ADD(4.2.1.6): add new syslog-ng check

renamed:    bin/hardening/6.2.7_users_valid_homedir.sh -> bin/hardening/6.2.3_users_valid_homedir.sh
	renamed:    bin/hardening/6.2.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    bin/hardening/6.2.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    bin/hardening/6.2.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    bin/hardening/6.2.6_sanitize_root_path.sh -> bin/hardening/6.2.7_sanitize_root_path.sh
	renamed:    tests/hardening/6.2.7_users_valid_homedir.sh -> tests/hardening/6.2.3_users_valid_homedir.sh
	renamed:    tests/hardening/6.2.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    tests/hardening/6.2.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    tests/hardening/6.2.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    tests/hardening/6.2.6_sanitize_root_path.sh -> tests/hardening/6.2.7_sanitize_root_path.sh

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 

bin/hardening/1.1.1.6_disable_udf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=5
+# shellcheck disable=2034
+DESCRIPTION="Limit mounting of FAT filesystems."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_VFAT_FS"
+MODULE_FILE="vfat"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11_var_log_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.11 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -1,11 +1,12 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
 
 #
-# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.13_home_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.13 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.23 Disable USB storage (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable USB storage."
+
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_USB_STORAGE"
+MODULE_FILE="usb-storage"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled!"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.6_var_partition.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.1.6 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.3.1_install_sudo.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.1 Ensure sudo is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
+
+PACKAGE='sudo'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.3.2_pty_sudo.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.2 Ensure sudo commands use pty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
+
+PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        crit "Defaults use_pty not found in sudoers files"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        warn "Defaults use_pty not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.3.3_logfile_sudo.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.3 Ensure sudo log file exists (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo log files exists."
+
+PATTERN="^\s*Defaults\s+logfile=\S+"
+LOGFILE="/var/log/sudo.log"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        crit "Defaults log file not found in sudoers files"
+    fi
+}
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        warn "Defaults log file not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.4.1_install_tripwire.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
 
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 PACKAGE='tripwire'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/1.4.2_tripwire_cron.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.2_bootloader_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.5.3_root_password.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.4.3 Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.1_enable_nx_support.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.2_enable_randomized_vm_placement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.3_disable_prelink.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.4 Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.1 Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.7.1.1_install_apparmor.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure AppArmor is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Install AppArmor."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.6.2.1 Activate AppArmor (Scored)
+# 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 
 set -e # One error, it's over
@@ -17,16 +17,18 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 
-PACKAGE='apparmor'
+PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is absent!"
-    else
-        ok "$PACKAGE is installed"
-    fi
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -43,19 +45,22 @@ audit() {
     done
     IFS=$d_IFS
     if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
 
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
-    else
-        ok "$PACKAGE is installed"
-    fi
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -76,7 +81,7 @@ apply() {
         $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
         $SUDO_CMD update-grub
     else
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
     fi
 }
 

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce or complain AppArmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGES is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
+        aa-complain /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce Apparmor profiles."
+
+PACKAGES='apparmor apparmor-utils'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        crit "Some processes are in complain mode"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        warn "Some processes are in complain mode, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.8.1.1_remove_os_info_motd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.2_remove_os_info_issue.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.3_remove_os_info_issue_net.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.4_motd_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.5_etc_issue_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.1.6_etc_issue_net_perms.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.8.2_graphical_warning_banners.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.7.2 Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/1.9_install_updates.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure systemd-timesyncd."
+
+SERVICE_NAME="systemd-timesyncd"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" = 0 ]; then
+        ok "$SERVICE_NAME is enabled"
+    else
+        crit "$SERVICE_NAME is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.17_disable_nis.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.5 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+# 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 
 set -e # One error, it's over
@@ -15,16 +15,16 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
-DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
+DESCRIPTION="Disable NIS Server."
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    :
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    :
 }
 
 # This function will check config parameters required

bin/hardening/3.1.1_disable_ipv6.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.7 Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.1.2_disable_wireless.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.6 Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.2.1_disable_send_packet_redirects.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.2 Ensure packet redirect sending is disabled (Scored)
+# 3.2.1 Ensure packet redirect sending is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.2.2_disable_ip_forwarding.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.1.1 Ensure IP forwarding is disabled (Scored)
+# 3.2.2 Ensure IP forwarding is disabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.1_disable_source_routed_packets.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.1 Ensure source routed packets are not accepted (Scored)
+# 3.3.1 Ensure source routed packets are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.2_disable_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.3_disable_secure_icmp_redirect.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.4_log_martian_packets.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.4 Ensure suspicious packets are logged (Scored)
+# 3.3.4 Ensure suspicious packets are logged (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.5_ignore_broadcast_requests.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+# 3.3.5 Ensure broadcast ICMP requests are ignored (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.6_enable_bad_error_message_protection.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.7_enable_source_route_validation.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+# 3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.8_enable_tcp_syn_cookies.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+# 3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/3.5.1.1_enable_firewall.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.5 Ensure Firewall is active (Scored)
+# 3.5.1.1 Ensure Firewall is active (Scored)
 #
 
 set -e # One error, it's over
@@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
 
