ADD(4.2.1.6): add new syslog-ng check

ADD(4.2.2.x): add journald checks
ADD(4.1.1.4): add new check
2025-07-16 22:02:17 +02:00 · 2021-01-04 14:24:35 +01:00 · 2021-01-04 10:10:47 +01:00 · 2021-01-04 09:03:44 +01:00 · 2020-12-24 16:20:12 +01:00 · 2020-12-24 16:20:02 +01:00
350 changed files with 4229 additions and 1307 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -10,7 +10,7 @@
 # Main script : Execute hardening considering configuration
 #
-LONG_SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename "$0")
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 DISABLED_CHECKS=0
 PASSED_CHECKS=0
@ -114,7 +114,7 @@ fi
 declare -a TEST_LIST ALLOWED_SERVICES_LIST
 # Arguments parsing
-while [[ $# > 0 ]]; do
+while [[ $# -gt 0 ]]; do
    ARG="$1"
    case $ARG in
    --audit)
@ -165,12 +165,13 @@ while [[ $# > 0 ]]; do
 done
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
@ -178,34 +179,37 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # shellcheck source=../lib/constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
-[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
 [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
 if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
    declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
        template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
    done
-    echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
+    echo "Supported services are:" "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")"
    exit 0
 fi
 # If --set-hardening-level is specified, don't run anything, just apply config for each script
-if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
+if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
    if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
        echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
        exit 1
    fi
-    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
-        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+        SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
        if [ -z "$script_level" ]; then
            echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
@ -213,22 +217,23 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
        fi
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
    done
    echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
    exit 0
 fi
-if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
    echo "For --create-config-files-only, please run as root"
    exit 1
 fi
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
+for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
-    if [ ${#TEST_LIST[@]} -gt 0 ]; then
+    if [ "${#TEST_LIST[@]}" -gt 0 ]; then
        # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
        # shellcheck disable=SC2001
        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
            # not in the list
@ -237,21 +242,21 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    fi
    info "Treating $SCRIPT"
-    if [ $CREATE_CONFIG = 1 ]; then
+    if [ "$CREATE_CONFIG" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        $SCRIPT --create-config-files-only $BATCH_MODE
+        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
-    elif [ $AUDIT = 1 ]; then
+    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $AUDIT_ALL = 1 ]; then
+    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
+    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        $SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
+        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
-    elif [ $APPLY = 1 ]; then
+    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        $SCRIPT
+        "$SCRIPT"
    fi
    SCRIPT_EXITCODE=$?
@ -261,9 +266,9 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    0)
        debug "$SCRIPT passed"
        PASSED_CHECKS=$((PASSED_CHECKS + 1))
-        if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
+        if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
-            SCRIPT_BASENAME=$(basename $SCRIPT .sh)
+            SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
-            sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
+            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
        fi
        ;;
@ -283,18 +288,18 @@ done
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
-if [ $BATCH_MODE ]; then
+if [ "$BATCH_MODE" ]; then
    BATCH_SUMMARY="AUDIT_SUMMARY "
    BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
    else
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
-    becho $BATCH_SUMMARY
+    becho "$BATCH_SUMMARY"
 else
    printf "%40s\n" "################### SUMMARY ###################"
    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -305,7 +310,7 @@ else
    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
-    if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
    else
        printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,14 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,14 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,14 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,14 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -0,0 +1,68 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=5
 # shellcheck disable=2034
 DESCRIPTION="Limit mounting of FAT filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_VFAT_FS"
 MODULE_FILE="vfat"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_kernel_option_enabled "$KERNEL_OPTION"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.11 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 set -e # One error, it's over
@ -25,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 set -e # One error, it's over
@ -24,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.13 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 set -e # One error, it's over
@ -25,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -27,19 +27,19 @@ audit() {
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -57,7 +57,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -27,19 +27,19 @@ audit() {
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -57,7 +57,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -27,19 +27,19 @@ audit() {
    PARTITION=$(readlink -e "$PARTITION")
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -57,7 +57,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
@ -28,13 +28,13 @@ audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -49,7 +49,7 @@ apply() {
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 set -e # One error, it's over
@ -28,13 +28,13 @@ audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -49,7 +49,7 @@ apply() {
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
@ -28,13 +28,13 @@ audit() {
    info "Verifying if there is $PARTITION like partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        ok "There is no partition like $PARTITION"
        FNRET=0
    else
        info "detected $PARTITION like"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
@ -49,7 +49,7 @@ apply() {
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
    fi
 }
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 set -e # One error, it's over
@ -20,11 +20,13 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    # shellcheck disable=SC2086
    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
+    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
+        # shellcheck disable=SC2001
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$RESULT" | sort | uniq | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
    else
        ok "All world writable directories have a sticky bit"
@ -33,9 +35,9 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    if [ ! -z "$RESULT" ]; then
+    if [ -n "$RESULT" ]; then
-        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@ -36,7 +36,7 @@ apply() {
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is disabled"
    fi
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -0,0 +1,68 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.23 Disable USB storage (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_USB_STORAGE"
 MODULE_FILE="usb-storage"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
    else
        ok "$KERNEL_OPTION is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_kernel_option_enabled "$KERNEL_OPTION"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
    else
        ok "$KERNEL_OPTION is disabled, nothing to do"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@ -25,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.6 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 set -e # One error, it's over
@ -25,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@ -25,13 +25,13 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@ -26,19 +26,19 @@ audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
-        if [ $FNRET -gt 0 ]; then
+        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
-            if [ $FNRET -gt 0 ]; then
+            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
@ -56,7 +56,7 @@ apply() {
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
-        add_option_to_fstab $PARTITION $OPTION
+        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
--- a/bin/hardening/1.3.1_install_sudo.sh
+++ b/bin/hardening/1.3.1_install_sudo.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.1 Ensure sudo is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
 PACKAGE='sudo'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.2_pty_sudo.sh
+++ b/bin/hardening/1.3.2_pty_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.2 Ensure sudo commands use pty (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
 PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        crit "Defaults use_pty not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        warn "Defaults use_pty not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.3_logfile_sudo.sh
+++ b/bin/hardening/1.3.3_logfile_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.3 Ensure sudo log file exists (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo log files exists."
 PATTERN="^\s*Defaults\s+logfile=\S+"
 LOGFILE="/var/log/sudo.log"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        crit "Defaults log file not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        warn "Defaults log file not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.4.1_install_tripwire.sh
+++ b/bin/hardening/1.4.1_install_tripwire.sh
@ -6,7 +6,7 @@
 #
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 set -e # One error, it's over
@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
 PACKAGE='tripwire'
 # This function will be called if the script status is on enabled / audit mode
@ -37,7 +38,7 @@ apply() {
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
        info "Tripwire is now installed but not fully functionnal, please see readme to go further"
    fi
 }
--- a/bin/hardening/1.4.2_tripwire_cron.sh
+++ b/bin/hardening/1.4.2_tripwire_cron.sh
@ -6,7 +6,7 @@
 #
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 # Note : in CIS, AIDE has been chosen, however we chose tripwire
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'
@ -74,7 +76,7 @@ fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=/opt/debian-cis/lib/main.sh
+    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 set -e # One error, it's over
@ -48,7 +48,7 @@ apply() {
        ok "$FILE has correct ownership"
    else
        info "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
@ -68,17 +68,17 @@ check_config() {
        warn "Grub is not installed, not handling configuration"
        exit 128
    fi
-    does_user_exist $USER
+    does_user_exist "$USER"
    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
        exit 128
    fi
-    does_group_exist $GROUP
+    does_group_exist "$GROUP"
    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
        exit 128
    fi
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        exit 128
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 set -e # One error, it's over
@ -23,13 +23,13 @@ PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$USER_PATTERN not present in $FILE"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$PWD_PATTERN not present in $FILE"
    else
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE "$USER_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$USER_PATTERN not present in $FILE, please configure password for grub"
    else
        ok "$USER_PATTERN is present in $FILE"
    fi
-    does_pattern_exist_in_file $FILE "$PWD_PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PWD_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
    else
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.3 Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 set -e # One error, it's over
@ -22,7 +22,7 @@ PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" != 1 ]; then
        crit "$PATTERN is present in $FILE"
    else
@ -32,7 +32,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" != 1 ]; then
        warn "$PATTERN is present in $FILE, please put a root password"
    else
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 set -e # One error, it's over
@ -35,7 +35,7 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
@ -50,7 +50,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg $PATTERN
+    does_pattern_exist_in_dmesg "$PATTERN"
    if [ "$FNRET" != 0 ]; then
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
--- a/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 set -e # One error, it's over
@ -37,7 +37,7 @@ apply() {
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
--- a/bin/hardening/1.6.3_disable_prelink.sh
+++ b/bin/hardening/1.6.3_disable_prelink.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.4 Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.6.4_restrict_core_dumps.sh
+++ b/bin/hardening/1.6.4_restrict_core_dumps.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.1 Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 set -e # One error, it's over
@ -27,14 +27,14 @@ SYSCTL_EXP_RESULT=0
 audit() {
    SEARCH_RES=0
    LIMIT_FILES=""
-    if $SUDO_CMD [ -d $LIMIT_DIR ]; then
+    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
-        for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf 2>/dev/null); do
+        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
        done
    fi
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
    for file in $LIMIT_FILE $LIMIT_FILES; do
-        does_pattern_exist_in_file $file $LIMIT_PATTERN
+        does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            debug "$LIMIT_PATTERN not present in $file"
        else
@ -43,7 +43,7 @@ audit() {
            break
        fi
    done
-    if [ $SEARCH_RES = 0 ]; then
+    if [ "$SEARCH_RES" = 0 ]; then
        crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
    fi
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
@ -58,7 +58,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
+    does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of  $LIMIT_FILE"
        add_end_of_file $LIMIT_FILE "* hard core 0"
@ -68,7 +68,7 @@ apply() {
    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    if [ "$FNRET" != 0 ]; then
        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
    elif [ "$FNRET" = 255 ]; then
        warn "$SYSCTL_PARAM does not exist -- Typo?"
    else
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@ -0,0 +1,70 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.1 Ensure AppArmor is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install AppArmor."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.6.2.1 Activate AppArmor (Scored)
+# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 set -e # One error, it's over
@ -17,16 +17,18 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
-PACKAGE='apparmor'
+PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" != 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is absent!"
+        if [ "$FNRET" != 0 ]; then
-    else
+            crit "$PACKAGE is absent!"
-        ok "$PACKAGE is installed"
+        else
-    fi
+            ok "$PACKAGE is installed"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -36,26 +38,29 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
-        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
-    if [ $ERROR = 0 ]; then
+    if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" != 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
+        if [ "$FNRET" = 0 ]; then
-    else
+            ok "$PACKAGE is installed"
-        ok "$PACKAGE is installed"
+        else
-    fi
+            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@ -76,7 +81,7 @@ apply() {
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
        $SUDO_CMD update-grub
    else
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
    fi
 }
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -0,0 +1,87 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce or complain AppArmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
        aa-complain /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -0,0 +1,101 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce Apparmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        crit "Some processes are in complain mode"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        warn "Some processes are in complain mode, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.8.1.1_remove_os_info_motd.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 set -e # One error, it's over
@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
@ -32,10 +32,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
--- a/bin/hardening/1.8.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.8.1.2_remove_os_info_issue.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
@ -35,7 +35,7 @@ apply() {
    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
--- a/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
@ -22,7 +22,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        crit "$PATTERN is present in $FILE"
    else
@ -32,10 +32,10 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file $FILE "$PATTERN"
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
    if [ "$FNRET" = 0 ]; then
        warn "$PATTERN is present in $FILE"
-        delete_line_in_file $FILE $PATTERN
+        delete_line_in_file "$FILE" "$PATTERN"
    else
        ok "$PATTERN is not present in $FILE"
    fi
--- a/bin/hardening/1.8.1.4_motd_perms.sh
+++ b/bin/hardening/1.8.1.4_motd_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 set -e # One error, it's over
@ -24,38 +24,38 @@ FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
-        touch $FILE
+        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
--- a/bin/hardening/1.8.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.8.1.5_etc_issue_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 set -e # One error, it's over
@ -24,38 +24,38 @@ FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
-        touch $FILE
+        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
--- a/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 set -e # One error, it's over
@ -24,38 +24,38 @@ FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
        continue
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
-        touch $FILE
+        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown $USER:$GROUP $FILE
+        chown "$USER":"$GROUP" "$FILE"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
--- a/bin/hardening/1.8.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.8.2_graphical_warning_banners.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.2 Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.9_install_updates.sh
+++ b/bin/hardening/1.9_install_updates.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 set -e # One error, it's over
@ -23,7 +23,7 @@ audit() {
    apt_update_if_needed
    info "Fetching upgrades ..."
    apt_check_updates "CIS_APT"
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        crit "$RESULT"
        FNRET=1
    else
@ -34,7 +34,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    if [ $FNRET -gt 0 ]; then
+    if [ "$FNRET" -gt 0 ]; then
        info "Applying Upgrades..."
        DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
    else
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -0,0 +1,60 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure systemd-timesyncd."
 SERVICE_NAME="systemd-timesyncd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -30,7 +30,7 @@ audit() {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $CONF_FILE $CONF_DEFAULT_PATTERN
+        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
        else
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -32,13 +32,13 @@ audit() {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
        else
            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
        fi
-        does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
        else
@ -54,22 +54,22 @@ apply() {
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
        info "Checking $PACKAGE configuration"
    fi
-    does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
-        backup_file $NTP_CONF_FILE
+        backup_file "$NTP_CONF_FILE"
-        add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
+        add_end_of_file "$NTP_CONF_FILE" "restrict -4 default kod notrap nomodify nopeer noquery"
    else
        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
    fi
-    does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
-        backup_file $NTP_INIT_FILE
+        backup_file "$NTP_INIT_FILE"
-        add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
+        add_line_file_before_pattern "$NTP_INIT_FILE" "$NTP_INIT_PATTERN" "^UGID"
    else
        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
    fi
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -32,7 +32,7 @@ audit() {
            ok "$PACKAGE is absent"
        fi
    done
-    is_service_enabled $SERVICE
+    is_service_enabled "$SERVICE"
    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
    else
@ -52,10 +52,10 @@ apply() {
            ok "$PACKAGE is absent"
        fi
    done
-    is_service_enabled $SERVICE
+    is_service_enabled "$SERVICE"
    if [ "$FNRET" = 0 ]; then
        crit "Service $SERVICE is enabled!"
-        systemctl disable $SERVICE
+        systemctl disable "$SERVICE"
    else
        ok "Service $SERVICE is disabled"
    fi
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -29,7 +29,7 @@ audit() {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if $(grep -q "127.0.0.1" <<<$RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            crit "MTA listens worldwide"
@ -47,7 +47,7 @@ apply() {
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
-        if $(grep -q "127.0.0.1" <<<$RESULT); then
+        if grep -q "127.0.0.1" <<<"$RESULT"; then
            ok "MTA is configured to localhost only"
        else
            warn "MTA listens worldwide, correct this considering your MTA"
--- a/bin/hardening/2.2.16_disable_rsync.sh
+++ b/bin/hardening/2.2.16_disable_rsync.sh
@ -31,7 +31,7 @@ audit() {
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
        else
@ -47,11 +47,11 @@ apply() {
        ok "$PACKAGE is not installed"
    else
        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+        does_pattern_exist_in_file "$RSYNC_DEFAULT_FILE" "^$RSYNC_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
-            backup_file $RSYNC_DEFAULT_FILE
+            backup_file "$RSYNC_DEFAULT_FILE"
-            replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+            replace_in_file "$RSYNC_DEFAULT_FILE" "$RSYNC_DEFAULT_PATTERN_TO_SEARCH" "$RSYNC_DEFAULT_PATTERN"
        else
            ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
        fi
--- a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh
+++ b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.2.2.5 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 set -e # One error, it's over
@ -15,16 +15,16 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
-DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
+DESCRIPTION="Disable NIS Server."
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    :
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    :
 }
 # This function will check config parameters required
--- a/bin/hardening/3.1.1_disable_ipv6.sh
+++ b/bin/hardening/3.1.1_disable_ipv6.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.7 Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 set -e # One error, it's over
@ -26,8 +26,8 @@ audit() {
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
@ -48,13 +48,13 @@ apply() {
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
                warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.1.2_disable_wireless.sh
+++ b/bin/hardening/3.1.2_disable_wireless.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.6 Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.2.1_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.2.1_disable_send_packet_redirects.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.1.2 Ensure packet redirect sending is disabled (Scored)
+# 3.2.1 Ensure packet redirect sending is disabled (Scored)
 #
 set -e # One error, it's over
@ -24,8 +24,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_red
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -41,13 +41,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.2.2_disable_ip_forwarding.sh
+++ b/bin/hardening/3.2.2_disable_ip_forwarding.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.1.1 Ensure IP forwarding is disabled (Scored)
+# 3.2.2 Ensure IP forwarding is disabled (Scored)
 #
 set -e # One error, it's over
@ -14,6 +14,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 HARDENING_EXCEPTION=gw
 # shellcheck disable=2034
 DESCRIPTION="Disable IP forwarding."
@ -44,7 +45,7 @@ apply() {
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.3.1_disable_source_routed_packets.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.1 Ensure source routed packets are not accepted (Scored)
+# 3.3.1 Ensure source routed packets are not accepted (Scored)
 #
 set -e # One error, it's over
@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
-        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
@ -42,13 +42,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.3.2_disable_icmp_redirect.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
 #
 set -e # One error, it's over
@ -23,9 +23,9 @@ SYSCTL_PARAMS=''
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
        does_sysctl_param_exists "net.ipv6"
-        if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
@ -43,13 +43,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.4_log_martian_packets.sh
+++ b/bin/hardening/3.3.4_log_martian_packets.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.4 Ensure suspicious packets are logged (Scored)
+# 3.3.4 Ensure suspicious packets are logged (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martia
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.3.5_ignore_broadcast_requests.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+# 3.3.5 Ensure broadcast ICMP requests are ignored (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.3.6_enable_bad_error_message_protection.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.7_enable_source_route_validation.sh
+++ b/bin/hardening/3.3.7_enable_source_route_validation.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+# 3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+# 3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
 #
 set -e # One error, it's over
@ -22,8 +22,8 @@ SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
@ -39,13 +39,13 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+        SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-        SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+        SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
        debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
        has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
        if [ "$FNRET" != 0 ]; then
            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            sysctl -w net.ipv4.route.flush=1 >/dev/null
        elif [ "$FNRET" = 255 ]; then
            warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #
 set -e # One error, it's over
@ -26,8 +26,8 @@ audit() {
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
@ -48,13 +48,13 @@ apply() {
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
                warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
-                set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+                set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
                sysctl -w net.ipv4.route.flush=1 >/dev/null
            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
--- a/bin/hardening/3.5.1.1_enable_firewall.sh
+++ b/bin/hardening/3.5.1.1_enable_firewall.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.5 Ensure Firewall is active (Scored)
+# 3.5.1.1 Ensure Firewall is active (Scored)
 #
 set -e # One error, it's over
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
 # At OVH, we use iptables
 PACKAGE='iptables'
@ -39,7 +40,7 @@ apply() {
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
    fi
 }
--- a/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.5.1.1 Ensure default deny firewall policy (Scored)
+# 3.5.4.1.1 Ensure default deny firewall policy (Scored)
 #
 set -e # One error, it's over
@ -27,17 +27,17 @@ audit() {
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
-        ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
-        if [[ -z $ipt ]]; then
+        if [[ -z "$ipt" ]]; then
            crit "Empty return from $PACKAGE command. Aborting..."
            return
        fi
        for chain in $FW_CHAINS; do
            regex="Chain $chain \(policy ([A-Z]+)\)"
            # previous line will capture actual policy
-            if [[ $ipt =~ $regex ]]; then
+            if [[ "$ipt" =~ $regex ]]; then
                actual_policy=${BASH_REMATCH[1]}
-                if [[ $actual_policy = "$FW_POLICY" ]]; then
+                if [[ "$actual_policy" = "$FW_POLICY" ]]; then
                    ok "Policy correctly set to $FW_POLICY for chain $chain"
                else
                    crit "Policy set to $actual_policy for chain $chain, should be ${FW_POLICY}."
--- a/bin/hardening/4.1.1.1_install_auditd.sh
+++ b/bin/hardening/4.1.1.1_install_auditd.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 4.1.1.1 Ensure auditing is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Install auditd."
 PACKAGE="auditd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        warn "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/4.1.1.2_enable_auditd.sh
+++ b/bin/hardening/4.1.1.2_enable_auditd.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.2 Ensure auditd service is enabled (Scored)
+# 4.1.1.2 Ensure auditd service is enabled (Scored)
 #
 set -e # One error, it's over
@ -43,15 +43,15 @@ apply() {
        ok "$PACKAGE is installed"
    else
        warn "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
    fi
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        ok "$SERVICE_NAME is enabled"
    else
        warn "$SERVICE_NAME is not enabled, enabling it"
-        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
-        update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
    fi
 }
--- a/bin/hardening/4.1.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.1.3_audit_bootloader.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 set -e # One error, it's over
@ -22,17 +22,17 @@ OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        for GRUB_OPTION in $OPTIONS; do
-            GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
-            GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
@ -44,28 +44,28 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
-        touch $FILE
+        touch "$FILE"
    else
        ok "$FILE exists"
    fi
    for GRUB_OPTION in $OPTIONS; do
-        GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
-        GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
            else
                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -0,0 +1,99 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 FILE='/etc/default/grub'
 OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch "$FILE"
    else
        ok "$FILE exists"
    fi
    for GRUB_OPTION in $OPTIONS; do
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
            else
                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/4.1.10_record_failed_access_file.sh
+++ b/bin/hardening/4.1.10_record_failed_access_file.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
 #
 set -e # One error, it's over
@ -32,7 +32,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.12 Ensure use of privileged commands is collected (Scored)
+# 4.1.11 Ensure use of privileged commands is collected (Scored)
 #
 set -e # One error, it's over
@ -19,9 +19,8 @@ DESCRIPTION="Collect use of privileged commands."
 # Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
-"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
+    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 -k privileged" }')
 FILE='/etc/audit/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
@ -33,7 +32,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +48,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.12_record_successful_mount.sh
+++ b/bin/hardening/4.1.12_record_successful_mount.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.13 Ensure successful file system mounts are collected (Scored)
+# 4.1.12 Ensure successful file system mounts are collected (Scored)
 #
 set -e # One error, it's over
@ -30,7 +30,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.13_record_file_deletions.sh
+++ b/bin/hardening/4.1.13_record_file_deletions.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.14 Ensure file deletion events by users are collected (Scored)
+# 4.1.13 Ensure file deletion events by users are collected (Scored)
 #
 set -e # One error, it's over
@ -30,7 +30,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.14_record_sudoers_edit.sh
+++ b/bin/hardening/4.1.14_record_sudoers_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+# 4.1.14 Ensure changes to system administration scope (sudoers) is collected (Scored)
 #
 set -e # One error, it's over
@ -30,7 +30,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -46,11 +46,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.15_record_sudo_usage.sh
+++ b/bin/hardening/4.1.15_record_sudo_usage.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+# 4.1.15 Ensure system administrator actions (sudolog) are collected (Scored)
 #
 set -e # One error, it's over
@ -29,7 +29,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.16_record_kernel_modules.sh
+++ b/bin/hardening/4.1.16_record_kernel_modules.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+# 4.1.16 Ensure kernel module loading and unloading is collected (Scored)
 #
 set -e # One error, it's over
@ -17,7 +17,7 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect kernel module loading and unloading."
-AUDIT_PARAMS='-w /sbin/insmod -p x -k modules 
+AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
@ -32,7 +32,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -48,11 +48,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.17_freeze_auditd_conf.sh
+++ b/bin/hardening/4.1.17_freeze_auditd_conf.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.18 Ensure the audit configuration is immutable (Scored)
+# 4.1.17 Ensure the audit configuration is immutable (Scored)
 #
 set -e # One error, it's over
@ -29,7 +29,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.2.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.2.1_audit_log_storage.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.1.1 Ensure audit log storage size is configured (Scored)
+# 4.1.2.1 Ensure audit log storage size is configured (Scored)
 #
 set -e # One error, it's over
@ -23,12 +23,12 @@ VALUE=5
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
-        does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+        does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in $FILE"
        else
@ -39,17 +39,17 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
    else
        ok "$FILE exists"
    fi
-    does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
+    does_pattern_exist_in_file "$FILE" "^${PATTERN}[[:space:]]"
    if [ "$FNRET" != 0 ]; then
        warn "$PATTERN is not present in $FILE, adding it"
-        add_end_of_file $FILE "$PATTERN = $VALUE"
+        add_end_of_file "$FILE" "$PATTERN = $VALUE"
    else
        ok "$PATTERN is present in $FILE"
    fi
--- a/bin/hardening/4.1.2.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.2.2_halt_when_audit_log_full.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+# 4.1.2.2 Ensure system is disabled when audit logs are full (Scored)
 #
 set -e # One error, it's over
@ -22,17 +22,17 @@ OPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        for AUDIT_OPTION in $OPTIONS; do
-            AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+            AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-            AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+            AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
-            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+            PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
@ -44,7 +44,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
@ -52,20 +52,20 @@ apply() {
        ok "$FILE exists"
    fi
    for AUDIT_OPTION in $OPTIONS; do
-        AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+        AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-        AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+        AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
-        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+        PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
-        does_pattern_exist_in_file $FILE "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+                add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
            else
                info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+                replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
--- a/bin/hardening/4.1.2.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.2.3_keep_all_audit_logs.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+# 4.1.2.3 Ensure audit logs are not automatically deleted (Scored)
 #
 set -e # One error, it's over
@ -22,17 +22,17 @@ OPTIONS='max_log_file_action=keep_logs'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        for AUDIT_OPTION in $OPTIONS; do
-            AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+            AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-            AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+            AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
-            PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+            PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
            debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
@ -44,7 +44,7 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist $FILE
+    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch $FILE
@ -52,20 +52,20 @@ apply() {
        ok "$FILE exists"
    fi
    for AUDIT_OPTION in $OPTIONS; do
-        AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+        AUDIT_PARAM=$(echo "$AUDIT_OPTION" | cut -d= -f 1)
-        AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+        AUDIT_VALUE=$(echo "$AUDIT_OPTION" | cut -d= -f 2)
        debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
-        PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+        PATTERN="^${AUDIT_PARAM}[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
+            does_pattern_exist_in_file "$FILE" "^$AUDIT_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+                add_end_of_file "$FILE" "$AUDIT_PARAM = $AUDIT_VALUE"
            else
                info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+                replace_in_file "$FILE" "^${AUDIT_PARAM}[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
--- a/bin/hardening/4.1.3_record_date_time_edit.sh
+++ b/bin/hardening/4.1.3_record_date_time_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.4 Ensure events that modify date and time information are collected (Scored)
+# 4.1.3 Ensure events that modify date and time information are collected (Scored)
 #
 set -e # One error, it's over
@ -33,7 +33,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.4_record_user_group_edit.sh
+++ b/bin/hardening/4.1.4_record_user_group_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.5 Ensure events that modify user/group information are collected (Scored)
+# 4.1.4 Ensure events that modify user/group information are collected (Scored)
 #
 set -e # One error, it's over
@ -33,7 +33,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -49,11 +49,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.5_record_network_edit.sh
+++ b/bin/hardening/4.1.5_record_network_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+# 4.1.5 Ensure events that modify the system's network environment are collected (Scored)
 #
 set -e # One error, it's over
@ -34,7 +34,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.6_record_mac_edit.sh
+++ b/bin/hardening/4.1.6_record_mac_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.7 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
+# 4.1.6 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
 #
 set -e # One error, it's over
@ -29,7 +29,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -45,11 +45,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.7_record_login_logout.sh
+++ b/bin/hardening/4.1.7_record_login_logout.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.8 Ensure login and logout events are collected (Scored)
+# 4.1.7 Ensure login and logout events are collected (Scored)
 #
 set -e # One error, it's over
@ -31,7 +31,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.8_record_session_init.sh
+++ b/bin/hardening/4.1.8_record_session_init.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.9 Ensure session initiation information is collected (Scored)
+# 4.1.8 Ensure session initiation information is collected (Scored)
 #
 set -e # One error, it's over
@ -31,7 +31,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -47,11 +47,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.1.10_record_dac_edit.sh
+++ b/bin/hardening/4.1.10_record_dac_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+# 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
 #
 set -e # One error, it's over
@ -34,7 +34,7 @@ audit() {
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
@ -50,11 +50,11 @@ apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE $AUDIT_VALUE
+        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval $(pkill -HUP -P 1 auditd)
+            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
--- a/bin/hardening/4.2.1.1_install_syslog-ng.sh
+++ b/bin/hardening/4.2.1.1_install_syslog-ng.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.2.3 Ensure Syslog-ng is installed (Scored)
+# 4.2.1.1 Ensure syslog-ng is installed (Scored)
 #
 set -e # One error, it's over
@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install syslog-ng to manage logs"
-# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
 PACKAGE='syslog-ng'
 # This function will be called if the script status is on enabled / audit mode
@ -37,7 +37,7 @@ apply() {
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
+        apt_install "$PACKAGE"
    fi
 }
--- a/bin/hardening/4.2.1.2_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.1.2_enable_syslog-ng.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+# 4.2.1.2 Ensure syslog-ng service is enabled (Scored)
 #
 set -e # One error, it's over
@ -36,8 +36,8 @@ apply() {
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
        info "Enabling $SERVICE_NAME"
-        update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
-        update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1
+        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is enabled"
    fi
--- a/Show More
+++ b/Show More