Fix badges on README

Add shellcheck, shellfmt, release, prerelease, functionnal tests

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/compile-manual.yml

@@ -0,0 +1,17 @@
+---
+name: Compile debian man
+on:
+  - push
+jobs:
+  compile-debian-man:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Produce debian man
+        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
+      - uses: EndBug/add-and-commit@v6
+        with:
+          add: 'debian/cis-hardening.8'
+          message: 'Regenerate man pages (Github action)'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/functionnal-tests.yml

@@ -0,0 +1,20 @@
+---
+name: Run functionnal tests
+on:
+  - pull_request
+  - push
+jobs:
+  functionnal-tests-docker-debian9:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian9
+        run: ./tests/docker_build_and_run_tests.sh debian9
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10

.github/workflows/pre-release.yml

@@ -0,0 +1,64 @@
+---
+name: Create Pre-Release
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: Create Pre-Release
+    runs-on: ubuntu-latest
+    steps:
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.2
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # GET LATEST VERSION TAG
+      - name: Get latest version tag
+        uses: actions-ecosystem/action-get-latest-tag@v1
+        id: get-latest-tag
+      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
+      - name: Generate changelog
+        id: changelog
+        uses: metcalfc/changelog-generator@v0.4.4
+        with:
+          myToken: ${{ secrets.GITHUB_TOKEN }}
+          head-ref: ${{ github.sha }}
+          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
+      # CREATE RELEASE NAMED LATEST
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: latest
+          release_name: Pre-release
+          body: ${{ steps.changelog.outputs.changelog }}
+          draft: false
+          prerelease: true
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening.deb
+          asset_content_type: application/vnd.debian.binary-package

.github/workflows/shellcheck_and_shellfmt.yml

@@ -0,0 +1,22 @@
+---
+name: Run shell-linter
+on:
+  - push
+  - pull_request
+jobs:
+  sh-checker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the sh-checker
+        uses: luizm/action-sh-checker@v0.1.10
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
+          SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
+          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
+        with:
+          sh_checker_comment: true
+          sh_checker_exclude: |
+                              src/
+                              debian/postrm

.github/workflows/tagged-release.yml

@@ -0,0 +1,66 @@
+---
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    name: Create Release
+    # only runs on master
+    if: github.event.base_ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    steps:
+      # GET VERSION TAG
+      - name: Get latest version number
+        id: vars
+        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.vars.outputs.tag }}
+      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
+      - name: Generate changelog
+        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
+      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
+      - name: Abort if changelog is empty
+        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.2
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # CREATE RELEASE
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          body_path: changelog.md
+          draft: false
+          prerelease: false
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
+          asset_content_type: application/vnd.debian.binary-package

AUTHORS

@@ -1,8 +1,9 @@
 Contributors of this project :
 
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>

LICENSE

@@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
-All rights reserved.
+Copyright 2020 OVHcloud
 
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
 
-  * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-  * Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
-  * Neither the name of OVH SAS nor the
-    names of its contributors may be used to endorse or promote products
-    derived from this software without specific prior written permission.
+       http://www.apache.org/licenses/LICENSE-2.0
 
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   A copy of the license terms follows:
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

MANUAL.md

@@ -0,0 +1,151 @@
+% CIS-HARDENING(8)
+%
+% 2016
+
+# NAME
+
+cis-hardening - CIS Debian 9/10 Hardening
+
+# SYNOPSIS
+
+**hardening.sh** RUN_MODE [OPTIONS]
+
+# DESCRIPTION
+
+Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
+
+# SCRIPTS CONFIGURATION
+
+Hardening scripts are in `bin/hardening`. Each script has a corresponding
+configuration file in `etc/conf.d/[script_name].cfg`.
+
+Each hardening script can be individually enabled from its configuration file.
+For example, this is the default configuration file for `disable_system_accounts`:
+
+```
+# Configuration for script of same name
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+```
+
+**status** parameter may take 3 values:
+
+- `disabled` (do nothing): The script will not run.
+- `audit` (RO): The script will check if any change should be applied.
+- `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
+
+Global configuration is in `etc/hardening.cfg`. This file controls the log level
+as well as the backup directory. Whenever a script is instructed to edit a file, it
+will create a timestamped backup in this directory.
+
+
+# RUN MODE
+
+`-h`, `--help`
+:   Display a friendly help message.
+
+`--apply`
+:   Apply hardening for enabled scripts.
+    Beware that NO confirmation is asked whatsoever, which is why you're warmly
+    advised to use `--audit` before, which can be regarded as a dry-run mode.
+
+`--audit`
+:   Audit configuration for enabled scripts.
+    No modification will be made on the system, we'll only report on your system
+    compliance for each script.
+
+`--audit-all`
+:   Same as `--audit`, but for *all* scripts, even disabled ones.
+    This is a good way to peek at your compliance level if all scripts were enabled,
+    and might be a good starting point.
+
+`--audit-all-enable-passed`
+:   Same as `--audit-all`, but in addition, will *modify* the individual scripts
+    configurations to enable those which passed for your system.
+    This is an easy way to enable scripts for which you're already compliant.
+    However, please always review each activated script afterwards, this option
+    should only be regarded as a way to kickstart a configuration from scratch.
+    Don't run this if you have already customized the scripts enable/disable
+    configurations, obviously.
+
+`--create-config-files-only`
+:   Create the config files in etc/conf.d
+    Must be run as root, before running the audit with user secaudit
+
+`-set-hardening-level=level`
+:   Modifies the configuration to enable/disable tests given an hardening level,
+    between 1 to 5. Don't run this if you have already customized the scripts
+    enable/disable configurations.
+    1: very basic policy, failure to pass tests at this level indicates severe
+        misconfiguration of the machine that can have a huge security impact
+    2: basic policy, some good practice rules that, once applied, shouldn't
+        break anything on most systems
+    3: best practices policy, passing all tests might need some configuration
+        modifications (such as specific partitioning, etc.)
+    4: high security policy, passing all tests might be time-consuming and
+        require high adaptation of your workflow
+    5: placebo, policy rules that might be very difficult to apply and maintain,
+        with questionable security benefits
+
+`--allow-service=service`
+:   Use with `--set-hardening-level`.
+    Modifies the policy to allow a certain kind of services on the machine, such
+    as http, mail, etc. Can be specified multiple times to allow multiple services.
+    Use --allow-service-list to get a list of supported services.
+
+# OPTIONS
+
+`--allow-service-list`
+:   Get a list of supported service.
+
+  
+`--only test-number`
+:    Modifies the RUN_MODE to only work on the test_number script.
+    Can be specified multiple times to work only on several scripts.
+    The test number is the numbered prefix of the script,
+    i.e. the test number of 1.2_script_name.sh is 1.2.
+
+`--sudo`
+:   This option lets you audit your system as a normal user, but allows sudo
+    escalation to gain read-only access to root files. Note that you need to
+    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+    the -n option instructs sudo not to prompt for a password.
+    Finally note that `--sudo` mode only works for audit mode.
+
+`--batch`
+:   While performing system audit, this option sets LOGLEVEL to 'ok' and
+    captures all output to print only one line once the check is done, formatted like :
+    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
+
+# AUTHORS
+
+- Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+- Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+- Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
+- Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
+
+# COPYRIGHT
+
+Copyright 2020 OVHcloud
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+# SEE ALSO
+
+- **Center for Internet Security**: https://www.cisecurity.org/
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
+- **Project repository**: https://github.com/ovh/debian-cis
+

README.md

@@ -1,44 +1,60 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 9/10 Hardening
 
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
+report issues if you find any !
+
+
+<p align="center">
+      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
+</p>
+
+![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
+![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
+![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
+
+![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
+![License](https://img.shields.io/github/license/ovh/debian-cis)
+---
+
+Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
-13.15_check_duplicate_gid [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Performing audit
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
-         Total Runned Checks : 191
-         Total Passed Checks : [ 170/191 ]
-         Total Failed Checks : [  21/191 ]
-   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 89.01 %
+      Total Available Checks : 232
+         Total Runned Checks : 166
+         Total Passed Checks : [ 142/166 ]
+         Total Failed Checks : [  24/166 ]
+   Enabled Checks Percentage : 71.00 %
+       Conformity Percentage : 85.00 %
 ```
 
-## Quickstart
+## :dizzy: Quickstart
 
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
 $ bin/hardening/1.1_install_updates.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
-1.1_install_updates [INFO] Checking Configuration
-1.1_install_updates [INFO] Performing audit
-1.1_install_updates [INFO] Checking if apt needs an update
-1.1_install_updates [INFO] Fetching upgrades ...
-1.1_install_updates [ OK ] No upgrades available
-1.1_install_updates [ OK ] Check Passed
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
 
-## Usage
+## :hammer: Usage
 
 ### Configuration
 
@@ -72,7 +88,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
 
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
+
+ ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@@ -80,16 +98,29 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
 
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
-## Hacking
+``--only <check_number>``: run only the selected checks.
+
+``--set-hardening-level``: run all checks that are lower or equal to the selected level.
+Do NOT use this option if you have already started to customize your configuration.
+
+``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
+to allow a certain kind of services on the machine, such as http, mail, etc.
+Can be specified multiple times to allow multiple services.
+Use --allow-service-list to get a list of supported services.
+
+``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
+before running the audit with user secaudit, to have the rights setup well on the conf files.
+
+## :computer: Hacking
 
 **Getting the source**
 
@@ -110,6 +141,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
+Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
+
+If the check replace somehow one that is in the CIS specifications,
+you can use the numerotation of the check it replaces inplace. For example we check
+the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
+
+Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
+(part of OVHcloud security policy)
+
 
 Code your check explaining what it does then if you want to test
 
@@ -117,7 +157,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 
 Functional tests are available. They are to be run in a Docker environment.
 
@@ -125,7 +165,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian9` or `debian10`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@@ -151,10 +191,49 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
 
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
+and that we will not test the apply function. It's because the check is very basic
+(like a package install) and that a test on it is not really necessary.
+
+Furthermore, some tests are disabled on docker because there not pertinent (kernel 
+modules, grub, partitions, ...)
+You can disable a check on docker with:
+```bash
+if [ -f "/.dockerenv" ]; then
+  skip "SKIPPED on docker"
+else
+...
+fi
+```
+
+## :art: Coding style
+### Shellcheck
+
+We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
+correctness of the scripts and to respect best practices.
+It can be used directly with the docker environnment to check all scripts 
+compliancy. By default it runs on every `.sh` it founds.
+
+```console
+$ ./shellcheck/launch_shellcheck.sh [name of script...]
+```
+
+### Shellfmt
+
+We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
+consistent style in every script. 
+Identically to shellcheck, it can be run through a script with the following:
+
+```console
+$ ./shellfmt/launch_shellfmt.sh
+```
+It will automatically fix any styling problem on every script.
+
+
+## :heavy_exclamation_mark: Disclaimer
 
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
@@ -163,7 +242,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@@ -171,13 +250,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-## Reference
+## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 
-## License
-
-3-Clause BSD
+## :page_facing_up: License
 
+Apache, Version 2.0

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 

bin/hardening/1.1.1.6_disable_udf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=5
+# shellcheck disable=2034
+DESCRIPTION="Limit mounting of FAT filesystems."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_VFAT_FS"
+MODULE_FILE="vfat"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11_var_log_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.11 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -1,11 +1,12 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
 
 #
-# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.13_home_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.13 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.23 Disable USB storage (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable USB storage."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_USB_STORAGE"
+MODULE_FILE="usb-storage"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.6_var_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.6 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.3.1_install_sudo.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.1 Ensure sudo is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
+
+PACKAGE='sudo'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.3.2_pty_sudo.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.2 Ensure sudo commands use pty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
+
+PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        crit "Defaults use_pty not found in sudoers files"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        warn "Defaults use_pty not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.3.3_logfile_sudo.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.3 Ensure sudo log file exists (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo log files exists."
+
+PATTERN="^\s*Defaults\s+logfile=\S+"
+LOGFILE="/var/log/sudo.log"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        crit "Defaults log file not found in sudoers files"
+    fi
+}
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        warn "Defaults log file not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.4.1_install_tripwire.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
 
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 PACKAGE='tripwire'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/1.4.2_tripwire_cron.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.2_bootloader_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.3_root_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.3 Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.1_enable_nx_support.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.2_enable_randomized_vm_placement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.3_disable_prelink.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.4 Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.1 Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.7.1.1_install_apparmor.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure AppArmor is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Install AppArmor."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.6.2.1 Activate AppArmor (Scored)
+# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 
 set -e # One error, it's over
@@ -17,16 +17,18 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 
-PACKAGE='apparmor'
+PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is absent!"
-    else
-        ok "$PACKAGE is installed"
-    fi
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -43,19 +45,22 @@ audit() {
     done
     IFS=$d_IFS
     if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
 
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
-    else
-        ok "$PACKAGE is installed"
-    fi
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -76,7 +81,7 @@ apply() {
         $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
         $SUDO_CMD update-grub
     else
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
     fi
 }
 

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce or complain AppArmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGES is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
+        aa-complain /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce Apparmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        crit "Some processes are in complain mode"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        warn "Some processes are in complain mode, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.8.1.1_remove_os_info_motd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.2_remove_os_info_issue.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.3_remove_os_info_issue_net.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.4_motd_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.5_etc_issue_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.6_etc_issue_net_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.2_graphical_warning_banners.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.2 Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.9_install_updates.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure systemd-timesyncd."
+
+SERVICE_NAME="systemd-timesyncd"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
+        ok "$SERVICE_NAME is enabled"
+    else
+        crit "$SERVICE_NAME is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.17_disable_nis.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.5 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -15,16 +15,16 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
-DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
+DESCRIPTION="Disable NIS Server."
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    :
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    :
 }
 
 # This function will check config parameters required

bin/hardening/3.1.1_disable_ipv6.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.7 Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.1.2_disable_wireless.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.6 Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.2.1_disable_send_packet_redirects.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.2 Ensure packet redirect sending is disabled (Scored)
+# 3.2.1 Ensure packet redirect sending is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.2.2_disable_ip_forwarding.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.1 Ensure IP forwarding is disabled (Scored)
+# 3.2.2 Ensure IP forwarding is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.1_disable_source_routed_packets.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.1 Ensure source routed packets are not accepted (Scored)
+# 3.3.1 Ensure source routed packets are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.2_disable_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.3_disable_secure_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.4_log_martian_packets.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.4 Ensure suspicious packets are logged (Scored)
+# 3.3.4 Ensure suspicious packets are logged (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.5_ignore_broadcast_requests.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+# 3.3.5 Ensure broadcast ICMP requests are ignored (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.6_enable_bad_error_message_protection.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.7_enable_source_route_validation.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+# 3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.8_enable_tcp_syn_cookies.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+# 3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.5.1.1_enable_firewall.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.5 Ensure Firewall is active (Scored)
+# 3.5.1.1 Ensure Firewall is active (Scored)
 #
 
 set -e # One error, it's over
@@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
 
-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
+# At OVH, we use iptables
 
 PACKAGE='iptables'
 

bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.5.1.1 Ensure default deny firewall policy (Scored)
+# 3.5.4.1.1 Ensure default deny firewall policy (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.1_install_auditd.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.1 Ensure auditing is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Install auditd."
+
+PACKAGE="auditd"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        warn "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.1.1.2_enable_auditd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.2 Ensure auditd service is enabled (Scored)
+# 4.1.1.2 Ensure auditd service is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.3_audit_bootloader.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.4_audit_backlog_limit.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure audit_backlog_limit to be sufficient."
+
+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for GRUB_OPTION in $OPTIONS; do
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for GRUB_OPTION in $OPTIONS; do
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
+            else
+                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.1.10_record_failed_access_file.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.11_record_privileged_commands.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.12 Ensure use of privileged commands is collected (Scored)
+# 4.1.11 Ensure use of privileged commands is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.12_record_successful_mount.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.13 Ensure successful file system mounts are collected (Scored)
+# 4.1.12 Ensure successful file system mounts are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.13_record_file_deletions.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.14 Ensure file deletion events by users are collected (Scored)
+# 4.1.13 Ensure file deletion events by users are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.14_record_sudoers_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+# 4.1.14 Ensure changes to system administration scope (sudoers) is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.15_record_sudo_usage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+# 4.1.15 Ensure system administrator actions (sudolog) are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.16_record_kernel_modules.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+# 4.1.16 Ensure kernel module loading and unloading is collected (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,7 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect kernel module loading and unloading."
 
-AUDIT_PARAMS='-w /sbin/insmod -p x -k modules 
+AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'

bin/hardening/4.1.17_freeze_auditd_conf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.18 Ensure the audit configuration is immutable (Scored)
+# 4.1.17 Ensure the audit configuration is immutable (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.1_audit_log_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.1 Ensure audit log storage size is configured (Scored)
+# 4.1.2.1 Ensure audit log storage size is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.2_halt_when_audit_log_full.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+# 4.1.2.2 Ensure system is disabled when audit logs are full (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.3_keep_all_audit_logs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+# 4.1.2.3 Ensure audit logs are not automatically deleted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.3_record_date_time_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.4 Ensure events that modify date and time information are collected (Scored)
+# 4.1.3 Ensure events that modify date and time information are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.4_record_user_group_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.5 Ensure events that modify user/group information are collected (Scored)
+# 4.1.4 Ensure events that modify user/group information are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.5_record_network_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+# 4.1.5 Ensure events that modify the system's network environment are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.6_record_mac_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.7 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
+# 4.1.6 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.7_record_login_logout.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.8 Ensure login and logout events are collected (Scored)
+# 4.1.7 Ensure login and logout events are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.8_record_session_init.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.9 Ensure session initiation information is collected (Scored)
+# 4.1.8 Ensure session initiation information is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.9_record_dac_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+# 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.1_install_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.3 Ensure Syslog-ng is installed (Scored)
+# 4.2.1.1 Ensure syslog-ng is installed (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install syslog-ng to manage logs"
 
-# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
 PACKAGE='syslog-ng'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/4.2.1.2_enable_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+# 4.2.1.2 Ensure syslog-ng service is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.3_configure_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.2 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+# 4.2.1.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh

@@ -6,19 +6,19 @@
 #
 
 #
-# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
+# 4.2.1.4 Create and Set Permissions on syslog-ng Log Files (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-# Note: this is not exacly the same check as the one described in CIS PDF
-
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 
+# Note: this is not exacly the same check as the one described in CIS PDF
+
 PERMISSIONS=''
 USER=''
 GROUP=''

bin/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+# 4.2.1.5 Ensure syslog-ng is configured to send logs to a remote log host (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.1.6 Ensure remote syslog-ng messages are only accepted on designated log hosts. (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
+
+REMOTE_HOST=""
+PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    for FILE in $FILES; do
+        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$REMOTE_HOST" ]]; then
+        info "This is the remote host, checking that it only accepts logs from specified zone"
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES"
+        fi
+    else
+        info "This is the not the remote host checking that it doesn't accept remote logs"
+        if [ "$FOUND" = 1 ]; then
+            crit "$PATTERN is present in $FILES"
+        else
+            ok "$PATTERN is not present in $FILES"
+        fi
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    for FILE in $FILES; do
+        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$REMOTE_HOST" ]]; then
+        info "This is the remote host, checking that it only accepts logs from specified zone"
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
+        fi
+    else
+        info "This is the not the remote host checking that it doesn't accept remote logs"
+        if [ "$FOUND" = 1 ]; then
+            warn "$PATTERN is present in $FILES, "
+        else
+            ok "$PATTERN is not present in $FILES"
+        fi
+
+    fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+SYSLOG_BASEDIR='/etc/syslog-ng'
+# Put here if it's the remote host or not
+REMOTE_HOST=false
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.2.1_journald_logs.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+FILE='/etc/systemd/journald.conf'
+OPTIONS='ForwardToSyslog=yes'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for JOURNALD_OPTION in $OPTIONS; do
+            JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+            JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+            PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for JOURNALD_OPTION in $OPTIONS; do
+        JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+        JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+            else
+                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.2.2_journald_compress.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.2 Ensure journald is configured to compress large files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+FILE='/etc/systemd/journald.conf'
+OPTIONS='Compress=yes'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for JOURNALD_OPTION in $OPTIONS; do
+            JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+            JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+            PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for JOURNALD_OPTION in $OPTIONS; do
+        JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+        JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+            else
+                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi