CI: Fix release action (#147)

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

.github/workflows/compile-manual.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Produce debian man
         run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
-      - uses: EndBug/add-and-commit@v6
+      - uses: EndBug/add-and-commit@v8.0.2
         with:
           add: 'debian/cis-hardening.8'
           message: 'Regenerate man pages (Github action)'

.github/workflows/functionnal-tests.yml

@@ -8,13 +8,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the tests debian9
         run: ./tests/docker_build_and_run_tests.sh debian9
   functionnal-tests-docker-debian10:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the tests debian10
         run: ./tests/docker_build_and_run_tests.sh debian10
+  functionnal-tests-docker-debian11:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Run the tests debian11
+        run: ./tests/docker_build_and_run_tests.sh debian11

.github/workflows/pre-release.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       # BUILD THE .DEB PACKAGE
       - name: Build
         run: |
@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.2
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
         with:
           delete_release: true
           tag_name: latest
@@ -29,12 +29,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # GET LATEST VERSION TAG
       - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.5.0
         id: get-latest-tag
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v0.4.4
+        uses: metcalfc/changelog-generator@v3.0.0
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -4,19 +4,26 @@ on:
   - push
   - pull_request
 jobs:
-  sh-checker:
+  shellfmt:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.1.10
+        uses: luizm/action-sh-checker@v0.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
-          SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
         with:
+          sh_checker_shellcheck_disable: true
           sh_checker_comment: true
           sh_checker_exclude: |
                               src/
                               debian/postrm
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Run shellcheck
+        run: ./shellcheck/docker_build_and_run_shellcheck.sh

.github/workflows/tagged-release.yml

@@ -7,8 +7,6 @@ on:
 jobs:
   build:
     name: Create Release
-    # only runs on master
-    if: github.event.base_ref == 'refs/heads/master'
     runs-on: ubuntu-latest
     steps:
       # GET VERSION TAG
@@ -17,7 +15,7 @@ jobs:
         run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           ref: ${{ steps.vars.outputs.tag }}
       # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@@ -35,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.2
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
         with:
           delete_release: true
           tag_name: latest

MANUAL.md

@@ -115,11 +115,20 @@ will create a timestamped backup in this directory.
     the -n option instructs sudo not to prompt for a password.
     Finally note that `--sudo` mode only works for audit mode.
 
+`--set-log-level=level`
+:   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+    Default value is : info
+
 `--batch`
 :   While performing system audit, this option sets LOGLEVEL to 'ok' and
     captures all output to print only one line once the check is done, formatted like :
     OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
+`--allow-unsupported-distribution`
+    Must be specified manually in the command line to allow the run on non compatible
+    version or distribution. If you want to mute the warning change the LOGLEVEL
+    in /etc/hardening.cfg
+
 
 # AUTHORS
 

README.md

@@ -1,7 +1,7 @@
 # :lock: CIS Debian 9/10 Hardening
 
-:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
-report issues if you find any !
+:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
+report issues if you find any!
 
 
 <p align="center">
@@ -44,7 +44,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
 hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
 1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
 1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
@@ -117,9 +117,16 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
 Can be specified multiple times to allow multiple services.
 Use --allow-service-list to get a list of supported services.
 
+``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+Default value is : info
+
 ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
 before running the audit with user secaudit, to have the rights setup well on the conf files.
 
+``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
+the run on non compatible version or distribution. If you want to mute the warning change the
+LOGLEVEL in /etc/hardening.cfg
+
 ## :computer: Hacking
 
 **Getting the source**

bin/hardening.sh

@@ -26,6 +26,9 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+SUMMARY_JSON=''
+ASK_LOGLEVEL=''
+ALLOW_UNSUPPORTED_DISTRIBUTION=0
 
 usage() {
     cat <<EOF
@@ -78,7 +81,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
-    
+
     --create-config-files-only
         Create the config files in etc/conf.d
         Must be run as root, before running the audit with user secaudit
@@ -98,11 +101,24 @@ OPTIONS:
         the '-n' option instructs sudo not to prompt for a password.
         Finally note that '--sudo' mode only works for audit mode.
 
+    --set-log-level <level>
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
+        Default value is : info
+
+    --summary-json
+        While performing system audit, this option sets LOGLEVEL to silent and
+        only output a json summary at the end
+
     --batch
         While performing system audit, this option sets LOGLEVEL to 'ok' and
         captures all output to print only one line once the check is done, formatted like :
         OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
+    --allow-unsupported-distribution
+        Must be specified manually in the command line to allow the run on non compatible
+        version or distribution. If you want to mute the warning change the LOGLEVEL
+        in /etc/hardening.cfg
+
 EOF
     exit 0
 }
@@ -143,6 +159,10 @@ while [[ $# -gt 0 ]]; do
         SET_HARDENING_LEVEL="$2"
         shift
         ;;
+    --set-log-level)
+        ASK_LOGLEVEL=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -150,9 +170,16 @@ while [[ $# -gt 0 ]]; do
     --sudo)
         SUDO_MODE='--sudo'
         ;;
+    --summary-json)
+        SUMMARY_JSON='--summary-json'
+        ASK_LOGLEVEL=silent
+        ;;
     --batch)
         BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
+        ;;
+    --allow-unsupported-distribution)
+        ALLOW_UNSUPPORTED_DISTRIBUTION=1
         ;;
     -h | --help)
         usage
@@ -179,16 +206,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
-# shellcheck source=../lib/constants.sh
-[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
+# shellcheck source=../lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 
-if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
+# print warning, otherwise quit
+
+if [ "$DISTRIBUTION" != "debian" ]; then
+    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+        echo "Exiting now"
+        exit 100
+    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+    fi
+else
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    fi
+fi
 
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@@ -244,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
     info "Treating $SCRIPT"
     if [ "$CREATE_CONFIG" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
     elif [ "$AUDIT" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$APPLY" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
     fi
 
     SCRIPT_EXITCODE=$?
@@ -294,12 +358,24 @@ if [ "$BATCH_MODE" ]; then
     BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
     BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
     if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
     else
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
     fi
     becho "$BATCH_SUMMARY"
+elif [ "$SUMMARY_JSON" ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    else
+        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
+    fi
+    printf '{'
+    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
+    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
+    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
+    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
+    printf '}\n'
 else
     printf "%40s\n" "################### SUMMARY ###################"
     printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
@@ -307,8 +383,8 @@ else
     printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
     printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
 
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
-    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
     printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
     if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
         printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
+MODULE_NAME="hfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
+MODULE_NAME="hfsplus"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -17,31 +17,37 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_SQUASHFS"
-MODULE_FILE="squashfs"
+MODULE_NAME="squashfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.6_disable_udf.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_UDF_FS"
-MODULE_FILE="udf"
+MODULE_NAME="udf"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -24,6 +24,7 @@ MODULE_FILE="vfat"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # TODO check if uefi enabled if yes check if only boot partition use FAT
     is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
     if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -24,7 +24,11 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
     FNRET=0
     is_a_partition "$PARTITION"
     if [ "$FNRET" -gt 0 ]; then

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -24,7 +24,11 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
     FNRET=0
     is_a_partition "$PARTITION"
     if [ "$FNRET" -gt 0 ]; then

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -24,7 +24,11 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
     FNRET=0
     is_a_partition "$PARTITION"
     if [ "$FNRET" -gt 0 ]; then

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -17,12 +17,20 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
+EXCEPTIONS=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         # shellcheck disable=SC2001
@@ -35,9 +43,16 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        warn "Setting sticky bit on world writable directories"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
     else
         ok "All world writable directories have a sticky bit, nothing to apply"
     fi

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 
 KERNEL_OPTION="CONFIG_USB_STORAGE"
-MODULE_FILE="usb-storage"
+MODULE_NAME="usb-storage"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -33,7 +34,7 @@ audit() {
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -51,7 +52,7 @@ apply() {
         chown "$USER":"$GROUP" "$FILE"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -63,25 +64,25 @@ apply() {
 # This function will check config parameters required
 check_config() {
 
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
         warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
     fi
     does_user_exist "$USER"
     if [ "$FNRET" != 0 ]; then
         crit "$USER does not exist"
-        exit 128
+        exit 2
     fi
     does_group_exist "$GROUP"
     if [ "$FNRET" != 0 ]; then
         crit "$GROUP does not exist"
-        exit 128
+        exit 2
     fi
     does_file_exist "$FILE"
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
-        exit 128
+        exit 2
     fi
 }
 

bin/hardening/1.5.2_bootloader_password.sh

@@ -51,19 +51,18 @@ apply() {
     else
         ok "$PWD_PATTERN is present in $FILE"
     fi
-    :
 }
 
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
+        warn "Grub is not installed, not handling configuration"
+        exit 2
     fi
     if [ "$FNRET" != 0 ]; then
         crit "$FILE does not exist"
-        exit 128
+        exit 2
     fi
 }
 

bin/hardening/1.5.3_root_password.sh

@@ -38,7 +38,6 @@ apply() {
     else
         ok "$PATTERN is not present in $FILE"
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.6.1_enable_nx_support.sh

@@ -35,31 +35,39 @@ nx_supported_and_enabled() {
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ "$FNRET" != 0 ]; then
-        nx_supported_and_enabled
-        if [ "$FNRET" != 0 ]; then
-            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
-        else
-            ok "NX is supported and enabled"
-        fi
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
     else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ "$FNRET" != 0 ]; then
-        nx_supported_and_enabled
-        if [ "$FNRET" != 0 ]; then
-            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
-        else
-            ok "NX is supported and enabled"
-        fi
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
     else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
     fi
 }
 

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -29,7 +29,7 @@ audit() {
     LIMIT_FILES=""
     if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
         for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
-            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+            LIMIT_FILES="$LIMIT_FILES $file"
         done
     fi
     debug "Files to search $LIMIT_FILE $LIMIT_FILES"

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
     for PACKAGE in $PACKAGES; do
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" != 0 ]; then
             crit "$PACKAGE is absent!"
+            ERROR=1
         else
             ok "$PACKAGE is installed"
         fi
     done
 
-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
-        fi
-    done
-    IFS=$d_IFS
     if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGES are configured"
+        is_pkg_installed "grub-common"
+        if [ "$FNRET" != 0 ]; then
+            if [ "$IS_CONTAINER" -eq 1 ]; then
+                ok "Grub is not installed in container"
+            else
+                warn "Grub is not installed"
+                exit 128
+            fi
+        else
+            ERROR=0
+            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
 
+            # define custom IFS and save default one
+            d_IFS=$IFS
+            c_IFS=$'\n'
+            IFS=$c_IFS
+            for line in $RESULT; do
+                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
+                    crit "$line is not configured"
+                    ERROR=1
+                fi
+            done
+            IFS=$d_IFS
+            if [ "$ERROR" = 0 ]; then
+                ok "$PACKAGES are configured"
+
+            fi
+        fi
     fi
 }
 
@@ -62,26 +76,35 @@ apply() {
         fi
     done
 
-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
+    is_pkg_installed "grub-pc"
+    if [ "$FNRET" != 0 ]; then
+        if [ "$IS_CONTAINER" -eq 1 ]; then
+            ok "Grub is not installed in container"
+        else
+            warn "You should use grub. Install it yourself"
         fi
-    done
-    IFS=$d_IFS
-
-    if [ $ERROR = 1 ]; then
-        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
-        $SUDO_CMD update-grub
     else
-        ok "$PACKAGES are configured"
+        ERROR=0
+        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+        # define custom IFS and save default one
+        d_IFS=$IFS
+        c_IFS=$'\n'
+        IFS=$c_IFS
+        for line in $RESULT; do
+            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+                crit "$line is not configured"
+                ERROR=1
+            fi
+        done
+        IFS=$d_IFS
+
+        if [ $ERROR = 1 ]; then
+            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
+            $SUDO_CMD update-grub
+        else
+            ok "$PACKAGES are configured"
+        fi
     fi
 }
 

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
     for PACKAGE in $PACKAGES; do
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" != 0 ]; then
             crit "$PACKAGE is absent!"
+            ERROR=1
         else
             ok "$PACKAGE is installed"
         fi
     done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
 
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
 
-    if [ -n "$RESULT_UNCONFINED" ]; then
-        ok "No profiles are unconfined"
-
-    else
-        crit "Some processes are unconfined while they have defined profile"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi
     fi
 }
 
@@ -46,6 +49,7 @@ apply() {
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" != 0 ]; then
             crit "$PACKAGES is absent!"
+            apt_install "$PACKAGE"
         else
             ok "$PACKAGE is installed"
         fi

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
     for PACKAGE in $PACKAGES; do
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" != 0 ]; then
             crit "$PACKAGE is absent!"
+            ERROR=1
         else
             ok "$PACKAGE is installed"
         fi
     done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
 
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi
 
-    if [ -n "$RESULT_UNCONFINED" ]; then
-        ok "No profiles are unconfined"
-    else
-        crit "Some processes are unconfined while they have defined profile"
-    fi
-
-    if [ -n "$RESULT_COMPLAIN" ]; then
-        ok "No profiles are in complain mode"
-    else
-        crit "Some processes are in complain mode"
+        if [ -n "$RESULT_COMPLAIN" ]; then
+            ok "No profiles are in complain mode"
+        else
+            crit "Some processes are in complain mode"
+        fi
     fi
 }
 
@@ -52,13 +55,14 @@ apply() {
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" != 0 ]; then
             crit "$PACKAGE is absent!"
+            apt_install "$PACKAGE"
         else
             ok "$PACKAGE is installed"
         fi
     done
 
-    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
 
     if [ -n "$RESULT_UNCONFINED" ]; then
         ok "No profiles are unconfined"

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
         ok "$SERVICE_NAME is enabled"
     else
         crit "$SERVICE_NAME is disabled"

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
-        else
-            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
-        fi
+        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
     fi
 }
 
@@ -46,7 +40,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/2.2.1.4_configure_ntp.sh

@@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
-        else
-            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
-        fi
-        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-        else
-            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
-        fi
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
     fi
 }
 
@@ -77,7 +71,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/2.2.15_mta_localhost.sh

@@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking netport ports opened"
-    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
+    is_pkg_installed net-tools
+    if [ "$FNRET" != 0 ]; then
+        warn "netsat not installed, cannot execute check"
+        exit 2
     else
-        info "Checking $RESULT"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
-            ok "MTA is configured to localhost only"
+        info "Checking netport ports opened"
+        RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
+        RESULT=${RESULT:-}
+        debug "Result is $RESULT"
+        if [ -z "$RESULT" ]; then
+            ok "Nothing listens on 25 port, probably unix socket configured"
         else
-            crit "MTA listens worldwide"
+            info "Checking $RESULT"
+            if grep -q "127.0.0.1" <<<"$RESULT"; then
+                ok "MTA is configured to localhost only"
+            else
+                crit "MTA listens worldwide"
+            fi
         fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
+    is_pkg_installed net-tools
+    if [ "$FNRET" != 0 ]; then
+        warn "netsat not installed, cannot execute check"
+        exit 2
     else
-        info "Checking $RESULT"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
-            ok "MTA is configured to localhost only"
+        info "Checking netport ports opened"
+        RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+        RESULT=${RESULT:-}
+        debug "Result is $RESULT"
+        if [ -z "$RESULT" ]; then
+            ok "Nothing listens on 25 port, probably unix socket configured"
         else
-            warn "MTA listens worldwide, correct this considering your MTA"
+            info "Checking $RESULT"
+            if grep -q "127.0.0.1" <<<"$RESULT"; then
+                ok "MTA is configured to localhost only"
+            else
+                warn "MTA listens worldwide, correct this considering your MTA"
+            fi
         fi
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/2.2.17_disable_nis.sh

@@ -17,14 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 
+PACKAGES='nis'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
 }
 
 # This function will check config parameters required

bin/hardening/3.1.1_disable_ipv6.sh

@@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
-            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ "$FNRET" != 0 ]; then
-                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ "$FNRET" = 255 ]; then
-                warn "$SYSCTL_PARAM does not exist -- Typo?"
-            else
-                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-            fi
-        done
+        crit "ipv6 is enabled"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else

bin/hardening/3.3.1_disable_source_routed_packets.sh

@@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        does_sysctl_param_exists "net.ipv6"
+        is_ipv6_enabled
         if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)

bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

@@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
-    if [ "$FNRET" != 0 ]; then
-        ok "ipv6 is disabled"
-    else
+    is_ipv6_enabled
+    if [ "$FNRET" = 0 ]; then
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -38,15 +36,15 @@ audit() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
-    if [ "$FNRET" != 0 ]; then
-        ok "ipv6 is disabled"
-    else
+    is_ipv6_enabled
+    if [ "$FNRET" = 0 ]; then
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -62,6 +60,8 @@ apply() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 

bin/hardening/3.4.1_disable_dccp.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
+MODULE_NAME="dccp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.2_disable_sctp.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
+MODULE_NAME="sctp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.3_disable_rds.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_RDS"
+MODULE_NAME="rds"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.4_disable_tipc.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_TIPC"
+MODULE_NAME="tipc"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh

@@ -20,6 +20,7 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
 PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
+FW_CMD="iptables"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -27,9 +28,9 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
-        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -nL 2>/dev/null || true)
         if [[ -z "$ipt" ]]; then
-            crit "Empty return from $PACKAGE command. Aborting..."
+            crit "Empty return from $FW_CMD command. Aborting..."
             return
         fi
         for chain in $FW_CHAINS; do

bin/hardening/4.1.1.3_audit_bootloader.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."
 
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -30,7 +30,7 @@ audit() {
         for GRUB_OPTION in $OPTIONS; do
             GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
             GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
             debug "$GRUB_PARAM should be set to $GRUB_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
@@ -55,7 +55,7 @@ apply() {
         GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
         GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
         debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"

bin/hardening/4.1.1.4_audit_backlog_limit.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -30,7 +30,7 @@ audit() {
         for GRUB_OPTION in $OPTIONS; do
             GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
             GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
             debug "$GRUB_PARAM should be set to $GRUB_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
@@ -55,7 +55,7 @@ apply() {
         GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
         GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
         debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
         if [ "$FNRET" != 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"

bin/hardening/4.1.11_record_privileged_commands.sh

@@ -17,9 +17,9 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."
 
-# Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+# Find all files with setuid or setgid set
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
     awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'
 

bin/hardening/4.2.1.2_enable_syslog-ng.sh

@@ -17,29 +17,40 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure syslog-ng service is activated."
 
+PACKAGE='syslog-ng'
 SERVICE_NAME="syslog-ng"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
-        ok "$SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
     else
-        crit "$SERVICE_NAME is disabled"
+        info "Checking if $SERVICE_NAME is enabled"
+        is_service_enabled "$SERVICE_NAME"
+        if [ "$FNRET" = 0 ]; then
+            ok "$SERVICE_NAME is enabled"
+        else
+            crit "$SERVICE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
+    is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        info "Enabling $SERVICE_NAME"
-        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
-        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
+        crit "$PACKAGE is not installed!"
     else
-        ok "$SERVICE_NAME is enabled"
+        info "Checking if $SERVICE_NAME is enabled"
+        is_service_enabled "$SERVICE_NAME"
+        if [ "$FNRET" != 0 ]; then
+            info "Enabling $SERVICE_NAME"
+            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
+            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
+        else
+            ok "$SERVICE_NAME is enabled"
+        fi
     fi
 }
 

bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh

@@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 
 # Note: this is not exacly the same check as the one described in CIS PDF
 
+PACKAGE='syslog-ng'
 PERMISSIONS=''
 USER=''
 GROUP=''
@@ -26,14 +27,71 @@ EXCEPTIONS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            warn "$FILE does not exist"
-        else
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+        for FILE in $FILES; do
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
+                warn "$FILE does not exist"
+            else
+                FOUND_EXC=0
+                if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+                    debug "$FILE is found in exceptions"
+                    debug "Setting special user:group:perm"
+                    FOUND_EXC=1
+                    local user_bak="$USER"
+                    local group_bak="$GROUP"
+                    local perm_bak="$PERMISSIONS"
+                    USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                    GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                    PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+                fi
+                has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+                if [ "$FNRET" = 0 ]; then
+                    ok "$FILE has correct ownership ($USER:$GROUP)"
+                else
+                    crit "$FILE ownership was not set to $USER:$GROUP"
+                fi
+                has_file_correct_permissions "$FILE" "$PERMISSIONS"
+                if [ "$FNRET" = 0 ]; then
+                    ok "$FILE has correct permissions ($PERMISSIONS)"
+                else
+                    crit "$FILE permissions were not set to $PERMISSIONS"
+                fi
+                if [ "$FOUND_EXC" = 1 ]; then
+                    debug "Resetting user:group:perm"
+                    USER="$user_bak"
+                    GROUP="$group_bak"
+                    PERMISSIONS="$perm_bak"
+                fi
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        for FILE in $FILES; do
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
+                info "$FILE does not exist"
+                filedir=$(dirname "${FILE#/var/log/}")
+                if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                    debug "Creating /var/log/$filedir for $FILE"
+                    debug "mkdir -p /var/log/$filedir"
+                    mkdir -p /var/log/"$filedir"
+                fi
+                touch "$FILE"
+            fi
             FOUND_EXC=0
-            if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+            if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                 debug "$FILE is found in exceptions"
                 debug "Setting special user:group:perm"
                 FOUND_EXC=1
@@ -46,15 +104,17 @@ audit() {
             fi
             has_file_correct_ownership "$FILE" "$USER" "$GROUP"
             if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct ownership ($USER:$GROUP)"
+                ok "$FILE has correct ownership"
             else
-                crit "$FILE ownership was not set to $USER:$GROUP"
+                warn "fixing $FILE ownership to $USER:$GROUP"
+                chown "$USER":"$GROUP" "$FILE"
             fi
             has_file_correct_permissions "$FILE" "$PERMISSIONS"
             if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct permissions ($PERMISSIONS)"
+                ok "$FILE has correct permissions"
             else
-                crit "$FILE permissions were not set to $PERMISSIONS"
+                info "fixing $FILE permissions to $PERMISSIONS"
+                chmod 0"$PERMISSIONS" "$FILE"
             fi
             if [ "$FOUND_EXC" = 1 ]; then
                 debug "Resetting user:group:perm"
@@ -62,57 +122,8 @@ audit() {
                 GROUP="$group_bak"
                 PERMISSIONS="$perm_bak"
             fi
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            info "$FILE does not exist"
-            filedir=$(dirname "${FILE#/var/log/}")
-            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
-                debug "Creating /var/log/$filedir for $FILE"
-                debug "mkdir -p /var/log/$filedir"
-                mkdir -p /var/log/"$filedir"
-            fi
-            touch "$FILE"
-        fi
-        FOUND_EXC=0
-        if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
-            debug "$FILE is found in exceptions"
-            debug "Setting special user:group:perm"
-            FOUND_EXC=1
-            local user_bak="$USER"
-            local group_bak="$GROUP"
-            local perm_bak="$PERMISSIONS"
-            USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
-            GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
-            PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
-        fi
-        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown "$USER":"$GROUP" "$FILE"
-        fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0"$PERMISSIONS" "$FILE"
-        fi
-        if [ "$FOUND_EXC" = 1 ]; then
-            debug "Resetting user:group:perm"
-            USER="$user_bak"
-            GROUP="$group_bak"
-            PERMISSIONS="$perm_bak"
-        fi
-    done
+        done
+    fi
 }
 
 # This function will create the config file for this check with default values

bin/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -17,40 +17,52 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
 
+PACKAGE='syslog-ng'
+
 PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [ "$FOUND" = 1 ]; then
-        ok "$PATTERN is present in $FILES"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
     else
-        crit "$PATTERN is not present in $FILES"
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
+
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-    if [ "$FOUND" = 1 ]; then
-        ok "$PATTERN is present in $FILES"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
     else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        fi
     fi
 }
 

bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -17,64 +17,74 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
 
+PACKAGE='syslog-ng'
+
 REMOTE_HOST=""
 PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [[ "$REMOTE_HOST" ]]; then
-        info "This is the remote host, checking that it only accepts logs from specified zone"
-        if [ "$FOUND" = 1 ]; then
-            ok "$PATTERN is present in $FILES"
-        else
-            crit "$PATTERN is not present in $FILES"
-        fi
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
     else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
-        if [ "$FOUND" = 1 ]; then
-            crit "$PATTERN is present in $FILES"
-        else
-            ok "$PATTERN is not present in $FILES"
-        fi
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
 
+        if [[ "$REMOTE_HOST" ]]; then
+            info "This is the remote host, checking that it only accepts logs from specified zone"
+            if [ "$FOUND" = 1 ]; then
+                ok "$PATTERN is present in $FILES"
+            else
+                crit "$PATTERN is not present in $FILES"
+            fi
+        else
+            info "This is the not the remote host checking that it doesn't accept remote logs"
+            if [ "$FOUND" = 1 ]; then
+                crit "$PATTERN is present in $FILES"
+            else
+                ok "$PATTERN is not present in $FILES"
+            fi
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [[ "$REMOTE_HOST" ]]; then
-        info "This is the remote host, checking that it only accepts logs from specified zone"
-        if [ "$FOUND" = 1 ]; then
-            ok "$PATTERN is present in $FILES"
-        else
-            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
-        fi
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
     else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
-        if [ "$FOUND" = 1 ]; then
-            warn "$PATTERN is present in $FILES, "
-        else
-            ok "$PATTERN is not present in $FILES"
-        fi
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
 
+        if [[ "$REMOTE_HOST" ]]; then
+            info "This is the remote host, checking that it only accepts logs from specified zone"
+            if [ "$FOUND" = 1 ]; then
+                ok "$PATTERN is present in $FILES"
+            else
+                crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
+            fi
+        else
+            info "This is the not the remote host checking that it doesn't accept remote logs"
+            if [ "$FOUND" = 1 ]; then
+                warn "$PATTERN is present in $FILES, "
+            else
+                ok "$PATTERN is not present in $FILES"
+            fi
+        fi
     fi
 }
 

bin/hardening/4.2.2.1_journald_logs.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='ForwardToSyslog=yes'
+OPTIONS='ForwardToSyslog=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
             debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
             else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
             fi
         done
     fi
@@ -57,18 +57,18 @@ apply() {
         debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
         PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            warn "$PATTERN is not present in $FILE, adding it"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PATTERN is present in $FILE, deleting it"
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
             fi
         else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
         fi
     done
 }

bin/hardening/4.2.2.2_journald_compress.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='Compress=yes'
+OPTIONS='Compress=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
             debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
             else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
             fi
         done
     fi
@@ -57,18 +57,18 @@ apply() {
         debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
         PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
             fi
         else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
         fi
     done
 }

bin/hardening/4.2.2.3_journald_write_persistent.sh

@@ -62,7 +62,7 @@ apply() {
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
                 replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"

bin/hardening/5.1.2_crontab_perm_ownership.sh

@@ -24,17 +24,22 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
@@ -44,20 +49,21 @@ apply() {
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.1.3_cron_hourly_perm_ownership.sh

@@ -24,17 +24,22 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
@@ -44,20 +49,21 @@ apply() {
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.1.4_cron_daily_perm_ownership.sh

@@ -24,17 +24,22 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
@@ -44,20 +49,21 @@ apply() {
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.1.5_cron_weekly_perm_ownership.sh

@@ -24,17 +24,22 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
@@ -44,20 +49,21 @@ apply() {
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.1.6_cron_monthly_perm_ownership.sh

@@ -24,17 +24,22 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
@@ -44,20 +49,21 @@ apply() {
     if [ "$FNRET" != 0 ]; then
         info "$FILE does not exist"
         touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.1.8_cron_users.sh

@@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
 FILES_ABSENT='/etc/cron.deny /etc/at.deny'
 FILES_PRESENT='/etc/cron.allow /etc/at.allow'
 PERMISSIONS='644'
+PERMISSIONSOK='644 640 600 440 400'
 USER='root'
 GROUP='root'
 
@@ -36,7 +37,7 @@ audit() {
     for FILE in $FILES_PRESENT; do
         does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            crit "$FILE is absent"
+            crit "$FILE is absent, should exist"
         else
             has_file_correct_ownership "$FILE" "$USER" "$GROUP"
             if [ "$FNRET" = 0 ]; then
@@ -44,7 +45,7 @@ audit() {
             else
                 crit "$FILE ownership was not set to $USER:$GROUP"
             fi
-            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
             if [ "$FNRET" = 0 ]; then
                 ok "$FILE has correct permissions"
             else
@@ -68,7 +69,7 @@ apply() {
     for FILE in $FILES_PRESENT; do
         does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            warn "$FILE is absent"
+            warn "$FILE is absent, fixing (touch)"
             touch "$FILE"
         fi
         has_file_correct_ownership "$FILE" "$USER" "$GROUP"
@@ -78,7 +79,7 @@ apply() {
             warn "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else

bin/hardening/5.2.10_disable_root_login.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
+            does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.14_ssh_cry_mac.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -78,7 +78,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your MACs
-OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
+OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 EOF
 }
 

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -73,15 +73,12 @@ apply() {
 }
 
 create_config() {
-    get_debian_major_version
     set +u
     debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
+    if [[ 7 -le "$DEB_MAJ_VER" ]]; then
         KEX='diffie-hellman-group-exchange-sha256'
-    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
-        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     else
-        KEX='diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     fi
     set -u
     cat <<EOF
@@ -89,6 +86,7 @@ status=audit
 # Put your KexAlgorithms
 OPTIONS="KexAlgorithms=$KEX"
 EOF
+
 }
 
 # This function will check config parameters required

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.18_sshd_limit_access.sh

@@ -25,7 +25,7 @@ audit() {
     OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -34,7 +34,7 @@ audit() {
             # shellcheck disable=SC2001
             SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -59,12 +59,12 @@ apply() {
         # shellcheck disable=SC2001
         SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.19_ssh_banner.sh

@@ -25,7 +25,7 @@ audit() {
     OPTIONS="Banner=$BANNER_FILE"
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.1_sshd_conf_perm_ownership.sh

@@ -17,6 +17,7 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
 
+PACKAGE='openssh-server'
 FILE='/etc/ssh/sshd_config'
 PERMISSIONS='600'
 USER='root'
@@ -24,40 +25,50 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed!"
     else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist "$FILE"
+    is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+        ok "$PACKAGE is not installed"
     else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            info "$FILE does not exist"
+            touch "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
     fi
 }
 

bin/hardening/5.2.20_enable_ssh_pam.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.22_configure_ssh_max_startups.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -25,18 +25,28 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -55,17 +65,22 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.4_sshd_protocol.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.5_sshd_loglevel.sh

@@ -26,7 +26,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -61,7 +61,7 @@ apply() {
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -25,18 +25,28 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -55,17 +65,22 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            warn "$PATTERN is not present in $FILE"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -25,14 +25,14 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -18,8 +18,8 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 
 PACKAGE='libpam-modules-bin'
-PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
-PATTERN_ACCOUNT='pam_tally[2]?\.so'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so'
+PATTERN_ACCOUNT='pam_((tally[2]?)|(faillock))\.so'
 FILE_AUTH='/etc/pam.d/common-auth'
 FILE_ACCOUNT='/etc/pam.d/common-account'
 
@@ -59,14 +59,22 @@ apply() {
         ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
         warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        fi
     fi
     does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
     else
         warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally.so" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
+        fi
 
     fi
 }

bin/hardening/5.4.5_default_timeout.sh

@@ -31,7 +31,7 @@ audit() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
                     debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                 else
@@ -41,7 +41,7 @@ audit() {
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
@@ -64,7 +64,7 @@ apply() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
                     debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                 else
@@ -74,7 +74,7 @@ apply() {
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
@@ -87,8 +87,7 @@ apply() {
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
         touch "$FILE"
         chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
-        add_end_of_file "$FILE" "readonly TMOUT"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
         add_end_of_file "$FILE" "export TMOUT"
     else
         ok "$PATTERN is present in $FILES_TO_SEARCH"

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -17,12 +17,21 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"
 
+EXCLUDED=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable files are present"
         # shellcheck disable=SC2001
@@ -35,10 +44,16 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         warn "chmoding o-w all files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
     else
         ok "No world writable files found, nothing to apply"
     fi

bin/hardening/6.1.11_find_unowned_files.sh

@@ -26,10 +26,10 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         crit "Some unowned files are present"
@@ -44,13 +44,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         warn "Applying chown on all unowned files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
     else
         ok "No unowned files found, nothing to apply"
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -26,10 +26,10 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         crit "Some ungrouped files are present"
@@ -44,13 +44,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
     else
         ok "No ungrouped files found, nothing to apply"
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -24,9 +24,9 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
     fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do

bin/hardening/6.1.14_find_sgid_files.sh

@@ -24,9 +24,9 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
     fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do

bin/hardening/6.1.3_etc_gshadow-_permissions.sh

@@ -25,35 +25,45 @@ GROUPSOK='root shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUPSOK"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUPSOK"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
     fi
 }
 

bin/hardening/6.1.6_etc_passwd-_permissions.sh

@@ -24,35 +24,45 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
     fi
 }
 

bin/hardening/6.1.7_etc_shadow-_permissions.sh

@@ -24,35 +24,45 @@ GROUP='shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
     fi
 }
 

bin/hardening/6.1.8_etc_group-_permissions.sh

@@ -24,35 +24,45 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
     else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
     fi
 }
 

bin/hardening/99.1.1.23_disable_usb_devices.sh

@@ -13,6 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 USER='root'
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="USB devices are disabled."
 

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -12,6 +12,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
 

bin/hardening/99.3.3.4_hosts_allow_permissions.sh

@@ -24,22 +24,36 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        ok "$FILE exist"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist"
+        touch "$FILE"
+        warn "You may want to fill it with allowed networks"
+    else
+        ok "$FILE exist"
+    fi
     has_file_correct_permissions "$FILE" "$PERMISSIONS"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"

bin/hardening/99.3.3.5_hosts_deny_permissions.sh

@@ -24,22 +24,36 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
     else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        ok "$FILE exist"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist"
+        touch "$FILE"
+        warn "You may want to fill it with allowed networks"
+    else
+        ok "$FILE exist"
+    fi
     has_file_correct_permissions "$FILE" "$PERMISSIONS"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"

bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh

@@ -25,7 +25,7 @@ OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthen
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.2_ssh_cry_rekey.sh

@@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    get_debian_major_version
     set +u
     debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]]; then
         set -u
         crit "Cannot get Debian version. Aborting..."
         return
     fi
-    if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
         set -u
         warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
         return
@@ -40,7 +39,7 @@ audit() {
     set -u
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.3_ssh_disable_features.sh

@@ -13,6 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check all special features in sshd_config are disabled"
 
@@ -24,7 +25,7 @@ OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwardin
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -12,6 +12,8 @@
 set -e # One error, it is over
 set -u # One variable unset, it is over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available."
 

bin/hardening/99.5.2.5_ssh_strict_modes.sh

@@ -13,7 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable)  before connecting."
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting."
 
 PACKAGE='openssh-server'
 OPTIONS='StrictModes=yes'
@@ -23,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.6_ssh_sys_accept_env.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"

bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh

@@ -12,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed"
+
 # shellcheck disable=2034
 SERVICES="rlogin rlogind rcp"