-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
+# At OVH, we use iptables
 
 PACKAGE='iptables'
 

bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 3.5.1.1 Ensure default deny firewall policy (Scored)
+# 3.5.4.1.1 Ensure default deny firewall policy (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.1_install_auditd.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.1 Ensure auditing is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Install auditd."
+
+PACKAGE="auditd"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        warn "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.1.1.2_enable_auditd.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.2 Ensure auditd service is enabled (Scored)
+# 4.1.1.2 Ensure auditd service is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.3_audit_bootloader.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.4_audit_backlog_limit.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure audit_backlog_limit to be sufficient."
+
+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for GRUB_OPTION in $OPTIONS; do
+            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for GRUB_OPTION in $OPTIONS; do
+        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
+        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
+        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
+            else
+                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.1.10_record_failed_access_file.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.11_record_privileged_commands.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.12 Ensure use of privileged commands is collected (Scored)
+# 4.1.11 Ensure use of privileged commands is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.12_record_successful_mount.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.13 Ensure successful file system mounts are collected (Scored)
+# 4.1.12 Ensure successful file system mounts are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.13_record_file_deletions.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.14 Ensure file deletion events by users are collected (Scored)
+# 4.1.13 Ensure file deletion events by users are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.14_record_sudoers_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+# 4.1.14 Ensure changes to system administration scope (sudoers) is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.15_record_sudo_usage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+# 4.1.15 Ensure system administrator actions (sudolog) are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.16_record_kernel_modules.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+# 4.1.16 Ensure kernel module loading and unloading is collected (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,7 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect kernel module loading and unloading."
 
-AUDIT_PARAMS='-w /sbin/insmod -p x -k modules 
+AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'

bin/hardening/4.1.17_freeze_auditd_conf.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.18 Ensure the audit configuration is immutable (Scored)
+# 4.1.17 Ensure the audit configuration is immutable (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.1_audit_log_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.1 Ensure audit log storage size is configured (Scored)
+# 4.1.2.1 Ensure audit log storage size is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.2_halt_when_audit_log_full.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+# 4.1.2.2 Ensure system is disabled when audit logs are full (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.2.3_keep_all_audit_logs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+# 4.1.2.3 Ensure audit logs are not automatically deleted (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.3_record_date_time_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.4 Ensure events that modify date and time information are collected (Scored)
+# 4.1.3 Ensure events that modify date and time information are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.4_record_user_group_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.5 Ensure events that modify user/group information are collected (Scored)
+# 4.1.4 Ensure events that modify user/group information are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.5_record_network_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+# 4.1.5 Ensure events that modify the system's network environment are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.6_record_mac_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.7 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
+# 4.1.6 Ensure that events that modify the system's Mandatory Access Controls are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.7_record_login_logout.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.8 Ensure login and logout events are collected (Scored)
+# 4.1.7 Ensure login and logout events are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.8_record_session_init.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.9 Ensure session initiation information is collected (Scored)
+# 4.1.8 Ensure session initiation information is collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.9_record_dac_edit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+# 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.1_install_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.3 Ensure Syslog-ng is installed (Scored)
+# 4.2.1.1 Ensure syslog-ng is installed (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install syslog-ng to manage logs"
 
-# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
 PACKAGE='syslog-ng'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/4.2.1.2_enable_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+# 4.2.1.2 Ensure syslog-ng service is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.3_configure_syslog-ng.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.2 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+# 4.2.1.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh

@@ -6,19 +6,19 @@
 #
 
 #
-# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
+# 4.2.1.4 Create and Set Permissions on syslog-ng Log Files (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-# Note: this is not exacly the same check as the one described in CIS PDF
-
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 
+# Note: this is not exacly the same check as the one described in CIS PDF
+
 PERMISSIONS=''
 USER=''
 GROUP=''

bin/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+# 4.2.1.5 Ensure syslog-ng is configured to send logs to a remote log host (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.1.6 Ensure remote syslog-ng messages are only accepted on designated log hosts. (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
+
+REMOTE_HOST=""
+PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    for FILE in $FILES; do
+        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$REMOTE_HOST" ]]; then
+        info "This is the remote host, checking that it only accepts logs from specified zone"
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES"
+        fi
+    else
+        info "This is the not the remote host checking that it doesn't accept remote logs"
+        if [ "$FOUND" = 1 ]; then
+            crit "$PATTERN is present in $FILES"
+        else
+            ok "$PATTERN is not present in $FILES"
+        fi
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    for FILE in $FILES; do
+        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$REMOTE_HOST" ]]; then
+        info "This is the remote host, checking that it only accepts logs from specified zone"
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
+        fi
+    else
+        info "This is the not the remote host checking that it doesn't accept remote logs"
+        if [ "$FOUND" = 1 ]; then
+            warn "$PATTERN is present in $FILES, "
+        else
+            ok "$PATTERN is not present in $FILES"
+        fi
+
+    fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+SYSLOG_BASEDIR='/etc/syslog-ng'
+# Put here if it's the remote host or not
+REMOTE_HOST=false
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.2.1_journald_logs.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+FILE='/etc/systemd/journald.conf'
+OPTIONS='ForwardToSyslog=yes'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for JOURNALD_OPTION in $OPTIONS; do
+            JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+            JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+            PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for JOURNALD_OPTION in $OPTIONS; do
+        JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+        JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+            else
+                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.2.2_journald_compress.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.2 Ensure journald is configured to compress large files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+FILE='/etc/systemd/journald.conf'
+OPTIONS='Compress=yes'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for JOURNALD_OPTION in $OPTIONS; do
+            JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+            JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+            PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for JOURNALD_OPTION in $OPTIONS; do
+        JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+        JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+            else
+                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.2.3_journald_write_persistent.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to write to a persistent location."
+
+FILE='/etc/systemd/journald.conf'
+OPTIONS='Storage=persistent'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    else
+        ok "$FILE exists, checking configuration"
+        for JOURNALD_OPTION in $OPTIONS; do
+            JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+            JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+            PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in $FILE"
+            else
+                ok "$PATTERN is present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist, creating it"
+        touch "$FILE"
+    else
+        ok "$FILE exists"
+    fi
+    for JOURNALD_OPTION in $OPTIONS; do
+        JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+        JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+            if [ "$FNRET" != 0 ]; then
+                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+            else
+                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+            fi
+        else
+            ok "$PATTERN is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/4.2.3_logs_permissions.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+# 4.2.3 Ensure permissions on all logfiles are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.3_configure_logrotate.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #

bin/hardening/4.4_logrotate_permissions.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.4 Ensure logrotate assigns approriate permissions (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure logrotate to assign appropriate permissions."
+
+FILE="/etc/logrotate.conf"
+PATTERN="^\s*create\s+\S+"
+PERMISSIONS=0640
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        crit "Logrotate permissions are not configured"
+    else
+        if grep -E "$PATTERN" "$FILE" | grep -E -v "\s(0)?[0-6][04]0\s"; then
+            crit "Logrotate permissions are not set to $PERMISSIONS"
+        else
+            ok "Logrotate permissions are well configured"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    does_pattern_exist_in_file "$FILE" "$PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        warn "Logrotate permissions are not configured, fixing it"
+        add_end_of_file "$FILE" "create $PERMISSIONS root utmp"
+    else
+        RESULT=$(grep -E "$PATTERN" "$FILE" | grep -E -v "\s(0)?[0-6][04]0\s")
+        if [[ -n "$RESULT" ]]; then
+            warn "Logrotate permissions are not set to $PERMISSIONS, fixing it"
+            d_IFS=$IFS
+            c_IFS=$'\n'
+            IFS=$c_IFS
+            for SOURCE in $RESULT; do
+                replace_in_file "$FILE" "$SOURCE" "create $PERMISSIONS root utmp"
+            done
+            IFS=$d_IFS
+        else
+            ok "Logrotate permissions are well configured"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.14_ssh_cry_mac.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -7,7 +7,6 @@
 
 #
 # 5.2.16 Ensure SSH Idle Timeout Interval is configured (Scored)
-# FIXME: the implementation of this script doesn't do what it says
 #
 
 set -e # One error, it's over

bin/hardening/5.2.20_enable_ssh_pam.sh

@@ -2,23 +2,23 @@
 
 # run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# CIS Debian Hardening
 #
 
 #
-# SSH log level is set to VERBOSE
+# 5.2.20 Ensure SSH PAM is enabled (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-DESCRIPTION="SSH log level is set to VERBOSE"
+HARDENING_LEVEL=3
 # shellcheck disable=2034
-HARDENING_LEVEL=2
+DESCRIPTION="Enable SSH PAM."
 
 PACKAGE='openssh-server'
-OPTIONS='LogLevel=VERBOSE'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
+            does_pattern_exist_in_file $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,19 +55,19 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
                 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
                 replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
             fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
+            /etc/init.d/ssh reload
         fi
     done
 }
@@ -77,6 +77,16 @@ check_config() {
     :
 }
 
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of usepam
+# Settles sshd usepam
+OPTIONS='usepam=yes'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default

bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.21 Ensure SSH AllowTCPForwarding is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Disable SSH AllowTCPForwarding."
+
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of AllowTCPForwarding
+# Settles sshd allowtcpforwarding
+OPTIONS='AllowTCPForwarding=no'
+EOF
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/5.2.22_configure_ssh_max_startups.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.22 Ensure SSH MaxStartups is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure SSHMaxStartups."
+
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of maxstartups 
+# 0: Number of unauthenticated connections before we start dropping
+# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
+# 60: Maximum number of connections at which we start dropping everything
+# Settles sshd maxstartups
+OPTIONS='maxstartups=10:30:60'
+EOF
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi