bump to 4.0-1

fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186 )
On systems where /etc/sudoers.d might be updated often by some automated means, this check might raise a critical when a previously present file (during the ls) is no longer present (during its attempted read), so before raising a critical, re-check that it does exists first.
2025-07-16 22:02:17 +02:00 · 2023-07-10 07:21:13 +00:00 · 2023-07-03 17:05:45 +02:00 · 2023-05-05 12:32:22 +02:00 · 2023-05-02 18:06:59 +02:00 · 2023-05-02 18:01:53 +02:00
392 changed files with 8437 additions and 1844 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,7 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -0,0 +1,17 @@
 ---
 name: Compile debian man
 on:
  - push
 jobs:
  compile-debian-man:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Produce debian man
        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
      - uses: EndBug/add-and-commit@v9
        with:
          add: 'debian/cis-hardening.8'
          message: 'Regenerate man pages (Github action)'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -0,0 +1,20 @@
 ---
 name: Run functionnal tests
 on:
  - pull_request
  - push
 jobs:
  functionnal-tests-docker-debian10:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -0,0 +1,64 @@
 ---
 name: Create Pre-Release
 on:
  push:
    branches:
      - master
 jobs:
  build:
    name: Create Pre-Release
    runs-on: ubuntu-latest
    steps:
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v3
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.2.1
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
        uses: metcalfc/changelog-generator@v4.1.0
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
      # CREATE RELEASE NAMED LATEST
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: latest
          release_name: Pre-release
          body: ${{ steps.changelog.outputs.changelog }}
          draft: false
          prerelease: true
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -0,0 +1,29 @@
 ---
 name: Run shell-linter
 on:
  - push
  - pull_request
 jobs:
  shellfmt:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Run the sh-checker
        uses: luizm/action-sh-checker@v0.7.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
        with:
          sh_checker_shellcheck_disable: true
          sh_checker_comment: true
          sh_checker_exclude: |
                              src/
                              debian/postrm
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Run shellcheck
        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -0,0 +1,64 @@
 ---
 name: Create Release
 on:
  push:
    tags:
      - 'v*'
 jobs:
  build:
    name: Create Release
    runs-on: ubuntu-latest
    steps:
      # GET VERSION TAG
      - name: Get latest version number
        id: vars
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          ref: ${{ steps.vars.outputs.tag }}
      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
      - name: Generate changelog
        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
      - name: Abort if changelog is empty
        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.2.1
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # CREATE RELEASE
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          body_path: changelog.md
          draft: false
          prerelease: false
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/7
+++ b/7
@ -1,8 +1,9 @@
 Contributors of this project :
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
--- a/211
+++ b/211
@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
+Copyright 2020 OVHcloud
 All rights reserved.
-Redistribution and use in source and binary forms, with or without
+   Licensed under the Apache License, Version 2.0 (the "License");
-modification, are permitted provided that the following conditions are met:
+   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
-  * Redistributions of source code must retain the above copyright
+       http://www.apache.org/licenses/LICENSE-2.0
    notice, this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
  * Neither the name of OVH SAS nor the
    names of its contributors may be used to endorse or promote products
    derived from this software without specific prior written permission.
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
+   Unless required by applicable law or agreed to in writing, software
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   distributed under the License is distributed on an "AS IS" BASIS,
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+   See the License for the specific language governing permissions and
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+   limitations under the License.
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+   A copy of the license terms follows:
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+                                 Apache License
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
--- a/MANUAL.md
+++ b/MANUAL.md
@ -0,0 +1,160 @@
 % CIS-HARDENING(8)
 %
 % 2016
 # NAME
 cis-hardening - CIS Debian 9/10 Hardening
 # SYNOPSIS
 **hardening.sh** RUN_MODE [OPTIONS]
 # DESCRIPTION
 Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 # SCRIPTS CONFIGURATION
 Hardening scripts are in `bin/hardening`. Each script has a corresponding
 configuration file in `etc/conf.d/[script_name].cfg`.
 Each hardening script can be individually enabled from its configuration file.
 For example, this is the default configuration file for `disable_system_accounts`:
 ```
 # Configuration for script of same name
 status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""
 ```
 **status** parameter may take 3 values:
 - `disabled` (do nothing): The script will not run.
 - `audit` (RO): The script will check if any change should be applied.
 - `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
 Global configuration is in `etc/hardening.cfg`. This file controls the log level
 as well as the backup directory. Whenever a script is instructed to edit a file, it
 will create a timestamped backup in this directory.
 # RUN MODE
 `-h`, `--help`
 :   Display a friendly help message.
 `--apply`
 :   Apply hardening for enabled scripts.
    Beware that NO confirmation is asked whatsoever, which is why you're warmly
    advised to use `--audit` before, which can be regarded as a dry-run mode.
 `--audit`
 :   Audit configuration for enabled scripts.
    No modification will be made on the system, we'll only report on your system
    compliance for each script.
 `--audit-all`
 :   Same as `--audit`, but for *all* scripts, even disabled ones.
    This is a good way to peek at your compliance level if all scripts were enabled,
    and might be a good starting point.
 `--audit-all-enable-passed`
 :   Same as `--audit-all`, but in addition, will *modify* the individual scripts
    configurations to enable those which passed for your system.
    This is an easy way to enable scripts for which you're already compliant.
    However, please always review each activated script afterwards, this option
    should only be regarded as a way to kickstart a configuration from scratch.
    Don't run this if you have already customized the scripts enable/disable
    configurations, obviously.
 `--create-config-files-only`
 :   Create the config files in etc/conf.d
    Must be run as root, before running the audit with user secaudit
 `-set-hardening-level=level`
 :   Modifies the configuration to enable/disable tests given an hardening level,
    between 1 to 5. Don't run this if you have already customized the scripts
    enable/disable configurations.
    1: very basic policy, failure to pass tests at this level indicates severe
        misconfiguration of the machine that can have a huge security impact
    2: basic policy, some good practice rules that, once applied, shouldn't
        break anything on most systems
    3: best practices policy, passing all tests might need some configuration
        modifications (such as specific partitioning, etc.)
    4: high security policy, passing all tests might be time-consuming and
        require high adaptation of your workflow
    5: placebo, policy rules that might be very difficult to apply and maintain,
        with questionable security benefits
 `--allow-service=service`
 :   Use with `--set-hardening-level`.
    Modifies the policy to allow a certain kind of services on the machine, such
    as http, mail, etc. Can be specified multiple times to allow multiple services.
    Use --allow-service-list to get a list of supported services.
 # OPTIONS
 `--allow-service-list`
 :   Get a list of supported service.
 `--only test-number`
 :    Modifies the RUN_MODE to only work on the test_number script.
    Can be specified multiple times to work only on several scripts.
    The test number is the numbered prefix of the script,
    i.e. the test number of 1.2_script_name.sh is 1.2.
 `--sudo`
 :   This option lets you audit your system as a normal user, but allows sudo
    escalation to gain read-only access to root files. Note that you need to
    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
    the -n option instructs sudo not to prompt for a password.
    Finally note that `--sudo` mode only works for audit mode.
 `--set-log-level=level`
 :   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
    Default value is : info
 `--batch`
 :   While performing system audit, this option sets LOGLEVEL to 'ok' and
    captures all output to print only one line once the check is done, formatted like :
    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 `--allow-unsupported-distribution`
    Must be specified manually in the command line to allow the run on non compatible
    version or distribution. If you want to mute the warning change the LOGLEVEL
    in /etc/hardening.cfg
 # AUTHORS
 - Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
 - Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
 - Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 - Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
 # COPYRIGHT
 Copyright 2020 OVHcloud
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 # SEE ALSO
 - **Center for Internet Security**: https://www.cisecurity.org/
 - **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **Project repository**: https://github.com/ovh/debian-cis
--- a/README.md
+++ b/README.md
@ -1,44 +1,57 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 10/11 Hardening
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+<p align="center">
      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
 </p>
 ![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
 ![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
 ![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
 ![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
-13.15_check_duplicate_gid [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
+6.2.19_check_duplicate_gr [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
+      Total Available Checks : 232
-         Total Runned Checks : 191
+         Total Runned Checks : 166
-         Total Passed Checks : [ 170/191 ]
+         Total Passed Checks : [ 142/166 ]
-         Total Failed Checks : [  21/191 ]
+         Total Failed Checks : [  24/166 ]
-   Enabled Checks Percentage : 100.00 %
+   Enabled Checks Percentage : 71.00 %
-       Conformity Percentage : 89.01 %
+       Conformity Percentage : 85.00 %
 ```
-## Quickstart
+## :dizzy: Quickstart
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
-1.1_install_updates [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
-1.1_install_updates [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
-1.1_install_updates [INFO] Checking if apt needs an update
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
-1.1_install_updates [INFO] Fetching upgrades ...
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
-1.1_install_updates [ OK ] No upgrades available
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
-1.1_install_updates [ OK ] Check Passed
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
-## Usage
+## :hammer: Usage
 ### Configuration
@ -72,7 +85,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
 ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,16 +95,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
-## Hacking
+``--only <check_number>``: run only the selected checks.
 ``--set-hardening-level``: run all checks that are lower or equal to the selected level.
 Do NOT use this option if you have already started to customize your configuration.
 ``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
 to allow a certain kind of services on the machine, such as http, mail, etc.
 Can be specified multiple times to allow multiple services.
 Use --allow-service-list to get a list of supported services.
 ``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
 Default value is : info
 ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
 before running the audit with user secaudit, to have the rights setup well on the conf files.
 ``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
 the run on non compatible version or distribution. If you want to mute the warning change the
 LOGLEVEL in /etc/hardening.cfg
 ## :computer: Hacking
 **Getting the source**
@ -110,6 +145,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
 Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
 If the check replace somehow one that is in the CIS specifications,
 you can use the numerotation of the check it replaces inplace. For example we check
 the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
 Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
 (part of OVHcloud security policy)
 Code your check explaining what it does then if you want to test
@ -117,7 +161,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 Functional tests are available. They are to be run in a Docker environment.
@ -125,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian10` or `debian11`.
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@ -151,10 +195,49 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
 and that we will not test the apply function. It's because the check is very basic
 (like a package install) and that a test on it is not really necessary.
 Furthermore, some tests are disabled on docker because there not pertinent (kernel 
 modules, grub, partitions, ...)
 You can disable a check on docker with:
 ```bash
 if [ -f "/.dockerenv" ]; then
  skip "SKIPPED on docker"
 else
 ...
 fi
 ```
 ## :art: Coding style
 ### Shellcheck
 We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
 correctness of the scripts and to respect best practices.
 It can be used directly with the docker environnment to check all scripts 
 compliancy. By default it runs on every `.sh` it founds.
 ```console
 $ ./shellcheck/launch_shellcheck.sh [name of script...]
 ```
 ### Shellfmt
 We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
 consistent style in every script. 
 Identically to shellcheck, it can be run through a script with the following:
 ```console
 $ ./shellfmt/launch_shellfmt.sh
 ```
 It will automatically fix any styling problem on every script.
 ## :heavy_exclamation_mark: Disclaimer
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
@ -163,7 +246,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -171,13 +254,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-## Reference
+## :satellite: Reference
 - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
-## License
+## :page_facing_up: License
 3-Clause BSD
 Apache, Version 2.0
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -26,6 +26,9 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 usage() {
    cat <<EOF
@ -98,11 +101,24 @@ OPTIONS:
        the '-n' option instructs sudo not to prompt for a password.
        Finally note that '--sudo' mode only works for audit mode.
    --set-log-level <level>
        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
        Default value is : info
    --summary-json
        While performing system audit, this option sets LOGLEVEL to silent and
        only output a json summary at the end
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
    --allow-unsupported-distribution
        Must be specified manually in the command line to allow the run on non compatible
        version or distribution. If you want to mute the warning change the LOGLEVEL
        in /etc/hardening.cfg
 EOF
    exit 0
 }
@ -143,6 +159,10 @@ while [[ $# -gt 0 ]]; do
        SET_HARDENING_LEVEL="$2"
        shift
        ;;
    --set-log-level)
        ASK_LOGLEVEL=$2
        shift
        ;;
    --only)
        TEST_LIST[${#TEST_LIST[@]}]="$2"
        shift
@ -150,9 +170,16 @@ while [[ $# -gt 0 ]]; do
    --sudo)
        SUDO_MODE='--sudo'
        ;;
    --summary-json)
        SUMMARY_JSON='--summary-json'
        ASK_LOGLEVEL=silent
        ;;
    --batch)
        BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
        ;;
    --allow-unsupported-distribution)
        ALLOW_UNSUPPORTED_DISTRIBUTION=1
        ;;
    -h | --help)
        usage
@ -179,16 +206,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
-# shellcheck source=../lib/constants.sh
+
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=../lib/constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
-if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 if [ "$DISTRIBUTION" != "debian" ]; then
    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
        echo "Exiting now"
        exit 100
    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
    fi
 else
    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    fi
 fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@ -244,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
    info "Treating $SCRIPT"
    if [ "$CREATE_CONFIG" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
    fi
    SCRIPT_EXITCODE=$?
@ -294,12 +358,24 @@ if [ "$BATCH_MODE" ]; then
    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
    else
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
    becho "$BATCH_SUMMARY"
 elif [ "$SUMMARY_JSON" ]; then
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
    else
        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
    fi
    printf '{'
    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
    printf '}\n'
 else
    printf "%40s\n" "################### SUMMARY ###################"
    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@ -307,8 +383,8 @@ else
    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
-    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.1 Disable Mounting of freevxfs Filesystems (Not Scored)
+# 1.1.1.1 Ensure Mounting of freevxfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -22,21 +22,31 @@ MODULE_NAME="freevxfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+            crit "$MODULE_NAME is enabled!"
        else
-        ok "$KERNEL_OPTION is disabled"
+            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.2 Disable Mounting of jffs2 Filesystems (Not Scored)
+# 1.1.1.2 Esnure mounting of jffs2 filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -22,21 +22,31 @@ MODULE_NAME="jffs2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.3 Disable Mounting of hfs Filesystems (Not Scored)
+# 1.1.1.3 Ensure mounting of hfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -18,25 +18,35 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable mounting of hfs filesystems."
 KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
+MODULE_NAME="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.4 Disable Mounting of hfsplus Filesystems (Not Scored)
+# 1.1.1.4 Ensure mounting of hfsplus filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -18,25 +18,35 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
+MODULE_NAME="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.1.7 Disable Mounting of squashfs Filesystems (Not Scored)
+# 1.1.1.5 Ensure mounting of squashfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
@ -18,28 +18,36 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
-MODULE_FILE="squashfs"
+MODULE_NAME="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
    :
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.6 Ensure mounting of udf filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_NAME="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -6,22 +6,25 @@
 #
 #
-# 1.1.1.5 Disable Mounting of udf Filesystems (Not Scored)
+# 1.1.1.7 Ensure mounting of FAT filesystems is limited (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
-HARDENING_LEVEL=2
+HARDENING_LEVEL=5
 # shellcheck disable=2034
-DESCRIPTION="Disable mounting of udf filesystems."
+DESCRIPTION="Limit mounting of FAT filesystems."
-KERNEL_OPTION="CONFIG_UDF_FS"
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-MODULE_FILE="udf"
+
 KERNEL_OPTION="CONFIG_VFAT_FS"
 MODULE_FILE="vfat"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    # TODO check if uefi enabled if yes check if only boot partition use FAT
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
--- a/bin/hardening/1.1.1.8_disable_cramfs.sh
+++ b/bin/hardening/1.1.1.8_disable_cramfs.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.1_var_log_noexec.sh
+++ b/bin/hardening/1.1.11.1_var_log_noexec.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.2_var_log_nosuid.sh
+++ b/bin/hardening/1.1.11.2_var_log_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.3_var_log_nodev.sh
+++ b/bin/hardening/1.1.11.3_var_log_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.11 Create Separate Partition for /var/log (Scored)
+# 1.1.11 Ensure separate partition exists for /var/log (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.12.1_var_log_audit_noexec.sh
+++ b/bin/hardening/1.1.12.1_var_log_audit_noexec.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
+++ b/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12.3_var_log_audit_nodev.sh
+++ b/bin/hardening/1.1.12.3_var_log_audit_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
-# 1.1.12 Create Separate Partition for /var/log/audit (Scored)
+# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.13 Create Separate Partition for /home (Scored)
+# 1.1.13 Ensure separate partition exists for /home (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.14.1_home_nosuid.sh
+++ b/bin/hardening/1.1.14.1_home_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/home partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -24,7 +24,11 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.16 Ensure nosuid Option set on /run/shm Partition (Scored)
+# 1.1.16 Ensure nosuid option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -24,7 +24,11 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.17 Ensure noexec Option set on /run/shm Partition (Scored)
+# 1.1.17 Ensure noexec option set on /run/shm partition (Scored)
 #
 set -e # One error, it's over
@ -24,7 +24,11 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.18 Add nodev Option to Removable Media Partitions (Not Scored)
+# 1.1.18 Ensure nodev option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.19 Ensure nosuid Option set on Removable Media Partitions (Not Scored)
+# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.20 Ensure noexec Option set on Removable Media Partitions (Not Scored)
+# 1.1.20 Ensure noexec option set on removable media partition (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.21 Ensure Sticky Bit set on All World-Writable Directories (Scored)
+# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
 #
 set -e # One error, it's over
@ -17,12 +17,32 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 EXCEPTIONS=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    if [ -n "$EXCEPTIONS" ]; then
        # maybe EXCEPTIONS allow us to filter out some FS
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
        # shellcheck disable=SC2001
@ -35,9 +55,16 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
        # shellcheck disable=SC2086
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        warn "Setting sticky bit on world writable directories"
        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -0,0 +1,78 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.23 Disable USB storage (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_USB_STORAGE"
 MODULE_NAME="usb-storage"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.6.1_var_nodev.sh
+++ b/bin/hardening/1.1.6.1_var_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.6.2_var_nosuid.sh
+++ b/bin/hardening/1.1.6.2_var_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.1.6 Create Separate Partition for /var (Scored)
+# 1.1.6 Ensure separate partition exists for /var (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.3.1_install_sudo.sh
+++ b/bin/hardening/1.3.1_install_sudo.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.1 Ensure sudo is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
 PACKAGE='sudo'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.2_pty_sudo.sh
+++ b/bin/hardening/1.3.2_pty_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.2 Ensure sudo commands use pty (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
 PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        crit "Defaults use_pty not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults use_pty found in sudoers file"
    else
        warn "Defaults use_pty not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        use_pty" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.3.3_logfile_sudo.sh
+++ b/bin/hardening/1.3.3_logfile_sudo.sh
@ -0,0 +1,80 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.3.3 Ensure sudo log file exists (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure sudo log files exists."
 PATTERN="^\s*Defaults\s+logfile=\S+"
 LOGFILE="/var/log/sudo.log"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        crit "Defaults log file not found in sudoers files"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    FOUND=0
    for f in /etc/{sudoers,sudoers.d/*}; do
        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$FOUND" = 1 ]]; then
        ok "Defaults log file found in sudoers file"
    else
        warn "Defaults log file not found in sudoers files, fixing"
        add_line_file_before_pattern /etc/sudoers "Defaults        logfile=\"$LOGFILE\"" "# Host alias specification"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.4.1_install_tripwire.sh
+++ b/bin/hardening/1.4.1_install_tripwire.sh
@ -6,7 +6,7 @@
 #
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 set -e # One error, it's over
@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
 PACKAGE='tripwire'
 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/1.4.2_tripwire_cron.sh
+++ b/bin/hardening/1.4.2_tripwire_cron.sh
@ -6,7 +6,7 @@
 #
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 # Note : in CIS, AIDE has been chosen, however we chose tripwire
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.1 Ensure permissions on bootloader config are configured (Scored)
+# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
 #
 set -e # One error, it's over
@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
 PERMISSIONSOK='400 600'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -33,7 +34,7 @@ audit() {
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -51,7 +52,7 @@ apply() {
        chown "$USER":"$GROUP" "$FILE"
    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -63,25 +64,25 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    does_user_exist "$USER"
    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
-        exit 128
+        exit 2
    fi
    does_group_exist "$GROUP"
    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
-        exit 128
+        exit 2
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.2 Ensure bootloader password is set (Scored)
+# 1.5.2 Ensure bootloader password is set (Scored)
 #
 set -e # One error, it's over
@ -51,19 +51,18 @@ apply() {
    else
        ok "$PWD_PATTERN is present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
+        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.4.3 Ensure authentication required for single user mode (Scored)
+# 1.5.3 Ensure authentication required for single user mode (Scored)
 #
 set -e # One error, it's over
@ -38,7 +38,6 @@ apply() {
    else
        ok "$PATTERN is not present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.2 Ensure XD/NX support is enabled (Not Scored)
+# 1.6.1 Ensure XD/NX support is enabled (Not Scored)
 #
 set -e # One error, it's over
@ -35,6 +35,9 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        ok "Container detected, cannot read dmesg!"
    else
        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
@ -46,10 +49,14 @@ audit() {
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        ok "Container detected, cannot read dmesg!"
    else
        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
@ -61,6 +68,7 @@ apply() {
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -1,106 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.6.2.1 Activate AppArmor (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGE='apparmor'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is absent!"
    else
        ok "$PACKAGE is installed"
    fi
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ "$ERROR" = 0 ]; then
        ok "$PACKAGE is configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
    else
        ok "$PACKAGE is installed"
    fi
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
        $SUDO_CMD update-grub
    else
        ok "$PACKAGE is configured"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.6.2_enable_randomized_vm_placement.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.6.3.1_disable_apport.sh
+++ b/bin/hardening/1.6.3.1_disable_apport.sh
@ -0,0 +1,69 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.6.3.1 Ensure apport is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable apport to avoid confidential data leaks."
 PACKAGE='apport'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
    fi
    :
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
    fi
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.6.3_disable_prelink.sh
+++ b/bin/hardening/1.6.3_disable_prelink.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.4 Ensure prelink is disabled (Scored)
+# 1.6.3 Ensure prelink is disabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.6.4_restrict_core_dumps.sh
+++ b/bin/hardening/1.6.4_restrict_core_dumps.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.5.1 Ensure core dumps are restricted (Scored)
+# 1.6.4 Ensure core dumps are restricted (Scored)
 #
 set -e # One error, it's over
@ -29,7 +29,7 @@ audit() {
    LIMIT_FILES=""
    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
-            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+            LIMIT_FILES="$LIMIT_FILES $file"
        done
    fi
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@ -0,0 +1,70 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.1 Ensure AppArmor is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install AppArmor."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
        else
            ok "$PACKAGE is installed"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -0,0 +1,134 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.2.2 Ensure AppArmor is enabled in the bootloader configuration (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        is_pkg_installed "grub-common"
        if [ "$FNRET" != 0 ]; then
            if [ "$IS_CONTAINER" -eq 1 ]; then
                ok "Grub is not installed in container"
            else
                warn "Grub is not installed"
                exit 128
            fi
        else
            ERROR=0
            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
            # define custom IFS and save default one
            d_IFS=$IFS
            c_IFS=$'\n'
            IFS=$c_IFS
            for line in $RESULT; do
                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
                    crit "$line is not configured"
                    ERROR=1
                fi
            done
            IFS=$d_IFS
            if [ "$ERROR" = 0 ]; then
                ok "$PACKAGES are configured"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE is installed"
        else
            crit "$PACKAGE is absent, installing it"
            apt_install "$PACKAGE"
        fi
    done
    is_pkg_installed "grub-pc"
    if [ "$FNRET" != 0 ]; then
        if [ "$IS_CONTAINER" -eq 1 ]; then
            ok "Grub is not installed in container"
        else
            warn "You should use grub. Install it yourself"
        fi
    else
        ERROR=0
        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
        # define custom IFS and save default one
        d_IFS=$IFS
        c_IFS=$'\n'
        IFS=$c_IFS
        for line in $RESULT; do
            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
                crit "$line is not configured"
                ERROR=1
            fi
        done
        IFS=$d_IFS
        if [ $ERROR = 1 ]; then
            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
            $SUDO_CMD update-grub
        else
            ok "$PACKAGES are configured"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -0,0 +1,91 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce or complain AppArmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
        if [ -n "$RESULT_UNCONFINED" ]; then
            ok "No profiles are unconfined"
        else
            crit "Some processes are unconfined while they have defined profile"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
        aa-complain /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -0,0 +1,105 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce Apparmor profiles."
 PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
        if [ -n "$RESULT_UNCONFINED" ]; then
            ok "No profiles are unconfined"
        else
            crit "Some processes are unconfined while they have defined profile"
        fi
        if [ -n "$RESULT_COMPLAIN" ]; then
            ok "No profiles are in complain mode"
        else
            crit "Some processes are in complain mode"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
    done
    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
    else
        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        warn "Some processes are in complain mode, setting profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.8.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.8.1.1_remove_os_info_motd.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+# 1.8.1.1 Ensure message of the day is configured properly (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.8.1.2_remove_os_info_issue.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
+# 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+# 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.1.4_motd_perms.sh
+++ b/bin/hardening/1.8.1.4_motd_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+# 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.8.1.5_etc_issue_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+# 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.8.1.6_etc_issue_net_perms.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+# 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.8.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.8.2_graphical_warning_banners.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.7.2 Ensure GDM login banner is configured (Scored)
+# 1.8.2 Ensure GDM login banner is configured (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/1.9_install_updates.sh
+++ b/bin/hardening/1.9_install_updates.sh
@ -6,7 +6,7 @@
 #
 #
-# 1.8 Ensure updates, patches and additional security software are installed (Not Scored)
+# 1.9 Ensure updates, patches and additional security software are installed (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -0,0 +1,60 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure systemd-timesyncd."
 SERVICE_NAME="systemd-timesyncd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    status=$(systemctl is-enabled "$SERVICE_NAME")
    if [ "$status" = "enabled" ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -25,18 +25,12 @@ CONF_FILE='/etc/chrony/chrony.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
    else
        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
    fi
    fi
 }
 # This function will be called if the script status is on enabled mode
@ -46,7 +40,11 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        warn "$PACKAGE is not installed, not handling configuration"
        exit 2
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -20,18 +20,13 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed, checking configuration"
    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
@ -44,7 +39,6 @@ audit() {
    else
        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
    fi
    fi
 }
 # This function will be called if the script status is on enabled mode
@ -77,7 +71,11 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        warn "$PACKAGE is not installed, not handling configuration"
        exit 2
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -21,6 +21,11 @@ HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed net-tools
    if [ "$FNRET" != 0 ]; then
        warn "netsat not installed, cannot execute check"
        exit 2
    else
        info "Checking netport ports opened"
        RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
        RESULT=${RESULT:-}
@ -35,10 +40,16 @@ audit() {
                crit "MTA listens worldwide"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed net-tools
    if [ "$FNRET" != 0 ]; then
        warn "netsat not installed, cannot execute check"
        exit 2
    else
        info "Checking netport ports opened"
        RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
        RESULT=${RESULT:-}
@ -53,7 +64,7 @@ apply() {
                warn "MTA listens worldwide, correct this considering your MTA"
            fi
        fi
-    :
+    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/2.2.17_disable_nis.sh
+++ b/bin/hardening/2.2.17_disable_nis.sh
@ -0,0 +1,71 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 2.2.17 Ensure NIS Server is not enabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 PACKAGES='nis'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge "$PACKAGE" -y
            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/3.1.1_disable_ipv6.sh
+++ b/bin/hardening/3.1.1_disable_ipv6.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.7 Disable IPv6 (Not Scored)
+# 3.1.1 Disable IPv6 (Not Scored)
 #
 set -e # One error, it's over
@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        crit "ipv6 is enabled"
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
--- a/bin/hardening/3.1.2_disable_wireless.sh
+++ b/bin/hardening/3.1.2_disable_wireless.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.6 Ensure wireless interfaces are disabled (Not Scored)
+# 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.2.1_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.2.1_disable_send_packet_redirects.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.1.2 Ensure packet redirect sending is disabled (Scored)
+# 3.2.1 Ensure packet redirect sending is disabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.2.2_disable_ip_forwarding.sh
+++ b/bin/hardening/3.2.2_disable_ip_forwarding.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.1.1 Ensure IP forwarding is disabled (Scored)
+# 3.2.2 Ensure IP forwarding is disabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.3.1_disable_source_routed_packets.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.1 Ensure source routed packets are not accepted (Scored)
+# 3.3.1 Ensure source routed packets are not accepted (Scored)
 #
 set -e # One error, it's over
@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        does_sysctl_param_exists "net.ipv6"
+        is_ipv6_enabled
        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
--- a/bin/hardening/3.3.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.3.2_disable_icmp_redirect.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+# 3.3.2 Ensure ICMP redirects are not accepted (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+# 3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.4_log_martian_packets.sh
+++ b/bin/hardening/3.3.4_log_martian_packets.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.4 Ensure suspicious packets are logged (Scored)
+# 3.3.4 Ensure suspicious packets are logged (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.3.5_ignore_broadcast_requests.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+# 3.3.5 Ensure broadcast ICMP requests are ignored (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/3.3.6_enable_bad_error_message_protection.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+# 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.7_enable_source_route_validation.sh
+++ b/bin/hardening/3.3.7_enable_source_route_validation.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+# 3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+# 3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+# 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
 #
 set -e # One error, it's over
@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -38,15 +36,15 @@ audit() {
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    else
        ok "ipv6 disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -62,6 +60,8 @@ apply() {
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    else
        ok "ipv6 disabled"
    fi
 }
--- a/bin/hardening/3.4.1_disable_dccp.sh
+++ b/bin/hardening/3.4.1_disable_dccp.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
 MODULE_NAME="dccp"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
 MODULE_NAME="sctp"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.3_disable_rds.sh
+++ b/bin/hardening/3.4.3_disable_rds.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_RDS"
 MODULE_NAME="rds"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.4_disable_tipc.sh
+++ b/bin/hardening/3.4.4_disable_tipc.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_TIPC"
 MODULE_NAME="tipc"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.5.1.1_enable_firewall.sh
+++ b/bin/hardening/3.5.1.1_enable_firewall.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.5 Ensure Firewall is active (Scored)
+# 3.5.1.1 Ensure Firewall is active (Scored)
 #
 set -e # One error, it's over
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
 # At OVH, we use iptables
 PACKAGE='iptables'
--- a/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
@ -6,7 +6,7 @@
 #
 #
-# 3.5.1.1 Ensure default deny firewall policy (Scored)
+# 3.5.4.1.1 Ensure default deny firewall policy (Scored)
 #
 set -e # One error, it's over
@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
 PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
 FW_CMD="iptables"
 FW_TIMEOUT="10"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,9 +29,9 @@ audit() {
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
-        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
        if [[ -z "$ipt" ]]; then
-            crit "Empty return from $PACKAGE command. Aborting..."
+            crit "Empty return from $FW_CMD command. Aborting..."
            return
        fi
        for chain in $FW_CHAINS; do
--- a/bin/hardening/4.1.1.1_install_auditd.sh
+++ b/bin/hardening/4.1.1.1_install_auditd.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 4.1.1.1 Ensure auditing is installed (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Install auditd."
 PACKAGE="auditd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        warn "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/4.1.1.2_enable_auditd.sh
+++ b/bin/hardening/4.1.1.2_enable_auditd.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.2 Ensure auditd service is enabled (Scored)
+# 4.1.1.2 Ensure auditd service is enabled (Scored)
 #
 set -e # One error, it's over
--- a/bin/hardening/4.1.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.1.3_audit_bootloader.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 set -e # One error, it's over
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -0,0 +1,99 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 FILE='/etc/default/grub'
 OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    else
        ok "$FILE exists, checking configuration"
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in $FILE"
            else
                ok "$PATTERN is present in $FILE"
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist, creating it"
        touch "$FILE"
    else
        ok "$FILE exists"
    fi
    for GRUB_OPTION in $OPTIONS; do
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file "$FILE" "^$GRUB_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
                add_end_of_file "$FILE" "$GRUB_PARAM = $GRUB_VALUE"
            else
                info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
            fi
        else
            ok "$PATTERN is present in $FILE"
        fi
    done
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/4.1.10_record_failed_access_file.sh
+++ b/bin/hardening/4.1.10_record_failed_access_file.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
 #
 set -e # One error, it's over
@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.12 Ensure use of privileged commands is collected (Scored)
+# 4.1.11 Ensure use of privileged commands is collected (Scored)
 #
 set -e # One error, it's over
@ -17,11 +17,12 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."
 # Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+# Find all files with setuid or setgid set
 AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.12_record_successful_mount.sh
+++ b/bin/hardening/4.1.12_record_successful_mount.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.13 Ensure successful file system mounts are collected (Scored)
+# 4.1.12 Ensure successful file system mounts are collected (Scored)
 #
 set -e # One error, it's over
@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.13_record_file_deletions.sh
+++ b/bin/hardening/4.1.13_record_file_deletions.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.14 Ensure file deletion events by users are collected (Scored)
+# 4.1.13 Ensure file deletion events by users are collected (Scored)
 #
 set -e # One error, it's over
@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.14_record_sudoers_edit.sh
+++ b/bin/hardening/4.1.14_record_sudoers_edit.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+# 4.1.14 Ensure changes to system administration scope (sudoers) is collected (Scored)
 #
 set -e # One error, it's over
@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
 AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
 -w /etc/sudoers.d/ -p wa -k sudoers'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.15_record_sudo_usage.sh
+++ b/bin/hardening/4.1.15_record_sudo_usage.sh
@ -6,7 +6,7 @@
 #
 #
-# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+# 4.1.15 Ensure system administrator actions (sudolog) are collected (Scored)
 #
 set -e # One error, it's over
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Collect system administration actions (sudolog)."
 AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,14 +28,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
        SEARCH_RES=0
        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
            else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/Show More
+++ b/Show More