Update changelog

Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/compile-manual.yml

@@ -0,0 +1,17 @@
+---
+name: Compile debian man
+on:
+  - push
+jobs:
+  compile-debian-man:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Produce debian man
+        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
+      - uses: EndBug/add-and-commit@v7
+        with:
+          add: 'debian/cis-hardening.8'
+          message: 'Regenerate man pages (Github action)'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/functionnal-tests.yml

@@ -0,0 +1,27 @@
+---
+name: Run functionnal tests
+on:
+  - pull_request
+  - push
+jobs:
+  functionnal-tests-docker-debian9:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian9
+        run: ./tests/docker_build_and_run_tests.sh debian9
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10
+  functionnal-tests-docker-debian11:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the tests debian11
+        run: ./tests/docker_build_and_run_tests.sh debian11

.github/workflows/pre-release.yml

@@ -0,0 +1,64 @@
+---
+name: Create Pre-Release
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: Create Pre-Release
+    runs-on: ubuntu-latest
+    steps:
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # GET LATEST VERSION TAG
+      - name: Get latest version tag
+        uses: actions-ecosystem/action-get-latest-tag@v1
+        id: get-latest-tag
+      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
+      - name: Generate changelog
+        id: changelog
+        uses: metcalfc/changelog-generator@v0.4.4
+        with:
+          myToken: ${{ secrets.GITHUB_TOKEN }}
+          head-ref: ${{ github.sha }}
+          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
+      # CREATE RELEASE NAMED LATEST
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: latest
+          release_name: Pre-release
+          body: ${{ steps.changelog.outputs.changelog }}
+          draft: false
+          prerelease: true
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening.deb
+          asset_content_type: application/vnd.debian.binary-package

.github/workflows/shellcheck_and_shellfmt.yml

@@ -0,0 +1,29 @@
+---
+name: Run shell-linter
+on:
+  - push
+  - pull_request
+jobs:
+  shellfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run the sh-checker
+        uses: luizm/action-sh-checker@v0.1.12
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
+          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
+        with:
+          sh_checker_shellcheck_disable: true
+          sh_checker_comment: true
+          sh_checker_exclude: |
+                              src/
+                              debian/postrm
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Run shellcheck
+        run: ./shellcheck/docker_build_and_run_shellcheck.sh

.github/workflows/tagged-release.yml

@@ -0,0 +1,66 @@
+---
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    name: Create Release
+    # only runs on master
+    if: github.event.base_ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    steps:
+      # GET VERSION TAG
+      - name: Get latest version number
+        id: vars
+        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
+      # CHECKOUT CODE
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.vars.outputs.tag }}
+      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
+      - name: Generate changelog
+        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
+      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
+      - name: Abort if changelog is empty
+        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
+      # BUILD THE .DEB PACKAGE
+      - name: Build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts debhelper
+          sudo debuild --buildinfo-option=-O -us -uc -b -j8
+          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
+      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
+      - name: Delete the tag latest and the release latest
+        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        with:
+          delete_release: true
+          tag_name: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # CREATE RELEASE
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          body_path: changelog.md
+          draft: false
+          prerelease: false
+      # UPLOAD PACKAGE .DEB
+      - name: Upload Release deb
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./cis-hardening.deb
+          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
+          asset_content_type: application/vnd.debian.binary-package

AUTHORS

@@ -1,8 +1,9 @@
 Contributors of this project :
 
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>

LICENSE

@@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
-All rights reserved.
+Copyright 2020 OVHcloud
 
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
 
-  * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-  * Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
-  * Neither the name of OVH SAS nor the
-    names of its contributors may be used to endorse or promote products
-    derived from this software without specific prior written permission.
+       http://www.apache.org/licenses/LICENSE-2.0
 
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   A copy of the license terms follows:
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

MANUAL.md

@@ -0,0 +1,160 @@
+% CIS-HARDENING(8)
+%
+% 2016
+
+# NAME
+
+cis-hardening - CIS Debian 9/10 Hardening
+
+# SYNOPSIS
+
+**hardening.sh** RUN_MODE [OPTIONS]
+
+# DESCRIPTION
+
+Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
+
+# SCRIPTS CONFIGURATION
+
+Hardening scripts are in `bin/hardening`. Each script has a corresponding
+configuration file in `etc/conf.d/[script_name].cfg`.
+
+Each hardening script can be individually enabled from its configuration file.
+For example, this is the default configuration file for `disable_system_accounts`:
+
+```
+# Configuration for script of same name
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
+```
+
+**status** parameter may take 3 values:
+
+- `disabled` (do nothing): The script will not run.
+- `audit` (RO): The script will check if any change should be applied.
+- `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
+
+Global configuration is in `etc/hardening.cfg`. This file controls the log level
+as well as the backup directory. Whenever a script is instructed to edit a file, it
+will create a timestamped backup in this directory.
+
+
+# RUN MODE
+
+`-h`, `--help`
+:   Display a friendly help message.
+
+`--apply`
+:   Apply hardening for enabled scripts.
+    Beware that NO confirmation is asked whatsoever, which is why you're warmly
+    advised to use `--audit` before, which can be regarded as a dry-run mode.
+
+`--audit`
+:   Audit configuration for enabled scripts.
+    No modification will be made on the system, we'll only report on your system
+    compliance for each script.
+
+`--audit-all`
+:   Same as `--audit`, but for *all* scripts, even disabled ones.
+    This is a good way to peek at your compliance level if all scripts were enabled,
+    and might be a good starting point.
+
+`--audit-all-enable-passed`
+:   Same as `--audit-all`, but in addition, will *modify* the individual scripts
+    configurations to enable those which passed for your system.
+    This is an easy way to enable scripts for which you're already compliant.
+    However, please always review each activated script afterwards, this option
+    should only be regarded as a way to kickstart a configuration from scratch.
+    Don't run this if you have already customized the scripts enable/disable
+    configurations, obviously.
+
+`--create-config-files-only`
+:   Create the config files in etc/conf.d
+    Must be run as root, before running the audit with user secaudit
+
+`-set-hardening-level=level`
+:   Modifies the configuration to enable/disable tests given an hardening level,
+    between 1 to 5. Don't run this if you have already customized the scripts
+    enable/disable configurations.
+    1: very basic policy, failure to pass tests at this level indicates severe
+        misconfiguration of the machine that can have a huge security impact
+    2: basic policy, some good practice rules that, once applied, shouldn't
+        break anything on most systems
+    3: best practices policy, passing all tests might need some configuration
+        modifications (such as specific partitioning, etc.)
+    4: high security policy, passing all tests might be time-consuming and
+        require high adaptation of your workflow
+    5: placebo, policy rules that might be very difficult to apply and maintain,
+        with questionable security benefits
+
+`--allow-service=service`
+:   Use with `--set-hardening-level`.
+    Modifies the policy to allow a certain kind of services on the machine, such
+    as http, mail, etc. Can be specified multiple times to allow multiple services.
+    Use --allow-service-list to get a list of supported services.
+
+# OPTIONS
+
+`--allow-service-list`
+:   Get a list of supported service.
+
+  
+`--only test-number`
+:    Modifies the RUN_MODE to only work on the test_number script.
+    Can be specified multiple times to work only on several scripts.
+    The test number is the numbered prefix of the script,
+    i.e. the test number of 1.2_script_name.sh is 1.2.
+
+`--sudo`
+:   This option lets you audit your system as a normal user, but allows sudo
+    escalation to gain read-only access to root files. Note that you need to
+    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
+    the -n option instructs sudo not to prompt for a password.
+    Finally note that `--sudo` mode only works for audit mode.
+
+`--set-log-level=level`
+:   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+    Default value is : info
+
+`--batch`
+:   While performing system audit, this option sets LOGLEVEL to 'ok' and
+    captures all output to print only one line once the check is done, formatted like :
+    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+
+`--allow-unsupported-distribution`
+    Must be specified manually in the command line to allow the run on non compatible
+    version or distribution. If you want to mute the warning change the LOGLEVEL
+    in /etc/hardening.cfg
+
+
+# AUTHORS
+
+- Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+- Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+- Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
+- Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
+
+# COPYRIGHT
+
+Copyright 2020 OVHcloud
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+# SEE ALSO
+
+- **Center for Internet Security**: https://www.cisecurity.org/
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
+- **Project repository**: https://github.com/ovh/debian-cis
+

README.md

@@ -1,44 +1,60 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 9/10 Hardening
 
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
+report issues if you find any !
+
+
+<p align="center">
+      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
+</p>
+
+![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
+![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
+![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
+
+![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
+![License](https://img.shields.io/github/license/ovh/debian-cis)
+---
+
+Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
-13.15_check_duplicate_gid [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Performing audit
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
-         Total Runned Checks : 191
-         Total Passed Checks : [ 170/191 ]
-         Total Failed Checks : [  21/191 ]
-   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 89.01 %
+      Total Available Checks : 232
+         Total Runned Checks : 166
+         Total Passed Checks : [ 142/166 ]
+         Total Failed Checks : [  24/166 ]
+   Enabled Checks Percentage : 71.00 %
+       Conformity Percentage : 85.00 %
 ```
 
-## Quickstart
+## :dizzy: Quickstart
 
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
-1.1_install_updates [INFO] Checking Configuration
-1.1_install_updates [INFO] Performing audit
-1.1_install_updates [INFO] Checking if apt needs an update
-1.1_install_updates [INFO] Fetching upgrades ...
-1.1_install_updates [ OK ] No upgrades available
-1.1_install_updates [ OK ] Check Passed
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
 
-## Usage
+## :hammer: Usage
 
 ### Configuration
 
@@ -72,7 +88,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
 
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
+
+ ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@@ -80,16 +98,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
 
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 
-## Hacking
+``--only <check_number>``: run only the selected checks.
+
+``--set-hardening-level``: run all checks that are lower or equal to the selected level.
+Do NOT use this option if you have already started to customize your configuration.
+
+``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
+to allow a certain kind of services on the machine, such as http, mail, etc.
+Can be specified multiple times to allow multiple services.
+Use --allow-service-list to get a list of supported services.
+
+``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+Default value is : info
+
+``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
+before running the audit with user secaudit, to have the rights setup well on the conf files.
+
+``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
+the run on non compatible version or distribution. If you want to mute the warning change the
+LOGLEVEL in /etc/hardening.cfg
+
+## :computer: Hacking
 
 **Getting the source**
 
@@ -110,6 +148,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
+Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
+
+If the check replace somehow one that is in the CIS specifications,
+you can use the numerotation of the check it replaces inplace. For example we check
+the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
+
+Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
+(part of OVHcloud security policy)
+
 
 Code your check explaining what it does then if you want to test
 
@@ -117,7 +164,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 
 Functional tests are available. They are to be run in a Docker environment.
 
@@ -125,7 +172,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian9` or `debian10`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@@ -151,10 +198,49 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
 
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
+and that we will not test the apply function. It's because the check is very basic
+(like a package install) and that a test on it is not really necessary.
+
+Furthermore, some tests are disabled on docker because there not pertinent (kernel 
+modules, grub, partitions, ...)
+You can disable a check on docker with:
+```bash
+if [ -f "/.dockerenv" ]; then
+  skip "SKIPPED on docker"
+else
+...
+fi
+```
+
+## :art: Coding style
+### Shellcheck
+
+We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
+correctness of the scripts and to respect best practices.
+It can be used directly with the docker environnment to check all scripts 
+compliancy. By default it runs on every `.sh` it founds.
+
+```console
+$ ./shellcheck/launch_shellcheck.sh [name of script...]
+```
+
+### Shellfmt
+
+We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
+consistent style in every script. 
+Identically to shellcheck, it can be run through a script with the following:
+
+```console
+$ ./shellfmt/launch_shellfmt.sh
+```
+It will automatically fix any styling problem on every script.
+
+
+## :heavy_exclamation_mark: Disclaimer
 
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
@@ -163,7 +249,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@@ -171,13 +257,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-## Reference
+## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
-- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 
-## License
-
-3-Clause BSD
+## :page_facing_up: License
 
+Apache, Version 2.0

bin/hardening.sh

@@ -26,6 +26,8 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+ASK_LOGLEVEL=''
+ALLOW_UNSUPPORTED_DISTRIBUTION=0
 
 usage() {
     cat <<EOF
@@ -98,10 +100,19 @@ OPTIONS:
         the '-n' option instructs sudo not to prompt for a password.
         Finally note that '--sudo' mode only works for audit mode.
 
+    --set-log-level <level>
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        Default value is : info
+
     --batch
         While performing system audit, this option sets LOGLEVEL to 'ok' and
         captures all output to print only one line once the check is done, formatted like :
         OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
+    
+    --allow-unsupported-distribution
+        Must be specified manually in the command line to allow the run on non compatible
+        version or distribution. If you want to mute the warning change the LOGLEVEL
+        in /etc/hardening.cfg
 
 EOF
     exit 0
@@ -143,6 +154,10 @@ while [[ $# -gt 0 ]]; do
         SET_HARDENING_LEVEL="$2"
         shift
         ;;
+    --set-log-level)
+        ASK_LOGLEVEL=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -152,7 +167,10 @@ while [[ $# -gt 0 ]]; do
         ;;
     --batch)
         BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
+        ;;
+    --allow-unsupported-distribution)
+        ALLOW_UNSUPPORTED_DISTRIBUTION=1
         ;;
     -h | --help)
         usage
@@ -179,16 +197,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
     exit 128
 fi
-# shellcheck source=../lib/constants.sh
-[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
+# shellcheck source=../lib/constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 
-if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
+# print warning, otherwise quit
+
+if [ "$DISTRIBUTION" != "debian" ]; then
+    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+        echo "Exiting now"
+        exit 100
+    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+    fi
+else
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
+        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
+            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
+            echo "Exiting now"
+            exit 100
+        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
+            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
+            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
+        fi
+    fi
+fi
 
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@@ -294,7 +349,7 @@ if [ "$BATCH_MODE" ]; then
     BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
     BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
     if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
     else
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@@ -307,8 +362,8 @@ else
     printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
     printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
 
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
-    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
     printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
     if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
         printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
+MODULE_NAME="hfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
+MODULE_NAME="hfsplus"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -17,31 +17,37 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_SQUASHFS"
-MODULE_FILE="squashfs"
+MODULE_NAME="squashfs"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
-    :
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
-    :
 }
 
 # This function will check config parameters required

bin/hardening/1.1.1.6_disable_udf.sh

@@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 
-# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
-
 KERNEL_OPTION="CONFIG_UDF_FS"
-MODULE_FILE="udf"
+MODULE_NAME="udf"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -24,6 +24,7 @@ MODULE_FILE="vfat"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # TODO check if uefi enabled if yes check if only boot partition use FAT
     is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
     if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
         crit "$KERNEL_OPTION is enabled!"

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 
 KERNEL_OPTION="CONFIG_USB_STORAGE"
-MODULE_FILE="usb-storage"
+MODULE_NAME="usb-storage"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        crit "$KERNEL_OPTION is enabled!"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
     else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
     else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
     fi
 }
 

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -29,7 +29,7 @@ audit() {
     LIMIT_FILES=""
     if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
         for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
-            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+            LIMIT_FILES="$LIMIT_FILES $file"
         done
     fi
     debug "Files to search $LIMIT_FILE $LIMIT_FILES"

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -78,7 +78,7 @@ apply() {
     IFS=$d_IFS
 
     if [ $ERROR = 1 ]; then
-        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
         $SUDO_CMD update-grub
     else
         ok "$PACKAGES are configured"

bin/hardening/2.2.17_disable_nis.sh

@@ -17,14 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 
+PACKAGES='nis'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
 }
 
 # This function will check config parameters required

bin/hardening/3.1.1_disable_ipv6.sh

@@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
-            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ "$FNRET" != 0 ]; then
-                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-            elif [ "$FNRET" = 255 ]; then
-                warn "$SYSCTL_PARAM does not exist -- Typo?"
-            else
-                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-            fi
-        done
+        crit "ipv6 is enabled"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
     if [ "$FNRET" != 0 ]; then
         ok "ipv6 is disabled"
     else

bin/hardening/3.3.1_disable_source_routed_packets.sh

@@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        does_sysctl_param_exists "net.ipv6"
+        is_ipv6_enabled
         if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)

bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

@@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
-    if [ "$FNRET" != 0 ]; then
-        ok "ipv6 is disabled"
-    else
+    is_ipv6_enabled
+    if [ "$FNRET" = 0 ]; then
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -38,15 +36,15 @@ audit() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
-    if [ "$FNRET" != 0 ]; then
-        ok "ipv6 is disabled"
-    else
+    is_ipv6_enabled
+    if [ "$FNRET" = 0 ]; then
         for SYSCTL_VALUES in $SYSCTL_PARAMS; do
             SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
             SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@@ -62,6 +60,8 @@ apply() {
                 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
             fi
         done
+    else
+        ok "ipv6 disabled"
     fi
 }
 

bin/hardening/3.4.1_disable_dccp.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
+MODULE_NAME="dccp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.2_disable_sctp.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
+MODULE_NAME="sctp"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.3_disable_rds.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_RDS"
+MODULE_NAME="rds"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/3.4.4_disable_tipc.sh

@@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
+KERNEL_OPTION="CONFIG_TIPC"
+MODULE_NAME="tipc"
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/4.2.2.1_journald_logs.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='ForwardToSyslog=yes'
+OPTIONS='ForwardToSyslog=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
             debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
             else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
             fi
         done
     fi
@@ -57,18 +57,18 @@ apply() {
         debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
         PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            warn "$PATTERN is not present in $FILE, adding it"
+        if [ "$FNRET" = 0 ]; then
+            warn "$PATTERN is present in $FILE, deleting it"
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
             fi
         else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
         fi
     done
 }

bin/hardening/4.2.2.2_journald_compress.sh

@@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
 FILE='/etc/systemd/journald.conf'
-OPTIONS='Compress=yes'
+OPTIONS='Compress=no'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -34,9 +34,9 @@ audit() {
             debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
             does_pattern_exist_in_file "$FILE" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
             else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
             fi
         done
     fi
@@ -57,18 +57,18 @@ apply() {
         debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
         PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
         does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
+        if [ "$FNRET" = 0 ]; then
             warn "$PATTERN is not present in $FILE, adding it"
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
             fi
         else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
         fi
     done
 }

bin/hardening/4.2.2.3_journald_write_persistent.sh

@@ -62,7 +62,7 @@ apply() {
             does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
             if [ "$FNRET" != 0 ]; then
                 info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
             else
                 info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
                 replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"

bin/hardening/5.1.2_crontab_perm_ownership.sh

@@ -24,6 +24,10 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"

bin/hardening/5.1.3_cron_hourly_perm_ownership.sh

@@ -24,6 +24,10 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"

bin/hardening/5.1.4_cron_daily_perm_ownership.sh

@@ -24,6 +24,10 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"

bin/hardening/5.1.5_cron_weekly_perm_ownership.sh

@@ -24,6 +24,10 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"

bin/hardening/5.1.6_cron_monthly_perm_ownership.sh

@@ -24,6 +24,10 @@ GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
     has_file_correct_ownership "$FILE" "$USER" "$GROUP"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct ownership"

bin/hardening/5.1.8_cron_users.sh

@@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
 FILES_ABSENT='/etc/cron.deny /etc/at.deny'
 FILES_PRESENT='/etc/cron.allow /etc/at.allow'
 PERMISSIONS='644'
+PERMISSIONSOK='644 640 600 440 400'
 USER='root'
 GROUP='root'
 
@@ -36,7 +37,7 @@ audit() {
     for FILE in $FILES_PRESENT; do
         does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            crit "$FILE is absent"
+            crit "$FILE is absent, should exist"
         else
             has_file_correct_ownership "$FILE" "$USER" "$GROUP"
             if [ "$FNRET" = 0 ]; then
@@ -44,7 +45,7 @@ audit() {
             else
                 crit "$FILE ownership was not set to $USER:$GROUP"
             fi
-            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
             if [ "$FNRET" = 0 ]; then
                 ok "$FILE has correct permissions"
             else
@@ -68,7 +69,7 @@ apply() {
     for FILE in $FILES_PRESENT; do
         does_file_exist "$FILE"
         if [ "$FNRET" != 0 ]; then
-            warn "$FILE is absent"
+            warn "$FILE is absent, fixing (touch)"
             touch "$FILE"
         fi
         has_file_correct_ownership "$FILE" "$USER" "$GROUP"
@@ -78,7 +79,7 @@ apply() {
             warn "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else

bin/hardening/5.2.10_disable_root_login.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.14_ssh_cry_mac.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -78,7 +78,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your MACs
-OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
+OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 EOF
 }
 

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do
@@ -73,15 +73,12 @@ apply() {
 }
 
 create_config() {
-    get_debian_major_version
     set +u
     debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
+    if [[ 7 -le "$DEB_MAJ_VER" ]]; then
         KEX='diffie-hellman-group-exchange-sha256'
-    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
-        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     else
-        KEX='diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     fi
     set -u
     cat <<EOF
@@ -89,6 +86,7 @@ status=audit
 # Put your KexAlgorithms
 OPTIONS="KexAlgorithms=$KEX"
 EOF
+
 }
 
 # This function will check config parameters required

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.18_sshd_limit_access.sh

@@ -25,7 +25,7 @@ audit() {
     OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.19_ssh_banner.sh

@@ -25,7 +25,7 @@ audit() {
     OPTIONS="Banner=$BANNER_FILE"
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.20_enable_ssh_pam.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.22_configure_ssh_max_startups.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.4_sshd_protocol.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.5_sshd_loglevel.sh

@@ -26,7 +26,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -18,8 +18,8 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 
 PACKAGE='libpam-modules-bin'
-PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
-PATTERN_ACCOUNT='pam_tally[2]?\.so'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so'
+PATTERN_ACCOUNT='pam_((tally[2]?)|(faillock))\.so'
 FILE_AUTH='/etc/pam.d/common-auth'
 FILE_ACCOUNT='/etc/pam.d/common-account'
 
@@ -59,14 +59,22 @@ apply() {
         ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
         warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        fi
     fi
     does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
     else
         warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally.so" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
+        fi
 
     fi
 }

bin/hardening/99.1.1.23_disable_usb_devices.sh

@@ -13,6 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 USER='root'
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="USB devices are disabled."
 

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -12,6 +12,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
 

bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh

@@ -25,7 +25,7 @@ OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthen
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.2_ssh_cry_rekey.sh

@@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    get_debian_major_version
     set +u
     debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]]; then
         set -u
         crit "Cannot get Debian version. Aborting..."
         return
     fi
-    if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
         set -u
         warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
         return
@@ -40,7 +39,7 @@ audit() {
     set -u
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.3_ssh_disable_features.sh

@@ -13,6 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check all special features in sshd_config are disabled"
 
@@ -24,7 +25,7 @@ OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwardin
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -12,6 +12,8 @@
 set -e # One error, it is over
 set -u # One variable unset, it is over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available."
 

bin/hardening/99.5.2.5_ssh_strict_modes.sh

@@ -13,7 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable)  before connecting."
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting."
 
 PACKAGE='openssh-server'
 OPTIONS='StrictModes=yes'
@@ -23,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.2.6_ssh_sys_accept_env.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"

bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh

@@ -12,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed"
+
 # shellcheck disable=2034
 SERVICES="rlogin rlogind rcp"
 

bin/hardening/99.5.2.8_ssh_sys_sandbox.sh

@@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
         for SSH_OPTION in $OPTIONS; do

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -6,14 +6,16 @@
 #
 
 #
-# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# 99.5.4.5.1 Check that any password that will be created will be SHA512 hashed and salted
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Check that any password that will be created will be SHA512 hashed and salted"
 
 CONF_FILE="/etc/login.defs"
 CONF_LINE="ENCRYPT_METHOD SHA512"

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -12,6 +12,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
 FILE="/etc/shadow"

bin/hardening/99.99_check_distribution.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# OVH Security audit
+#
+
+#
+# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check the distribution and the distribution version"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$DISTRIBUTION" != "debian" ]; then
+        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    else
+        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is too recent and is not yet supported."
+        elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
+        else
+            ok "Your distribution is debian and the version is supported"
+
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
+    echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

debian/changelog

@@ -1,3 +1,29 @@
+cis-hardening (3.1-0) unstable; urgency=medium
+
+  * Add missing HARDENING_LEVEL var for some checks
+  * Add dealing with debian 11
+  * Add warning for unsupported distributions and debian version
+  * Remove bc dependency
+  * Add 1.8.1-4 comprehensive tests
+  * Add 3.1-3.x comprehensive tests
+  * Add missing 3.4.x checks and tests (exotic protocol)
+  * Add environment detection (container)
+  * Improve kernel module detection
+  * Improve partition detection
+  * Add cli option to override loglevel
+  * Improve 5.1.8 to allow more restrictive permissions
+  * Upgrade mac and key to be debian10 CIS compliant
+  * Fix path in 1.6.4
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 22 Feb 2021 8:30:01 +0100
+
+cis-hardening (3.0-1) unstable; urgency=medium
+
+  * Add workflows for github action
+  * Update man page and README.md
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 18 Jan 2021 09:01:28 +0100
+
 cis-hardening (3.0) unstable; urgency=medium
 
   * Migration to debian10 numbering

debian/cis-hardening.8

@@ -1,156 +1,180 @@
-.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
+.\" Automatically generated by Pandoc 2.6
+.\"
+.TH "CIS-HARDENING" "8" "2016" "" ""
+.hy
 .SH NAME
-cis-hardening - CIS Debian 7/8/9 Hardening
 .PP
+cis-hardening - CIS Debian 9/10 Hardening
+.SH SYNOPSIS
+.PP
+\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
 .SH DESCRIPTION
 .PP
-Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
-recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
+Modular Debian 9/10 security hardening scripts based on the CIS
+(https://www.cisecurity.org) recommendations.
 .PP
-.RS
-.nf
-$ bin/hardening.sh \-\-audit\-all
-[...]
-hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
-13.15_check_duplicate_gid [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
-[...]
-################### SUMMARY ###################
-      Total Available Checks : 191
-         Total Runned Checks : 191
-         Total Passed Checks : [ 170/191 ]
-         Total Failed Checks : [  21/191 ]
-   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 89.01 %
-.fi
-.RE
-.SH Quickstart
-.PP
-.RS
-.nf
-$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
-$ cp debian/default /etc/default/cis\-hardening
-$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
-$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
-1.1_install_updates [INFO] Checking Configuration
-1.1_install_updates [INFO] Performing audit
-1.1_install_updates [INFO] Checking if apt needs an update
-1.1_install_updates [INFO] Fetching upgrades ...
-1.1_install_updates [ OK ] No upgrades available
-1.1_install_updates [ OK ] Check Passed
-.fi
-.RE
-.SH Usage
-.SS Configuration
-.PP
-Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
-configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
-.PP
-Each hardening script can be individually enabled from its configuration file.
-For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
-.PP
-.RS
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
+infrastructure.
+.SH SCRIPTS CONFIGURATION
+.PP
+Hardening scripts are in \f[C]bin/hardening\f[R].
+Each script has a corresponding configuration file in
+\f[C]etc/conf.d/[script_name].cfg\f[R].
+.PP
+Each hardening script can be individually enabled from its configuration
+file.
+For example, this is the default configuration file for
+\f[C]disable_system_accounts\f[R]:
+.IP
 .nf
+\f[C]
 # Configuration for script of same name
 status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
-EXCEPTIONS=""
+EXCEPTIONS=\[dq]\[dq]
+\f[R]
 .fi
-.RE
 .PP
-\fB\fCstatus\fR parameter may take 3 values:
-     \fB\fCdisabled\fR (do nothing): The script will not run.
-     \fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
-     \fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
+\f[B]status\f[R] parameter may take 3 values:
+.IP \[bu] 2
+\f[C]disabled\f[R] (do nothing): The script will not run.
+.IP \[bu] 2
+\f[C]audit\f[R] (RO): The script will check if any change should be
+applied.
+.IP \[bu] 2
+\f[C]enabled\f[R] (RW): The script will check if any change should be
+done and automatically apply what it can.
 .PP
-Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
-as well as the backup directory. Whenever a script is instructed to edit a file, it
-will create a timestamped backup in this directory.
-.SS Run aka "Harden your distro"
+Global configuration is in \f[C]etc/hardening.cfg\f[R].
+This file controls the log level as well as the backup directory.
+Whenever a script is instructed to edit a file, it will create a
+timestamped backup in this directory.
+.SH RUN MODE
+.TP
+.B \f[C]-h\f[R], \f[C]--help\f[R]
+Display a friendly help message.
+.TP
+.B \f[C]--apply\f[R]
+Apply hardening for enabled scripts.
+Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
+warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
+a dry-run mode.
+.TP
+.B \f[C]--audit\f[R]
+Audit configuration for enabled scripts.
+No modification will be made on the system, we\[cq]ll only report on
+your system compliance for each script.
+.TP
+.B \f[C]--audit-all\f[R]
+Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
+ones.
+This is a good way to peek at your compliance level if all scripts were
+enabled, and might be a good starting point.
+.TP
+.B \f[C]--audit-all-enable-passed\f[R]
+Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
+the individual scripts configurations to enable those which passed for
+your system.
+This is an easy way to enable scripts for which you\[cq]re already
+compliant.
+However, please always review each activated script afterwards, this
+option should only be regarded as a way to kickstart a configuration
+from scratch.
+Don\[cq]t run this if you have already customized the scripts
+enable/disable configurations, obviously.
+.TP
+.B \f[C]--create-config-files-only\f[R]
+Create the config files in etc/conf.d Must be run as root, before
+running the audit with user secaudit
+.TP
+.B \f[C]-set-hardening-level=level\f[R]
+Modifies the configuration to enable/disable tests given an hardening
+level, between 1 to 5.
+Don\[cq]t run this if you have already customized the scripts
+enable/disable configurations.
+1: very basic policy, failure to pass tests at this level indicates
+severe misconfiguration of the machine that can have a huge security
+impact 2: basic policy, some good practice rules that, once applied,
+shouldn\[cq]t break anything on most systems 3: best practices policy,
+passing all tests might need some configuration modifications (such as
+specific partitioning, etc.) 4: high security policy, passing all tests
+might be time-consuming and require high adaptation of your workflow 5:
+placebo, policy rules that might be very difficult to apply and
+maintain, with questionable security benefits
+.TP
+.B \f[C]--allow-service=service\f[R]
+Use with \f[C]--set-hardening-level\f[R].
+Modifies the policy to allow a certain kind of services on the machine,
+such as http, mail, etc.
+Can be specified multiple times to allow multiple services.
+Use \[en]allow-service-list to get a list of supported services.
+.SH OPTIONS
+.TP
+.B \f[C]--allow-service-list\f[R]
+Get a list of supported service.
+.TP
+.B \f[C]--only test-number\f[R]
+Modifies the RUN_MODE to only work on the test_number script.
+Can be specified multiple times to work only on several scripts.
+The test number is the numbered prefix of the script, i.e.\ the test
+number of 1.2_script_name.sh is 1.2.
+.TP
+.B \f[C]--sudo\f[R]
+This option lets you audit your system as a normal user, but allows sudo
+escalation to gain read-only access to root files.
+Note that you need to provide a sudoers file with NOPASSWD option in
+/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
+password.
+Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
+.TP
+.B \f[C]--set-log-level=level\f[R]
+This option sets LOGLEVEL, you can choose : info, warning, error, ok,
+debug.
+Default value is : info
+.TP
+.B \f[C]--batch\f[R]
+While performing system audit, this option sets LOGLEVEL to `ok' and
+captures all output to print only one line once the check is done,
+formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
 .PP
-To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
+\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
+the command line to allow the run on non compatible version or
+distribution.
+If you want to mute the warning change the LOGLEVEL in
+/etc/hardening.cfg
+.SH AUTHORS
+.IP \[bu] 2
+Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
+.IP \[bu] 2
+St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
+.IP \[bu] 2
+Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
+.IP \[bu] 2
+Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
+.SH COPYRIGHT
 .PP
-This command has 2 main operation modes:
-     \fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
-     \fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
+Copyright 2020 OVHcloud
 .PP
-Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
-including disabled ones. this will \fInot\fP change the system.
-.PP
-\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
-configuration. It will run all scripts in audit mode. If a script passes,
-it will automatically be enabled for future runs. Do NOT use this option
-if you have already started to customize your configuration.
-.SH Hacking
-.PP
-\fBGetting the source\fP
-.PP
-.RS
+Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+.IP
 .nf
-$ git clone https://github.com/ovh/debian\-cis.git
+\f[C]
+   http://www.apache.org/licenses/LICENSE-2.0
+\f[R]
 .fi
-.RE
 .PP
-\fBBuilding a debian Package\fP (the hacky way)
-.PP
-.RS
-.nf
-$ debuild \-us \-uc
-.fi
-.RE
-.PP
-\fBAdding a custom hardening script\fP
-.PP
-.RS
-.nf
-$ cp src/skel bin/hardening/99.99_custom_script.sh
-$ chmod +x bin/hardening/99.99_custom_script.sh
-$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
-.fi
-.RE
-.PP
-Code your check explaining what it does then if you want to test
-.PP
-.RS
-.nf
-$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
-$ ./bin/hardening/99.99_custom_script.sh
-.fi
-.RE
-.SH Disclaimer
-.PP
-This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
-infrastructure, we can not guarantee that it will work for you. It will not
-magically secure any random host.
-.PP
-Additionally, quoting the License:
-.PP
-.RS
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.RE
-.SH Reference
-.PP
-.RS
-.nf
- **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
-.fi
-.RE
-.SH License
-.PP
-3\-Clause BSD
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an \[lq]AS IS\[rq]
+BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+# SEE ALSO
+.IP \[bu] 2
+\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
+.IP \[bu] 2
+\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
+.IP \[bu] 2
+\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis

debian/compat

@@ -1 +1 @@
-8
+9

debian/control

@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, bc, patch
+Depends: ${misc:Depends}, patch
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org
  ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

lib/common.sh

@@ -112,3 +112,20 @@ sudo_wrapper() {
         crit "Not allowed to \"sudo -n $*\" "
     fi
 }
+
+#
+# Math functions
+#
+
+div() {
+    local _d=${3:-2}
+    local _n=0000000000
+    _n=${_n:0:$_d}
+    if (($2 == 0)); then
+        echo "N.A"
+        return
+    fi
+    local _r=$(($1$_n / $2))
+    _r=${_r:0:-$_d}.${_r: -$_d}
+    echo $_r
+}

lib/constants.sh

@@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
 BYELLOW='\033[1;33m' # Yellow
 # shellcheck disable=2034
 BWHITE='\033[1;37m' # White
+
+# Debian version variables
+
+CONTAINER_TYPE=""
+IS_CONTAINER=0
+
+if [ "$(is_running_in_container "docker")" != "" ]; then
+    CONTAINER_TYPE="docker"
+    IS_CONTAINER=1
+fi
+if [ "$(is_running_in_container "lxc")" != "" ]; then
+    CONTAINER_TYPE="lxc"
+    IS_CONTAINER=1
+fi
+if [ "$(is_running_in_container "kubepods")" != "" ]; then
+    # shellcheck disable=SC2034
+    CONTAINER_TYPE="kubepods"
+    # shellcheck disable=SC2034
+    IS_CONTAINER=1
+fi
+
+get_distribution
+
+get_debian_major_version
+
+# shellcheck disable=SC2034
+SMALLEST_SUPPORTED_DEBIAN_VERSION=9
+# shellcheck disable=SC2034
+HIGHEST_SUPPORTED_DEBIAN_VERSION=10

lib/main.sh

@@ -10,14 +10,15 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
-# shellcheck source=constants.sh
-[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
+# shellcheck source=constants.sh
+[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

lib/utils.sh

@@ -46,6 +46,30 @@ set_sysctl_param() {
     fi
 }
 
+#
+# IPV6
+#
+
+is_ipv6_enabled() {
+    SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+
+    does_sysctl_param_exists "net.ipv6"
+    local ENABLE=1
+    if [ "$FNRET" = 0 ]; then
+        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
+            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
+            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
+            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+            if [ "$FNRET" != 0 ]; then
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+                ENABLE=0
+            fi
+        done
+    fi
+    FNRET=$ENABLE
+}
+
 #
 # Dmesg
 #
@@ -295,43 +319,90 @@ is_service_enabled() {
 is_kernel_option_enabled() {
     local KERNEL_OPTION="$1"
     local MODULE_NAME=""
+    local MODPROBE_FILTER=""
+    local RESULT=""
+    local IS_MONOLITHIC_KERNEL=1
+    local DEF_MODULE=""
+
     if [ $# -ge 2 ]; then
         MODULE_NAME="$2"
     fi
-    if $SUDO_CMD [ -r "/proc/config.gz" ]; then
-        RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
-    elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
-        RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
-    fi
-    ANSWER=$(cut -d = -f 2 <<<"$RESULT")
-    if [ "x$ANSWER" = "xy" ]; then
-        debug "Kernel option $KERNEL_OPTION enabled"
-        FNRET=0
-    elif [ "x$ANSWER" = "xn" ]; then
-        debug "Kernel option $KERNEL_OPTION disabled"
-        FNRET=1
-    else
-        debug "Kernel option $KERNEL_OPTION not found"
-        FNRET=2 # Not found
+
+    if [ $# -ge 3 ]; then
+        MODPROBE_FILTER="$3"
     fi
 
-    if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
-        # also check in modules, because even if not =y, maybe
-        # the admin compiled it separately later (or out-of-tree)
-        # as a module (regardless of the fact that we have =m or not)
-        debug "Checking if we have $MODULE_NAME.ko"
-        local modulefile
-        modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
-        if $SUDO_CMD [ -n "$modulefile" ]; then
-            debug "We do have $modulefile!"
-            # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
-            if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
-                debug "... but it's blacklisted!"
-                FNRET=1 # Not found (found but blacklisted)
-                # FIXME: even if blacklisted, it might be present in the initrd and
-                # be insmod from there... but painful to check :/ maybe lsmod would be enough ?
+    debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
+    if $SUDO_CMD lsmod >/dev/null 2>&1; then
+        IS_MONOLITHIC_KERNEL=0
+    fi
+
+    if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
+        if $SUDO_CMD [ -r "/proc/config.gz" ]; then
+            RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
+        elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
+            RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
+        else
+            debug "No information about kernel found, you're probably in a container"
+            FNRET=127
+            return
+        fi
+
+        ANSWER=$(cut -d = -f 2 <<<"$RESULT")
+        if [ "x$ANSWER" = "xy" ]; then
+            debug "Kernel option $KERNEL_OPTION enabled"
+            FNRET=0
+        elif [ "x$ANSWER" = "xn" ]; then
+            debug "Kernel option $KERNEL_OPTION disabled"
+            FNRET=1
+        else
+            debug "Kernel option $KERNEL_OPTION not found"
+            FNRET=2 # Not found
+        fi
+
+        if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
+            # also check in modules, because even if not =y, maybe
+            # the admin compiled it separately later (or out-of-tree)
+            # as a module (regardless of the fact that we have =m or not)
+            debug "Checking if we have $MODULE_NAME.ko"
+            local modulefile
+            modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
+            if $SUDO_CMD [ -n "$modulefile" ]; then
+                debug "We do have $modulefile!"
+                # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
+                if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
+                    debug "... but it's blacklisted!"
+                    FNRET=1 # Not found (found but blacklisted)
+                fi
+                # ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
+                if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
+                    debug "... but it's override!"
+                    FNRET=1 # Not found (found but override)
+                fi
+                FNRET=0 # Found!
             fi
-            FNRET=0 # Found!
+        fi
+    else
+        if [ "$MODPROBE_FILTER" != "" ]; then
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
+        else
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
+        fi
+
+        if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
+            debug "$MODULE_NAME is disabled (blacklist with override)"
+            FNRET=1
+        elif [ "$DEF_MODULE" == "" ]; then
+            debug "$MODULE_NAME is disabled"
+            FNRET=1
+        else
+            debug "$MODULE_NAME is enabled"
+            FNRET=0
+        fi
+
+        if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
+            debug "$MODULE_NAME is enabled"
+            FNRET=0
         fi
     fi
 }
@@ -344,12 +415,20 @@ is_kernel_option_enabled() {
 is_a_partition() {
     local PARTITION=$1
     FNRET=128
-    if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
-        debug "$PARTITION found in fstab"
-        FNRET=0
+    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+        debug "/etc/fstab not found or empty, searching mountpoint"
+        if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
+            FNRET=0
+        fi
     else
-        debug "Unable to find $PARTITION in fstab"
-        FNRET=1
+        if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
+            debug "$PARTITION found in fstab"
+            FNRET=0
+        else
+            debug "Unable to find $PARTITION in fstab"
+            FNRET=1
+        fi
+
     fi
 }
 
@@ -369,18 +448,23 @@ is_mounted() {
 has_mount_option() {
     local PARTITION=$1
     local OPTION=$2
-    if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
-        local actual_partition
-        actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
-        debug "$PARTITION is a bind mount of $actual_partition"
-        PARTITION="$actual_partition"
-    fi
-    if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
-        debug "$OPTION has been detected in fstab for partition $PARTITION"
-        FNRET=0
+    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+        debug "/etc/fstab not found or empty, readin current mount options"
+        has_mounted_option "$PARTITION" "$OPTION"
     else
-        debug "Unable to find $OPTION in fstab for partition $PARTITION"
-        FNRET=1
+        if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
+            local actual_partition
+            actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
+            debug "$PARTITION is a bind mount of $actual_partition"
+            PARTITION="$actual_partition"
+        fi
+        if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
+            debug "$OPTION has been detected in fstab for partition $PARTITION"
+            FNRET=0
+        else
+            debug "Unable to find $OPTION in fstab for partition $PARTITION"
+            FNRET=1
+        fi
     fi
 }
 
@@ -478,9 +562,33 @@ get_debian_major_version() {
     DEB_MAJ_VER=""
     does_file_exist /etc/debian_version
     if [ "$FNRET" = 0 ]; then
-        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+        if grep -q "sid" /etc/debian_version; then
+            DEB_MAJ_VER="sid"
+        else
+            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+        fi
     else
         # shellcheck disable=2034
         DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
     fi
 }
+
+# Returns the distribution
+
+get_distribution() {
+    DISTRIBUTION=""
+    if [ -f /etc/os-release ]; then
+        # shellcheck disable=2034
+        DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
+        FNRET=0
+    else
+        debug "Distribution not found !"
+        FNRET=127
+    fi
+}
+
+# Detect if container based on cgroup detection
+
+is_running_in_container() {
+    awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
+}

tests/docker/Dockerfile.debian10

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian11

@@ -0,0 +1,21 @@
+FROM debian:bullseye
+
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
+
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron
+
+COPY --chown=500:500 . /opt/debian-cis/
+
+COPY debian/default /etc/default/cis-hardening
+RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
+
+COPY cisharden.sudoers /etc/sudoers.d/secaudit
+RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
+
+
+ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

tests/docker/Dockerfile.debian8

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian9

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/hardening/1.1.15_run_shm_nodev.sh

@@ -16,5 +16,10 @@ test_audit() {
     # Cleanup
     rm /run/shm
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.16_run_shm_nosuid.sh

@@ -16,5 +16,10 @@ test_audit() {
     # Cleanup
     rm /run/shm
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.17_run_shm_noexec.sh

@@ -16,5 +16,10 @@ test_audit() {
     # Cleanup
     rm /run/shm
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.23_disable_usb_storage.sh

@@ -1,12 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
     ##################################################################
     # For this test, we only check that it runs properly on a blank  #
     # host, and we check root/sudo consistency. But, we don't test   #

tests/hardening/1.4.1_install_tripwire.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.6.3_disable_prelink.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.8.1.4_motd_perms.sh

@@ -7,5 +7,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="motd-user"
+    local test_file="/etc/motd"
+
+    describe Tests purposely failing
+    chmod 777 "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd "$test_user"
+    chown "$test_user":"$test_user" "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel "$test_user"
 }

tests/hardening/1.8.1.5_etc_issue_perms.sh

@@ -7,5 +7,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="issue-user"
+    local test_file="/etc/issue"
+
+    describe Tests purposely failing
+    chmod 777 "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd "$test_user"
+    chown "$test_user":"$test_user" "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel "$test_user"
 }

tests/hardening/1.8.1.6_etc_issue_net_perms.sh

@@ -7,5 +7,36 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="issue-net-user"
+    local test_file="/etc/issue.net"
+
+    describe Tests purposely failing
+    chmod 777 "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "permissions were not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Tests purposely failing
+    useradd "$test_user"
+    chown "$test_user":"$test_user" "$test_file"
+    register_test retvalshouldbe 1
+    register_test contain "ownership was not set to"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    register_test contain "has correct ownership"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # Cleanup
+    userdel "$test_user"
 }

tests/hardening/2.1.1_disable_xinetd.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.17_disable_nis.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.3.4_disable_telnet_client.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.3.5_disable_ldap_client.sh

@@ -7,5 +7,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/3.1.1_disable_ipv6.sh

@@ -7,5 +7,23 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Tests purposely failing
+        sysctl -w net.ipv6.conf.all.disable_ipv6=0 2>/dev/null
+        register_test retvalshouldbe 1
+        register_test contain "net.ipv6.conf.all.disable_ipv6 was not set to 1"
+        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "correctly set to 1"
+        register_test contain "net.ipv6.conf.all.disable_ipv6 correctly set to 0"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }

tests/hardening/3.2.1_disable_send_packet_redirects.sh

@@ -7,5 +7,23 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Tests purposely failing
+        sysctl -w net.ipv4.conf.all.send_redirects=1 2>/dev/null
+        register_test retvalshouldbe 1
+        register_test contain "net.ipv4.conf.all.send_redirects was not set to 0"
+        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "correctly set to 0"
+        register_test contain "net.ipv4.conf.all.send_redirects correctly set to 0"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }

tests/hardening/3.3.1_disable_source_routed_packets.sh

@@ -7,5 +7,30 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Tests purposely failing
+        sysctl -w net.ipv4.conf.all.accept_source_route=1 net.ipv4.conf.default.accept_source_route=1 net.ipv6.conf.all.accept_source_route=1 net.ipv6.conf.default.accept_source_route=1 2>/dev/null
+        register_test retvalshouldbe 1
+        register_test contain "net.ipv4.conf.all.accept_source_route was not set to 0"
+        register_test contain "net.ipv4.conf.default.accept_source_route was not set to 0"
+        register_test contain "net.ipv6.conf.all.accept_source_route was not set to 0"
+        register_test contain "net.ipv6.conf.default.accept_source was not set to 0"
+
+        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "correctly set to 0"
+        register_test contain "net.ipv4.conf.all.accept_source_route correctly set to 0"
+        register_test contain "net.ipv4.conf.default.accept_source_route correctly set to 0"
+        register_test contain "net.ipv6.conf.all.accept_source_route correctly set to 0"
+        register_test contain "net.ipv6.conf.default.accept_source correctly set to 0"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }