-        add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
+        backup_file "$NTP_INIT_FILE"
+        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
     else
         ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
     fi
@@ -77,7 +71,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter
@@ -85,17 +83,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/configure_ssh_max_startups.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure SSH MaxStartups is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure SSHMaxStartups."
+
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of maxstartups 
+# 0: Number of unauthenticated connections before we start dropping
+# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
+# 60: Maximum number of connections at which we start dropping everything
+# Settles sshd maxstartups
+OPTIONS='maxstartups=10:30:60'
+EOF
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/configure_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.2 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+# Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ."
 
+# shellcheck disable=2034
 SERVICE_NAME="syslog-ng"
 
 # This function will be called if the script status is on enabled / audit mode
@@ -41,17 +42,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/configure_systemd-timesyncd.sh

@@ -6,25 +6,32 @@
 #
 
 #
-# 3.4.2 Ensure SCTP is disabled (Not Scored)
+# Ensure systemd-timesyncd is configured (Not Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-HARDENING_LEVEL=2
+HARDENING_LEVEL=4
 # shellcheck disable=2034
-DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
+DESCRIPTION="Configure systemd-timesyncd."
+
+SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
+        ok "$SERVICE_NAME is enabled"
+    else
+        crit "$SERVICE_NAME is disabled"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    :
 }
 
 # This function will check config parameters required
@@ -37,17 +44,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/cron_d_perm_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+# Ensure permissions on /etc/cron.d are configured (Scored)
 #
 
 set -e # One error, it's over
@@ -40,17 +40,17 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
-        touch $FILE
+        touch "$FILE"
     fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"
     else
         warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
     fi
     has_file_correct_permissions "$FILE" "$PERMISSIONS"
     if [ "$FNRET" = 0 ]; then
@@ -63,12 +63,12 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    does_user_exist $USER
+    does_user_exist "$USER"
     if [ "$FNRET" != 0 ]; then
         crit "$USER does not exist"
         exit 128
     fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
     if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
         exit 128
@@ -80,17 +80,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/cron_daily_perm_ownership.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure permissions on /etc/cron.daily are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.daily ."
+
+FILE='/etc/cron.daily'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/cron_hourly_perm_ownership.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure permissions on /etc/cron.hourly are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User/Group set to root and permissions to 700 on /etc/cron.hourly ."
+
+FILE='/etc/cron.hourly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/cron_monthly_perm_ownership.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure permissions on /etc/cron.monthly are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ."
+
+FILE='/etc/cron.monthly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/cron_users.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+# Ensure at/cron is restricted to authorized users (Scored)
 #
 
 set -e # One error, it's over
@@ -20,13 +20,14 @@ DESCRIPTION="Restrict at/cron to authorized users."
 FILES_ABSENT='/etc/cron.deny /etc/at.deny'
 FILES_PRESENT='/etc/cron.allow /etc/at.allow'
 PERMISSIONS='644'
+PERMISSIONSOK='644 640 600 440 400'
 USER='root'
 GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for FILE in $FILES_ABSENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" = 0 ]; then
             crit "$FILE exists"
         else
@@ -34,9 +35,9 @@ audit() {
         fi
     done
     for FILE in $FILES_PRESENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            crit "$FILE is absent"
+            crit "$FILE is absent, should exist"
         else
             has_file_correct_ownership "$FILE" "$USER" "$GROUP"
             if [ "$FNRET" = 0 ]; then
@@ -44,7 +45,7 @@ audit() {
             else
                 crit "$FILE ownership was not set to $USER:$GROUP"
             fi
-            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
             if [ "$FNRET" = 0 ]; then
                 ok "$FILE has correct permissions"
             else
@@ -57,28 +58,28 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     for FILE in $FILES_ABSENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" = 0 ]; then
             warn "$FILE exists"
-            rm $FILE
+            rm "$FILE"
         else
             ok "$FILE is absent"
         fi
     done
     for FILE in $FILES_PRESENT; do
-        does_file_exist $FILE
+        does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            warn "$FILE is absent"
-            touch $FILE
+            warn "$FILE is absent, fixing (touch)"
+            touch "$FILE"
         fi
         has_file_correct_ownership "$FILE" "$USER" "$GROUP"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct ownership"
         else
             warn "fixing $FILE ownership to $USER:$GROUP"
-            chown $USER:$GROUP $FILE
+            chown "$USER":"$GROUP" "$FILE"
         fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else
@@ -90,12 +91,12 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    does_user_exist $USER
+    does_user_exist "$USER"
     if [ "$FNRET" != 0 ]; then
         crit "$USER does not exist"
         exit 128
     fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
     if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
         exit 128
@@ -107,17 +108,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/cron_weekly_perm_ownership.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure permissions on /etc/cron.weekly are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.weekly ."
+
+FILE='/etc/cron.weekly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/crontab_perm_ownership.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure permissions on /etc/crontab are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="User/Group set to root and permissions to 600 on /etc/crontab ."
+
+FILE='/etc/crontab'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        info "$FILE does not exist"
+        touch "$FILE"
+    else
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist "$GROUP"
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/default_root_group.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+# Ensure default group for the root account is GID 0 (Scored)
 #
 
 set -e # One error, it's over
@@ -22,7 +22,7 @@ EXPECTED_GID='0'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+    if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then
         ok "Root group has GID $EXPECTED_GID"
     else
         crit "Root group GID should be $EXPECTED_GID"
@@ -31,11 +31,11 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
+    if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = 0 ]; then
         ok "Root group GID is $EXPECTED_GID"
     else
         warn "Root group GID is not $EXPECTED_GID -- Fixing"
-        usermod -g $EXPECTED_GID $USER
+        usermod -g "$EXPECTED_GID" "$USER"
     fi
 }
 
@@ -49,17 +49,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/default_timeout.sh

@@ -2,11 +2,11 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening /!\ Not in the Guide
+# CIS Debian Hardening
 #
 
 #
-# 99.1 Set Timeout on ttys
+# Ensure default usershell timeout is 900 seconds or less
 #
 
 set -e # One error, it's over
@@ -26,31 +26,31 @@ FILE='/etc/profile.d/CIS_99.1_timeout.sh'
 audit() {
     SEARCH_RES=0
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ $SEARCH_RES = 1 ]; then break; fi
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
         if test -d "$FILE_SEARCHED"; then
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         fi
     done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
         crit "$PATTERN is not present in $FILES_TO_SEARCH"
     fi
 }
@@ -59,37 +59,36 @@ audit() {
 apply() {
     SEARCH_RES=0
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ $SEARCH_RES = 1 ]; then break; fi
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
         if test -d "$FILE_SEARCHED"; then
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         fi
     done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
-        touch $FILE
-        chmod 644 $FILE
-        add_end_of_file $FILE "$PATTERN$VALUE"
-        add_end_of_file $FILE "readonly TMOUT"
-        add_end_of_file $FILE "export TMOUT"
+        touch "$FILE"
+        chmod 644 "$FILE"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
+        add_end_of_file "$FILE" "export TMOUT"
     else
         ok "$PATTERN is present in $FILES_TO_SEARCH"
     fi
@@ -105,17 +104,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/default_umask.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+# Ensure default user umask is 027 or more restrictive (Scored)
 #
 
 set -e # One error, it's over
@@ -26,15 +26,16 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
 audit() {
     SEARCH_RES=0
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ $SEARCH_RES = 1 ]; then break; fi
-        if test -d $FILE_SEARCHED; then
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
             debug "$FILE_SEARCHED is a directory"
-            for file_in_dir in $(ls $FILE_SEARCHED); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+            for file_in_dir in "$FILE_SEARCHED"/*; do
+                [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
+                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
@@ -49,7 +50,7 @@ audit() {
             fi
         fi
     done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
         crit "$PATTERN is not present in $FILES_TO_SEARCH"
     fi
 }
@@ -58,15 +59,16 @@ audit() {
 apply() {
     SEARCH_RES=0
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ $SEARCH_RES = 1 ]; then break; fi
-        if test -d $FILE_SEARCHED; then
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
             debug "$FILE_SEARCHED is a directory"
-            for file_in_dir in $(ls $FILE_SEARCHED); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+            for file_in_dir in "$FILE_SEARCHED"/*; do
+                [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
+                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
@@ -81,11 +83,11 @@ apply() {
             fi
         fi
     done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
-        touch $FILE
-        chmod 644 $FILE
-        add_end_of_file $FILE "$PATTERN"
+        touch "$FILE"
+        chmod 644 "$FILE"
+        add_end_of_file "$FILE" "$PATTERN"
     fi
 }
 
@@ -99,17 +101,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_apport.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure apport is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable apport to avoid confidential data leaks."
+
+PACKAGE='apport'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed!"
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed, purging it"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_automounting.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.22 Disable Automounting (Scored)
+# Disable Automounting (Scored)
 #
 
 set -e # One error, it's over
@@ -36,7 +36,7 @@ apply() {
     is_service_enabled "$SERVICE_NAME"
     if [ "$FNRET" = 0 ]; then
         info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
     else
         ok "$SERVICE_NAME is disabled"
     fi
@@ -52,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_avahi_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.3 Ensure Avahi Server is not enabled (Scored)
+# Ensure Avahi Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_bsd_inetd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.1.2 Ensure bsd-inetd is not enabled (Scored)
+# Ensure bsd-inetd is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_cramfs.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure Mounting of cramfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of cramfs filesystems."
+
+KERNEL_OPTION="CONFIG_CRAMFS"
+MODULE_NAME="cramfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_dccp.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure DCCP is disabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
+MODULE_NAME="dccp"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_dhcp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.5 Ensure DHCP Server is not enabled (Scored)
+# Ensure DHCP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_dns_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.8 Ensure DNS Server is not enabled (Scored)
+# Ensure DNS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_freevxfs.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure Mounting of freevxfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of freevxfs filesystems."
+
+KERNEL_OPTION="CONFIG_VXFS_FS"
+MODULE_NAME="freevxfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_ftp.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.9 Ensure FTP Server is not enabled (Scored)
+# Ensure FTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_hfs.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure mounting of hfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfs filesystems."
+
+KERNEL_OPTION="CONFIG_HFS_FS"
+MODULE_NAME="hfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_hfsplus.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure mounting of hfsplus filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of hfsplus filesystems."
+
+KERNEL_OPTION="CONFIG_HFSPLUS_FS"
+MODULE_NAME="hfsplus"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_http_proxy.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
+# Ensure HTTP Proxy Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/disable_http_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.10 Ensure HTTP Server is not enabled (Scored)
+# Ensure HTTP Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi