Update changelog (#82 )

Check that package are installed before launching check (#69 )
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-07-16 13:52:17 +02:00 · 2021-03-26 12:16:50 +01:00 · 2021-03-25 14:01:57 +01:00 · 2021-03-25 13:50:08 +01:00 · 2021-03-23 08:36:36 +01:00 · 2021-03-22 15:22:50 +01:00
146 changed files with 2697 additions and 912 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,7 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -0,0 +1,17 @@
 ---
 name: Compile debian man
 on:
  - push
 jobs:
  compile-debian-man:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Produce debian man
        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
      - uses: EndBug/add-and-commit@v7
        with:
          add: 'debian/cis-hardening.8'
          message: 'Regenerate man pages (Github action)'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -0,0 +1,27 @@
 ---
 name: Run functionnal tests
 on:
  - pull_request
  - push
 jobs:
  functionnal-tests-docker-debian9:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian9
        run: ./tests/docker_build_and_run_tests.sh debian9
  functionnal-tests-docker-debian10:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -0,0 +1,64 @@
 ---
 name: Create Pre-Release
 on:
  push:
    branches:
      - master
 jobs:
  build:
    name: Create Pre-Release
    runs-on: ubuntu-latest
    steps:
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v2
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.1.3
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
        uses: actions-ecosystem/action-get-latest-tag@v1
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
        uses: metcalfc/changelog-generator@v0.4.4
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
          base-ref: ${{ steps.get-latest-tag.outputs.tag }}
      # CREATE RELEASE NAMED LATEST
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: latest
          release_name: Pre-release
          body: ${{ steps.changelog.outputs.changelog }}
          draft: false
          prerelease: true
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -0,0 +1,29 @@
 ---
 name: Run shell-linter
 on:
  - push
  - pull_request
 jobs:
  shellfmt:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the sh-checker
        uses: luizm/action-sh-checker@v0.1.12
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
        with:
          sh_checker_shellcheck_disable: true
          sh_checker_comment: true
          sh_checker_exclude: |
                              src/
                              debian/postrm
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run shellcheck
        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -0,0 +1,66 @@
 ---
 name: Create Release
 on:
  push:
    tags:
      - 'v*'
 jobs:
  build:
    name: Create Release
    # only runs on master
    if: github.event.base_ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      # GET VERSION TAG
      - name: Get latest version number
        id: vars
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      # CHECKOUT CODE
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: ${{ steps.vars.outputs.tag }}
      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
      - name: Generate changelog
        run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
      # IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
      - name: Abort if changelog is empty
        run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential devscripts debhelper
          sudo debuild --buildinfo-option=-O -us -uc -b -j8
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
        uses: dev-drprasad/delete-tag-and-release@v0.1.3
        with:
          delete_release: true
          tag_name: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # CREATE RELEASE
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          body_path: changelog.md
          draft: false
          prerelease: false
      # UPLOAD PACKAGE .DEB
      - name: Upload Release deb
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./cis-hardening.deb
          asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
          asset_content_type: application/vnd.debian.binary-package
--- a/7
+++ b/7
@ -1,8 +1,9 @@
 Contributors of this project :
 Developers :
-    Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+    Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
-    Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
+    Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
    Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 Debian package maintainers :
-    Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
+    Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
--- a/211
+++ b/211
@ -1,25 +1,192 @@
-Copyright (c) 2016, OVH SAS.
+Copyright 2020 OVHcloud
 All rights reserved.
-Redistribution and use in source and binary forms, with or without
+   Licensed under the Apache License, Version 2.0 (the "License");
-modification, are permitted provided that the following conditions are met:
+   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
-  * Redistributions of source code must retain the above copyright
+       http://www.apache.org/licenses/LICENSE-2.0
    notice, this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
  * Neither the name of OVH SAS nor the
    names of its contributors may be used to endorse or promote products
    derived from this software without specific prior written permission.
-THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
+   Unless required by applicable law or agreed to in writing, software
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   distributed under the License is distributed on an "AS IS" BASIS,
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+   See the License for the specific language governing permissions and
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+   limitations under the License.
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+   A copy of the license terms follows:
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+                                 Apache License
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
--- a/MANUAL.md
+++ b/MANUAL.md
@ -0,0 +1,160 @@
 % CIS-HARDENING(8)
 %
 % 2016
 # NAME
 cis-hardening - CIS Debian 9/10 Hardening
 # SYNOPSIS
 **hardening.sh** RUN_MODE [OPTIONS]
 # DESCRIPTION
 Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 # SCRIPTS CONFIGURATION
 Hardening scripts are in `bin/hardening`. Each script has a corresponding
 configuration file in `etc/conf.d/[script_name].cfg`.
 Each hardening script can be individually enabled from its configuration file.
 For example, this is the default configuration file for `disable_system_accounts`:
 ```
 # Configuration for script of same name
 status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""
 ```
 **status** parameter may take 3 values:
 - `disabled` (do nothing): The script will not run.
 - `audit` (RO): The script will check if any change should be applied.
 - `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
 Global configuration is in `etc/hardening.cfg`. This file controls the log level
 as well as the backup directory. Whenever a script is instructed to edit a file, it
 will create a timestamped backup in this directory.
 # RUN MODE
 `-h`, `--help`
 :   Display a friendly help message.
 `--apply`
 :   Apply hardening for enabled scripts.
    Beware that NO confirmation is asked whatsoever, which is why you're warmly
    advised to use `--audit` before, which can be regarded as a dry-run mode.
 `--audit`
 :   Audit configuration for enabled scripts.
    No modification will be made on the system, we'll only report on your system
    compliance for each script.
 `--audit-all`
 :   Same as `--audit`, but for *all* scripts, even disabled ones.
    This is a good way to peek at your compliance level if all scripts were enabled,
    and might be a good starting point.
 `--audit-all-enable-passed`
 :   Same as `--audit-all`, but in addition, will *modify* the individual scripts
    configurations to enable those which passed for your system.
    This is an easy way to enable scripts for which you're already compliant.
    However, please always review each activated script afterwards, this option
    should only be regarded as a way to kickstart a configuration from scratch.
    Don't run this if you have already customized the scripts enable/disable
    configurations, obviously.
 `--create-config-files-only`
 :   Create the config files in etc/conf.d
    Must be run as root, before running the audit with user secaudit
 `-set-hardening-level=level`
 :   Modifies the configuration to enable/disable tests given an hardening level,
    between 1 to 5. Don't run this if you have already customized the scripts
    enable/disable configurations.
    1: very basic policy, failure to pass tests at this level indicates severe
        misconfiguration of the machine that can have a huge security impact
    2: basic policy, some good practice rules that, once applied, shouldn't
        break anything on most systems
    3: best practices policy, passing all tests might need some configuration
        modifications (such as specific partitioning, etc.)
    4: high security policy, passing all tests might be time-consuming and
        require high adaptation of your workflow
    5: placebo, policy rules that might be very difficult to apply and maintain,
        with questionable security benefits
 `--allow-service=service`
 :   Use with `--set-hardening-level`.
    Modifies the policy to allow a certain kind of services on the machine, such
    as http, mail, etc. Can be specified multiple times to allow multiple services.
    Use --allow-service-list to get a list of supported services.
 # OPTIONS
 `--allow-service-list`
 :   Get a list of supported service.
 `--only test-number`
 :    Modifies the RUN_MODE to only work on the test_number script.
    Can be specified multiple times to work only on several scripts.
    The test number is the numbered prefix of the script,
    i.e. the test number of 1.2_script_name.sh is 1.2.
 `--sudo`
 :   This option lets you audit your system as a normal user, but allows sudo
    escalation to gain read-only access to root files. Note that you need to
    provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
    the -n option instructs sudo not to prompt for a password.
    Finally note that `--sudo` mode only works for audit mode.
 `--set-log-level=level`
 :   This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
    Default value is : info
 `--batch`
 :   While performing system audit, this option sets LOGLEVEL to 'ok' and
    captures all output to print only one line once the check is done, formatted like :
    OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
 `--allow-unsupported-distribution`
    Must be specified manually in the command line to allow the run on non compatible
    version or distribution. If you want to mute the warning change the LOGLEVEL
    in /etc/hardening.cfg
 # AUTHORS
 - Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
 - Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
 - Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 - Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
 # COPYRIGHT
 Copyright 2020 OVHcloud
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 # SEE ALSO
 - **Center for Internet Security**: https://www.cisecurity.org/
 - **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **Project repository**: https://github.com/ovh/debian-cis
--- a/README.md
+++ b/README.md
@ -1,44 +1,60 @@
-# CIS Debian 7/8/9 Hardening
+# :lock: CIS Debian 9/10 Hardening
-Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
-recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
+report issues if you find any!
 <p align="center">
      <img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
 </p>
 ![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
 ![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
 ![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
 ![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 ```console
 $ bin/hardening.sh --audit-all
 [...]
-hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
+hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
+6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
-13.15_check_duplicate_gid [INFO] Checking Configuration
+6.2.19_check_duplicate_gr [INFO] Checking Configuration
-13.15_check_duplicate_gid [INFO] Performing audit
+6.2.19_check_duplicate_gr [INFO] Performing audit
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
+6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
-13.15_check_duplicate_gid [ OK ] Check Passed
+6.2.19_check_duplicate_gr [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 191
+      Total Available Checks : 232
-         Total Runned Checks : 191
+         Total Runned Checks : 166
-         Total Passed Checks : [ 170/191 ]
+         Total Passed Checks : [ 142/166 ]
-         Total Failed Checks : [  21/191 ]
+         Total Failed Checks : [  24/166 ]
-   Enabled Checks Percentage : 100.00 %
+   Enabled Checks Percentage : 71.00 %
-       Conformity Percentage : 89.01 %
+       Conformity Percentage : 85.00 %
 ```
-## Quickstart
+## :dizzy: Quickstart
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
 $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
-$ bin/hardening/1.1_install_updates.sh --audit-all
+$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
-1.1_install_updates [INFO] Working on 1.1_install_updates
+hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
-1.1_install_updates [INFO] Checking Configuration
+1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
-1.1_install_updates [INFO] Performing audit
+1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
-1.1_install_updates [INFO] Checking if apt needs an update
+1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
-1.1_install_updates [INFO] Fetching upgrades ...
+1.1.1.1_disable_freevxfs  [INFO] Performing audit
-1.1_install_updates [ OK ] No upgrades available
+1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled
-1.1_install_updates [ OK ] Check Passed
+1.1.1.1_disable_freevxfs  [ OK ] Check Passed
 ```
-## Usage
+## :hammer: Usage
 ### Configuration
@ -72,7 +88,9 @@ This command has 2 main operation modes:
 - ``--audit``: Audit your system with all enabled and audit mode scripts
 - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
+Additionally, some options add more granularity:
 ``--audit-all`` can be used to force running all auditing scripts,
 including disabled ones. this will *not* change the system.
 ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,16 +98,36 @@ configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
-``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
+``--sudo``: audit your system as a normal user, but allow sudo escalation to read
 specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
 with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
 not prompt for a password.
-``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
+``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
 captures all output to print only one line once the check is done, formatted like :
 OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
-## Hacking
+``--only <check_number>``: run only the selected checks.
 ``--set-hardening-level``: run all checks that are lower or equal to the selected level.
 Do NOT use this option if you have already started to customize your configuration.
 ``--allow-service <service>``: use with --set-hardening-level. Modifies the policy 
 to allow a certain kind of services on the machine, such as http, mail, etc.
 Can be specified multiple times to allow multiple services.
 Use --allow-service-list to get a list of supported services.
 ``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
 Default value is : info
 ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
 before running the audit with user secaudit, to have the rights setup well on the conf files.
 ``--allow-unsupported-distribution``: must be specified manually in the command line to allow 
 the run on non compatible version or distribution. If you want to mute the warning change the
 LOGLEVEL in /etc/hardening.cfg
 ## :computer: Hacking
 **Getting the source**
@ -110,6 +148,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 ```
 Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
 If the check replace somehow one that is in the CIS specifications,
 you can use the numerotation of the check it replaces inplace. For example we check
 the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
 Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
 (part of OVHcloud security policy)
 Code your check explaining what it does then if you want to test
@ -117,7 +164,7 @@ Code your check explaining what it does then if you want to test
 $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 ```
-## Functional testing
+## :sparkles: Functional testing
 Functional tests are available. They are to be run in a Docker environment.
@ -125,7 +172,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
-With `target` being like `debian8` or `debian9`.
+With `target` being like `debian9` or `debian10`.
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@ -151,10 +198,49 @@ Functional tests can make use of the following helper functions :
 In order to write your own functional test, you will find a code skeleton in
 `./src/skel.test`.
-## Disclaimer
+Some tests ar labelled with a disclaimer warning that we only test on a blank host
 and that we will not test the apply function. It's because the check is very basic
 (like a package install) and that a test on it is not really necessary.
 Furthermore, some tests are disabled on docker because there not pertinent (kernel 
 modules, grub, partitions, ...)
 You can disable a check on docker with:
 ```bash
 if [ -f "/.dockerenv" ]; then
  skip "SKIPPED on docker"
 else
 ...
 fi
 ```
 ## :art: Coding style
 ### Shellcheck
 We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the 
 correctness of the scripts and to respect best practices.
 It can be used directly with the docker environnment to check all scripts 
 compliancy. By default it runs on every `.sh` it founds.
 ```console
 $ ./shellcheck/launch_shellcheck.sh [name of script...]
 ```
 ### Shellfmt
 We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a 
 consistent style in every script. 
 Identically to shellcheck, it can be run through a script with the following:
 ```console
 $ ./shellfmt/launch_shellfmt.sh
 ```
 It will automatically fix any styling problem on every script.
 ## :heavy_exclamation_mark: Disclaimer
 This project is a set of tools. They are meant to help the system administrator
-built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
+built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
@ -163,7 +249,7 @@ Additionally, quoting the License:
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
+> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -171,13 +257,11 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-## Reference
+## :satellite: Reference
 - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
+- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
 - **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
-## License
+## :page_facing_up: License
 3-Clause BSD
 Apache, Version 2.0
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -26,6 +26,8 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 usage() {
    cat <<EOF
@ -98,11 +100,20 @@ OPTIONS:
        the '-n' option instructs sudo not to prompt for a password.
        Finally note that '--sudo' mode only works for audit mode.
    --set-log-level <level>
        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
        Default value is : info
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
    --allow-unsupported-distribution
        Must be specified manually in the command line to allow the run on non compatible
        version or distribution. If you want to mute the warning change the LOGLEVEL
        in /etc/hardening.cfg
 EOF
    exit 0
 }
@ -143,6 +154,10 @@ while [[ $# -gt 0 ]]; do
        SET_HARDENING_LEVEL="$2"
        shift
        ;;
    --set-log-level)
        ASK_LOGLEVEL=$2
        shift
        ;;
    --only)
        TEST_LIST[${#TEST_LIST[@]}]="$2"
        shift
@ -152,7 +167,10 @@ while [[ $# -gt 0 ]]; do
        ;;
    --batch)
        BATCH_MODE='--batch'
-        LOGLEVEL=ok
+        ASK_LOGLEVEL=ok
        ;;
    --allow-unsupported-distribution)
        ALLOW_UNSUPPORTED_DISTRIBUTION=1
        ;;
    -h | --help)
        usage
@ -179,16 +197,53 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
-# shellcheck source=../lib/constants.sh
+
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=../lib/constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
-if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
+# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 if [ "$DISTRIBUTION" != "debian" ]; then
    echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
    if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
        echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
        echo "Exiting now"
        exit 100
    elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
        echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
        echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
    fi
 else
    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
        echo "Your debian version is deprecated and is no more maintained. Please upgrade to a supported version."
        if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
            echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
            echo "Exiting now"
            exit 100
        elif [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ] && [ "$MACHINE_LOG_LEVEL" -ge 2 ]; then
            echo "Be aware that the result given by this set of scripts can give you a false feedback of security on unsupported distributions, especially on deprecated ones !"
            echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
        fi
    fi
 fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
@ -294,7 +349,7 @@ if [ "$BATCH_MODE" ]; then
    BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
    BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
-        CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
    else
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@ -307,8 +362,8 @@ else
    printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
    printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-    ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
+    ENABLED_CHECKS_PERCENTAGE=$(div $((TOTAL_TREATED_CHECKS * 100)) $TOTAL_CHECKS)
-    CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
+    CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
    printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_HFS_FS"
-MODULE_FILE="hfs"
+MODULE_NAME="hfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
-MODULE_FILE="hfsplus"
+MODULE_NAME="hfsplus"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -17,31 +17,37 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_SQUASHFS"
-MODULE_FILE="squashfs"
+MODULE_NAME="squashfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
    :
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -17,28 +17,36 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_UDF_FS"
-MODULE_FILE="udf"
+MODULE_NAME="udf"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -24,6 +24,7 @@ MODULE_FILE="vfat"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    # TODO check if uefi enabled if yes check if only boot partition use FAT
    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
        crit "$KERNEL_OPTION is enabled!"
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -24,7 +24,11 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -24,7 +24,11 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -24,7 +24,11 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_USB_STORAGE"
-MODULE_FILE="usb-storage"
+MODULE_NAME="usb-storage"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        crit "$KERNEL_OPTION is enabled!"
+        ok "Container detected, consider host enforcing or disable this check!"
    else
-        ok "$KERNEL_OPTION is disabled"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_kernel_option_enabled "$KERNEL_OPTION"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
-        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+        ok "Container detected, consider host enforcing!"
    else
-        ok "$KERNEL_OPTION is disabled, nothing to do"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -66,22 +66,22 @@ check_config() {
    is_pkg_installed "grub-pc"
    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    does_user_exist "$USER"
    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
-        exit 128
+        exit 2
    fi
    does_group_exist "$GROUP"
    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
-        exit 128
+        exit 2
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -51,7 +51,6 @@ apply() {
    else
        ok "$PWD_PATTERN is present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
@ -59,11 +58,11 @@ check_config() {
    is_pkg_installed "grub-pc"
    if [ "$FNRET" != 0 ]; then
        warn "grub-pc is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -38,7 +38,6 @@ apply() {
    else
        ok "$PATTERN is not present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -35,31 +35,39 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" != 0 ]; then
+        ok "Container detected, cannot read dmesg!"
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
        fi
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
            else
                ok "NX is supported and enabled"
            fi
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" != 0 ]; then
+        ok "Container detected, cannot read dmesg!"
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
        fi
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
            else
                ok "NX is supported and enabled"
            fi
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
--- a/bin/hardening/1.6.4_restrict_core_dumps.sh
+++ b/bin/hardening/1.6.4_restrict_core_dumps.sh
@ -29,7 +29,7 @@ audit() {
    LIMIT_FILES=""
    if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
        for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
-            LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
+            LIMIT_FILES="$LIMIT_FILES $file"
        done
    fi
    debug "Files to search $LIMIT_FILE $LIMIT_FILES"
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGES are configured"
+        is_pkg_installed "grub-pc"
        if [ "$FNRET" != 0 ]; then
            if [ "$IS_CONTAINER" -eq 1 ]; then
                ok "Grub is not installed in container"
            else
                warn "Grub is not installed"
                exit 128
            fi
        else
            ERROR=0
            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
            # define custom IFS and save default one
            d_IFS=$IFS
            c_IFS=$'\n'
            IFS=$c_IFS
            for line in $RESULT; do
                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
                    crit "$line is not configured"
                    ERROR=1
                fi
            done
            IFS=$d_IFS
            if [ "$ERROR" = 0 ]; then
                ok "$PACKAGES are configured"
            fi
        fi
    fi
 }
@ -62,26 +76,35 @@ apply() {
        fi
    done
-    ERROR=0
+    is_pkg_installed "grub-pc"
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    if [ "$FNRET" != 0 ]; then
-
+        if [ "$IS_CONTAINER" -eq 1 ]; then
-    # define custom IFS and save default one
+            ok "Grub is not installed in container"
-    d_IFS=$IFS
+        else
-    c_IFS=$'\n'
+            warn "You should use grub. Install it yourself"
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
        $SUDO_CMD update-grub
    else
-        ok "$PACKAGES are configured"
+        ERROR=0
        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
        # define custom IFS and save default one
        d_IFS=$IFS
        c_IFS=$'\n'
        IFS=$c_IFS
        for line in $RESULT; do
            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
                crit "$line is not configured"
                ERROR=1
            fi
        done
        IFS=$d_IFS
        if [ $ERROR = 1 ]; then
            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
            $SUDO_CMD update-grub
        else
            ok "$PACKAGES are configured"
        fi
    fi
 }
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
            ok "No profiles are unconfined"
-    if [ -n "$RESULT_UNCONFINED" ]; then
+        else
-        ok "No profiles are unconfined"
+            crit "Some processes are unconfined while they have defined profile"
-
+        fi
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
 }
@ -46,6 +49,7 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
-    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+            ok "No profiles are unconfined"
        else
            crit "Some processes are unconfined while they have defined profile"
        fi
-    if [ -n "$RESULT_UNCONFINED" ]; then
+        if [ -n "$RESULT_COMPLAIN" ]; then
-        ok "No profiles are unconfined"
+            ok "No profiles are in complain mode"
-    else
+        else
-        crit "Some processes are unconfined while they have defined profile"
+            crit "Some processes are in complain mode"
-    fi
+        fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        crit "Some processes are in complain mode"
    fi
 }
@ -52,6 +55,7 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking netport ports opened"
+    is_pkg_installed net-tools
-    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    if [ "$FNRET" != 0 ]; then
-    RESULT=${RESULT:-}
+        warn "netsat not installed, cannot execute check"
-    debug "Result is $RESULT"
+        exit 2
    if [ -z "$RESULT" ]; then
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
-        info "Checking $RESULT"
+        info "Checking netport ports opened"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
+        RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
-            ok "MTA is configured to localhost only"
+        RESULT=${RESULT:-}
        debug "Result is $RESULT"
        if [ -z "$RESULT" ]; then
            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            crit "MTA listens worldwide"
+            info "Checking $RESULT"
            if grep -q "127.0.0.1" <<<"$RESULT"; then
                ok "MTA is configured to localhost only"
            else
                crit "MTA listens worldwide"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking netport ports opened"
+    is_pkg_installed net-tools
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    if [ "$FNRET" != 0 ]; then
-    RESULT=${RESULT:-}
+        warn "netsat not installed, cannot execute check"
-    debug "Result is $RESULT"
+        exit 2
    if [ -z "$RESULT" ]; then
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
-        info "Checking $RESULT"
+        info "Checking netport ports opened"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
+        RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
-            ok "MTA is configured to localhost only"
+        RESULT=${RESULT:-}
        debug "Result is $RESULT"
        if [ -z "$RESULT" ]; then
            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            warn "MTA listens worldwide, correct this considering your MTA"
+            info "Checking $RESULT"
            if grep -q "127.0.0.1" <<<"$RESULT"; then
                ok "MTA is configured to localhost only"
            else
                warn "MTA listens worldwide, correct this considering your MTA"
            fi
        fi
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/2.2.17_disable_nis.sh
+++ b/bin/hardening/2.2.17_disable_nis.sh
@ -17,14 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 PACKAGES='nis'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed!"
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge "$PACKAGE" -y
            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
    done
 }
 # This function will check config parameters required
--- a/bin/hardening/3.1.1_disable_ipv6.sh
+++ b/bin/hardening/3.1.1_disable_ipv6.sh
@ -21,29 +21,17 @@ SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ip
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+        crit "ipv6 is enabled"
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ "$FNRET" = 255 ]; then
                warn "$SYSCTL_PARAM does not exist -- Typo?"
            else
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
    if [ "$FNRET" != 0 ]; then
        ok "ipv6 is disabled"
    else
--- a/bin/hardening/3.3.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.3.1_disable_source_routed_packets.sh
@ -22,7 +22,7 @@ SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-        does_sysctl_param_exists "net.ipv6"
+        is_ipv6_enabled
        if [ "$FNRET" = 0 ] || [[ ! "$SYSCTL_VALUES" =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
--- a/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
@ -21,10 +21,8 @@ SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -38,15 +36,15 @@ audit() {
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    else
        ok "ipv6 disabled"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_sysctl_param_exists "net.ipv6"
+    is_ipv6_enabled
-    if [ "$FNRET" != 0 ]; then
+    if [ "$FNRET" = 0 ]; then
        ok "ipv6 is disabled"
    else
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
@ -62,6 +60,8 @@ apply() {
                ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
            fi
        done
    else
        ok "ipv6 disabled"
    fi
 }
--- a/bin/hardening/3.4.1_disable_dccp.sh
+++ b/bin/hardening/3.4.1_disable_dccp.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_NF_CT_PROTO_DCCP"
 MODULE_NAME="dccp"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_NF_CT_PROTO_SCTP"
 MODULE_NAME="sctp"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.3_disable_rds.sh
+++ b/bin/hardening/3.4.3_disable_rds.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_RDS"
 MODULE_NAME="rds"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.4_disable_tipc.sh
+++ b/bin/hardening/3.4.4_disable_tipc.sh
@ -17,14 +17,39 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
 KERNEL_OPTION="CONFIG_TIPC"
 MODULE_NAME="tipc"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Not implemented yet"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.1.3_audit_bootloader.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -18,8 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Collect use of privileged commands."
 # Find all files with setuid or setgid set
-SUDO_CMD='sudo -n'
+AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
 AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'
--- a/bin/hardening/4.2.1.2_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.1.2_enable_syslog-ng.sh
@ -17,29 +17,40 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure syslog-ng service is activated."
 PACKAGE='syslog-ng'
 SERVICE_NAME="syslog-ng"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking if $SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
-    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" != 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is not installed!"
        ok "$SERVICE_NAME is enabled"
    else
-        crit "$SERVICE_NAME is disabled"
+        info "Checking if $SERVICE_NAME is enabled"
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" = 0 ]; then
            ok "$SERVICE_NAME is enabled"
        else
            crit "$SERVICE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking if $SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
-        info "Enabling $SERVICE_NAME"
+        crit "$PACKAGE is not installed!"
        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
    else
-        ok "$SERVICE_NAME is enabled"
+        info "Checking if $SERVICE_NAME is enabled"
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" != 0 ]; then
            info "Enabling $SERVICE_NAME"
            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
        else
            ok "$SERVICE_NAME is enabled"
        fi
    fi
 }
--- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 # Note: this is not exacly the same check as the one described in CIS PDF
 PACKAGE='syslog-ng'
 PERMISSIONS=''
 USER=''
 GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+    is_pkg_installed "$PACKAGE"
-    for FILE in $FILES; do
+    if [ "$FNRET" != 0 ]; then
-        does_file_exist "$FILE"
+        crit "$PACKAGE is not installed!"
-        if [ "$FNRET" != 0 ]; then
+    else
-            warn "$FILE does not exist"
+        FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-        else
+        for FILE in $FILES; do
            does_file_exist "$FILE"
            if [ "$FNRET" != 0 ]; then
                warn "$FILE does not exist"
            else
                FOUND_EXC=0
                if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                    debug "$FILE is found in exceptions"
                    debug "Setting special user:group:perm"
                    FOUND_EXC=1
                    local user_bak="$USER"
                    local group_bak="$GROUP"
                    local perm_bak="$PERMISSIONS"
                    USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
                    GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
                    PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
                fi
                has_file_correct_ownership "$FILE" "$USER" "$GROUP"
                if [ "$FNRET" = 0 ]; then
                    ok "$FILE has correct ownership ($USER:$GROUP)"
                else
                    crit "$FILE ownership was not set to $USER:$GROUP"
                fi
                has_file_correct_permissions "$FILE" "$PERMISSIONS"
                if [ "$FNRET" = 0 ]; then
                    ok "$FILE has correct permissions ($PERMISSIONS)"
                else
                    crit "$FILE permissions were not set to $PERMISSIONS"
                fi
                if [ "$FOUND_EXC" = 1 ]; then
                    debug "Resetting user:group:perm"
                    USER="$user_bak"
                    GROUP="$group_bak"
                    PERMISSIONS="$perm_bak"
                fi
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        for FILE in $FILES; do
            does_file_exist "$FILE"
            if [ "$FNRET" != 0 ]; then
                info "$FILE does not exist"
                filedir=$(dirname "${FILE#/var/log/}")
                if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
                    debug "Creating /var/log/$filedir for $FILE"
                    debug "mkdir -p /var/log/$filedir"
                    mkdir -p /var/log/"$filedir"
                fi
                touch "$FILE"
            fi
            FOUND_EXC=0
-            if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+            if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                debug "$FILE is found in exceptions"
                debug "Setting special user:group:perm"
                FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
            fi
            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct ownership ($USER:$GROUP)"
+                ok "$FILE has correct ownership"
            else
-                crit "$FILE ownership was not set to $USER:$GROUP"
+                warn "fixing $FILE ownership to $USER:$GROUP"
                chown "$USER":"$GROUP" "$FILE"
            fi
            has_file_correct_permissions "$FILE" "$PERMISSIONS"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct permissions ($PERMISSIONS)"
+                ok "$FILE has correct permissions"
            else
-                crit "$FILE permissions were not set to $PERMISSIONS"
+                info "fixing $FILE permissions to $PERMISSIONS"
                chmod 0"$PERMISSIONS" "$FILE"
            fi
            if [ "$FOUND_EXC" = 1 ]; then
                debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
                GROUP="$group_bak"
                PERMISSIONS="$perm_bak"
            fi
-        fi
+        done
-    done
+    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for FILE in $FILES; do
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            info "$FILE does not exist"
            filedir=$(dirname "${FILE#/var/log/}")
            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
                debug "Creating /var/log/$filedir for $FILE"
                debug "mkdir -p /var/log/$filedir"
                mkdir -p /var/log/"$filedir"
            fi
            touch "$FILE"
        fi
        FOUND_EXC=0
        if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
            debug "$FILE is found in exceptions"
            debug "Setting special user:group:perm"
            FOUND_EXC=1
            local user_bak="$USER"
            local group_bak="$GROUP"
            local perm_bak="$PERMISSIONS"
            USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
            GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
            PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            warn "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
        if [ "$FOUND_EXC" = 1 ]; then
            debug "Resetting user:group:perm"
            USER="$user_bak"
            GROUP="$group_bak"
            PERMISSIONS="$perm_bak"
        fi
    done
 }
 # This function will create the config file for this check with default values
--- a/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
+++ b/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
@ -17,40 +17,52 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
 PACKAGE='syslog-ng'
 PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [ "$FOUND" = 1 ]; then
        ok "$PATTERN is present in $FILES"
    else
-        crit "$PATTERN is not present in $FILES"
+        FOUND=0
        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
        for FILE in $FILES; do
            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                FOUND=1
            fi
        done
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [ "$FOUND" = 1 ]; then
        ok "$PATTERN is present in $FILES"
    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        FOUND=0
        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
        for FILE in $FILES; do
            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                FOUND=1
            fi
        done
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
        fi
    fi
 }
--- a/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
+++ b/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
@ -17,64 +17,74 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
 PACKAGE='syslog-ng'
 REMOTE_HOST=""
 PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$REMOTE_HOST" ]]; then
        info "This is the remote host, checking that it only accepts logs from specified zone"
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES"
        fi
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
+        FOUND=0
-        if [ "$FOUND" = 1 ]; then
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-            crit "$PATTERN is present in $FILES"
+        for FILE in $FILES; do
-        else
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-            ok "$PATTERN is not present in $FILES"
+            if [ "$FNRET" = 0 ]; then
-        fi
+                FOUND=1
            fi
        done
        if [[ "$REMOTE_HOST" ]]; then
            info "This is the remote host, checking that it only accepts logs from specified zone"
            if [ "$FOUND" = 1 ]; then
                ok "$PATTERN is present in $FILES"
            else
                crit "$PATTERN is not present in $FILES"
            fi
        else
            info "This is the not the remote host checking that it doesn't accept remote logs"
            if [ "$FOUND" = 1 ]; then
                crit "$PATTERN is present in $FILES"
            else
                ok "$PATTERN is not present in $FILES"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$REMOTE_HOST" ]]; then
        info "This is the remote host, checking that it only accepts logs from specified zone"
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
        fi
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
+        FOUND=0
-        if [ "$FOUND" = 1 ]; then
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-            warn "$PATTERN is present in $FILES, "
+        for FILE in $FILES; do
-        else
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-            ok "$PATTERN is not present in $FILES"
+            if [ "$FNRET" = 0 ]; then
-        fi
+                FOUND=1
            fi
        done
        if [[ "$REMOTE_HOST" ]]; then
            info "This is the remote host, checking that it only accepts logs from specified zone"
            if [ "$FOUND" = 1 ]; then
                ok "$PATTERN is present in $FILES"
            else
                crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
            fi
        else
            info "This is the not the remote host checking that it doesn't accept remote logs"
            if [ "$FOUND" = 1 ]; then
                warn "$PATTERN is present in $FILES, "
            else
                ok "$PATTERN is not present in $FILES"
            fi
        fi
    fi
 }
--- a/bin/hardening/4.2.2.1_journald_logs.sh
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 FILE='/etc/systemd/journald.conf'
-OPTIONS='ForwardToSyslog=yes'
+OPTIONS='ForwardToSyslog=no'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -34,9 +34,9 @@ audit() {
            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
            else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
            fi
        done
    fi
@ -57,18 +57,18 @@ apply() {
        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
+        if [ "$FNRET" = 0 ]; then
-            warn "$PATTERN is not present in $FILE, adding it"
+            warn "$PATTERN is present in $FILE, deleting it"
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
            fi
        else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
        fi
    done
 }
--- a/bin/hardening/4.2.2.2_journald_compress.sh
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 FILE='/etc/systemd/journald.conf'
-OPTIONS='Compress=yes'
+OPTIONS='Compress=no'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -34,9 +34,9 @@ audit() {
            debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
-                crit "$PATTERN is not present in $FILE"
+                ok "$PATTERN is not present in $FILE"
            else
-                ok "$PATTERN is present in $FILE"
+                crit "$PATTERN is present in $FILE"
            fi
        done
    fi
@ -57,18 +57,18 @@ apply() {
        debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
        PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
-        if [ "$FNRET" != 0 ]; then
+        if [ "$FNRET" = 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=yes"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=yes"
            fi
        else
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN is not present in $FILE"
        fi
    done
 }
--- a/bin/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
@ -62,7 +62,7 @@ apply() {
            does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
            if [ "$FNRET" != 0 ]; then
                info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
-                add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+                add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"
            else
                info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@ -24,17 +24,22 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        crit "$FILE does not exist"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -44,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -24,17 +24,22 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        crit "$FILE does not exist"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -44,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -24,17 +24,22 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        crit "$FILE does not exist"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -44,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -24,17 +24,22 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        crit "$FILE does not exist"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -44,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -24,17 +24,22 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        crit "$FILE does not exist"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -44,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.8_cron_users.sh
+++ b/bin/hardening/5.1.8_cron_users.sh
@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
 FILES_ABSENT='/etc/cron.deny /etc/at.deny'
 FILES_PRESENT='/etc/cron.allow /etc/at.allow'
 PERMISSIONS='644'
 PERMISSIONSOK='644 640 600 440 400'
 USER='root'
 GROUP='root'
@ -36,7 +37,7 @@ audit() {
    for FILE in $FILES_PRESENT; do
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
-            crit "$FILE is absent"
+            crit "$FILE is absent, should exist"
        else
            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
            if [ "$FNRET" = 0 ]; then
@ -44,7 +45,7 @@ audit() {
            else
                crit "$FILE ownership was not set to $USER:$GROUP"
            fi
-            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
            if [ "$FNRET" = 0 ]; then
                ok "$FILE has correct permissions"
            else
@ -68,7 +69,7 @@ apply() {
    for FILE in $FILES_PRESENT; do
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
-            warn "$FILE is absent"
+            warn "$FILE is absent, fixing (touch)"
            touch "$FILE"
        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
@ -78,7 +79,7 @@ apply() {
            warn "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.14_ssh_cry_mac.sh
+++ b/bin/hardening/5.2.14_ssh_cry_mac.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
@ -78,7 +78,7 @@ create_config() {
    cat <<EOF
 status=audit
 # Put your MACs
-OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
+OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 EOF
 }
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
@ -73,15 +73,12 @@ apply() {
 }
 create_config() {
    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
+    if [[ 7 -le "$DEB_MAJ_VER" ]]; then
        KEX='diffie-hellman-group-exchange-sha256'
    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    else
-        KEX='diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
    fi
    set -u
    cat <<EOF
@ -89,6 +86,7 @@ status=audit
 # Put your KexAlgorithms
 OPTIONS="KexAlgorithms=$KEX"
 EOF
 }
 # This function will check config parameters required
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@ -25,7 +25,7 @@ audit() {
    OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.19_ssh_banner.sh
+++ b/bin/hardening/5.2.19_ssh_banner.sh
@ -25,7 +25,7 @@ audit() {
    OPTIONS="Banner=$BANNER_FILE"
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
+++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
@ -17,6 +17,7 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
 PACKAGE='openssh-server'
 FILE='/etc/ssh/sshd_config'
 PERMISSIONS='600'
 USER='root'
@ -24,40 +25,50 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        ok "$PACKAGE is not installed!"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist "$FILE"
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
+        ok "$PACKAGE is not installed"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        does_file_exist "$FILE"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" != 0 ]; then
-    fi
+            info "$FILE does not exist"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            touch "$FILE"
-    if [ "$FNRET" = 0 ]; then
+        fi
-        ok "$FILE has correct permissions"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    else
+        if [ "$FNRET" = 0 ]; then
-        info "fixing $FILE permissions to $PERMISSIONS"
+            ok "$FILE has correct ownership"
-        chmod 0"$PERMISSIONS" "$FILE"
+        else
            warn "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.2.20_enable_ssh_pam.sh
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.5_sshd_loglevel.sh
+++ b/bin/hardening/5.2.5_sshd_loglevel.sh
@ -26,7 +26,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@ -18,8 +18,8 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 PACKAGE='libpam-modules-bin'
-PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so'
-PATTERN_ACCOUNT='pam_tally[2]?\.so'
+PATTERN_ACCOUNT='pam_((tally[2]?)|(faillock))\.so'
 FILE_AUTH='/etc/pam.d/common-auth'
 FILE_ACCOUNT='/etc/pam.d/common-account'
@ -59,14 +59,22 @@ apply() {
        ok "$PATTERN_AUTH is present in $FILE_AUTH"
    else
        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
        else
            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
        fi
    fi
    does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
    else
        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally.so" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
        else
            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
        fi
    fi
 }
--- a/bin/hardening/99.1.1.23_disable_usb_devices.sh
+++ b/bin/hardening/99.1.1.23_disable_usb_devices.sh
@ -13,6 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 USER='root'
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="USB devices are disabled."
--- a/bin/hardening/99.1.3_acc_sudoers_no_all.sh
+++ b/bin/hardening/99.1.3_acc_sudoers_no_all.sh
@ -12,6 +12,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)."
--- a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
+++ b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        ok "$FILE exist"
-    fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
-        ok "$FILE has correct ownership"
+        else
-    else
+            crit "$FILE permissions were not set to $PERMISSIONS"
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist"
        touch "$FILE"
        warn "You may want to fill it with allowed networks"
    else
        ok "$FILE exist"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
+++ b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        ok "$FILE exist"
-    fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
-        ok "$FILE has correct ownership"
+        else
-    else
+            crit "$FILE permissions were not set to $PERMISSIONS"
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist"
        touch "$FILE"
        warn "You may want to fill it with allowed networks"
    else
        ok "$FILE exist"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh
+++ b/bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh
@ -25,7 +25,7 @@ OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthen
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]]; then
        set -u
        crit "Cannot get Debian version. Aborting..."
        return
    fi
-    if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
        set -u
        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
        return
@ -40,7 +39,7 @@ audit() {
    set -u
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/99.5.2.3_ssh_disable_features.sh
+++ b/bin/hardening/99.5.2.3_ssh_disable_features.sh
@ -13,6 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check all special features in sshd_config are disabled"
@ -24,7 +25,7 @@ OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwardin
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh
@ -12,6 +12,8 @@
 set -e # One error, it is over
 set -u # One variable unset, it is over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available."
--- a/bin/hardening/99.5.2.5_ssh_strict_modes.sh
+++ b/bin/hardening/99.5.2.5_ssh_strict_modes.sh
@ -13,7 +13,9 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
-DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable)  before connecting."
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting."
 PACKAGE='openssh-server'
 OPTIONS='StrictModes=yes'
@ -23,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/99.5.2.6_ssh_sys_accept_env.sh
+++ b/bin/hardening/99.5.2.6_ssh_sys_accept_env.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
--- a/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh
+++ b/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh
@ -12,8 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed"
 # shellcheck disable=2034
 SERVICES="rlogin rlogind rcp"
--- a/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh
+++ b/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh
@ -25,7 +25,7 @@ FILE='/etc/ssh/sshd_config'
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        ok "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
--- a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
+++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
@ -6,14 +6,16 @@
 #
 #
-# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# 99.5.4.5.1 Check that any password that will be created will be SHA512 hashed and salted
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Check that any password that will be created will be SHA512 hashed and salted"
 CONF_FILE="/etc/login.defs"
 CONF_LINE="ENCRYPT_METHOD SHA512"
--- a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@ -12,6 +12,8 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
 FILE="/etc/shadow"
--- a/bin/hardening/99.99_check_distribution.sh
+++ b/bin/hardening/99.99_check_distribution.sh
@ -0,0 +1,65 @@
 #!/bin/bash
 # run-shellcheck
 #
 # OVH Security audit
 #
 #
 # 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Check the distribution and the distribution version"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$DISTRIBUTION" != "debian" ]; then
        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
    else
        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
            crit "Your distribution is too recent and is not yet supported."
        elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
            crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
        else
            ok "Your distribution is debian and the version is supported"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
    echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,39 @@
 cis-hardening (3.1-1) unstable; urgency=medium
  * Various mispeling fixes
  * Fix div function that causes a display bug when runnin test with --only
  * Fix 4.1.1.4 bad pattern bug
  * Fix 5.4.2.2
  * Various verification that package is installed or file exist before running check (openssh, apparmor, crontab)
 -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 25 Mar 2021 14:59:49 +0100
 cis-hardening (3.1-0) unstable; urgency=medium
  * Add missing HARDENING_LEVEL var for some checks
  * Add dealing with debian 11
  * Add warning for unsupported distributions and debian version
  * Remove bc dependency
  * Add 1.8.1-4 comprehensive tests
  * Add 3.1-3.x comprehensive tests
  * Add missing 3.4.x checks and tests (exotic protocol)
  * Add environment detection (container)
  * Improve kernel module detection
  * Improve partition detection
  * Add cli option to override loglevel
  * Improve 5.1.8 to allow more restrictive permissions
  * Upgrade mac and key to be debian10 CIS compliant
  * Fix path in 1.6.4
 -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 22 Feb 2021 8:30:01 +0100
 cis-hardening (3.0-1) unstable; urgency=medium
  * Add workflows for github action
  * Update man page and README.md
 -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 18 Jan 2021 09:01:28 +0100
 cis-hardening (3.0) unstable; urgency=medium
  * Migration to debian10 numbering
--- a/debian/cis-hardening.8
+++ b/debian/cis-hardening.8
@ -1,156 +1,180 @@
-.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
+.\" Automatically generated by Pandoc 2.6
 .\"
 .TH "CIS-HARDENING" "8" "2016" "" ""
 .hy
 .SH NAME
 cis-hardening - CIS Debian 7/8/9 Hardening
 .PP
 cis-hardening - CIS Debian 9/10 Hardening
 .SH SYNOPSIS
 .PP
 \f[B]hardening.sh\f[R] RUN_MODE OPTIONS
 .SH DESCRIPTION
 .PP
-Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
+Modular Debian 9/10 security hardening scripts based on the CIS
-recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
+(https://www.cisecurity.org) recommendations.
 .PP
-.RS
+We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
-.nf
+infrastructure.
-$ bin/hardening.sh \-\-audit\-all
+.SH SCRIPTS CONFIGURATION
-[...]
+.PP
-hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
+Hardening scripts are in \f[C]bin/hardening\f[R].
-13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
+Each script has a corresponding configuration file in
-13.15_check_duplicate_gid [INFO] Checking Configuration
+\f[C]etc/conf.d/[script_name].cfg\f[R].
-13.15_check_duplicate_gid [INFO] Performing audit
+.PP
-13.15_check_duplicate_gid [ OK ] No duplicate GIDs
+Each hardening script can be individually enabled from its configuration
-13.15_check_duplicate_gid [ OK ] Check Passed
+file.
-[...]
+For example, this is the default configuration file for
-################### SUMMARY ###################
+\f[C]disable_system_accounts\f[R]:
-      Total Available Checks : 191
+.IP
         Total Runned Checks : 191
         Total Passed Checks : [ 170/191 ]
         Total Failed Checks : [  21/191 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 89.01 %
 .fi
 .RE
 .SH Quickstart
 .PP
 .RS
 .nf
 $ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
 $ cp debian/default /etc/default/cis\-hardening
 $ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
 $ bin/hardening/1.1_install_updates.sh \-\-audit\-all
 1.1_install_updates [INFO] Working on 1.1_install_updates
 1.1_install_updates [INFO] Checking Configuration
 1.1_install_updates [INFO] Performing audit
 1.1_install_updates [INFO] Checking if apt needs an update
 1.1_install_updates [INFO] Fetching upgrades ...
 1.1_install_updates [ OK ] No upgrades available
 1.1_install_updates [ OK ] Check Passed
 .fi
 .RE
 .SH Usage
 .SS Configuration
 .PP
 Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
 configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
 .PP
 Each hardening script can be individually enabled from its configuration file.
 For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
 .PP
 .RS
 .nf
 \f[C]
 # Configuration for script of same name
 status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
-EXCEPTIONS=""
+EXCEPTIONS=\[dq]\[dq]
 \f[R]
 .fi
 .RE
 .PP
-\fB\fCstatus\fR parameter may take 3 values:
+\f[B]status\f[R] parameter may take 3 values:
-     \fB\fCdisabled\fR (do nothing): The script will not run.
+.IP \[bu] 2
-     \fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
+\f[C]disabled\f[R] (do nothing): The script will not run.
-     \fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
+.IP \[bu] 2
 \f[C]audit\f[R] (RO): The script will check if any change should be
 applied.
 .IP \[bu] 2
 \f[C]enabled\f[R] (RW): The script will check if any change should be
 done and automatically apply what it can.
 .PP
-Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
+Global configuration is in \f[C]etc/hardening.cfg\f[R].
-as well as the backup directory. Whenever a script is instructed to edit a file, it
+This file controls the log level as well as the backup directory.
-will create a timestamped backup in this directory.
+Whenever a script is instructed to edit a file, it will create a
-.SS Run aka "Harden your distro"
+timestamped backup in this directory.
 .SH RUN MODE
 .TP
 .B \f[C]-h\f[R], \f[C]--help\f[R]
 Display a friendly help message.
 .TP
 .B \f[C]--apply\f[R]
 Apply hardening for enabled scripts.
 Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
 warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
 a dry-run mode.
 .TP
 .B \f[C]--audit\f[R]
 Audit configuration for enabled scripts.
 No modification will be made on the system, we\[cq]ll only report on
 your system compliance for each script.
 .TP
 .B \f[C]--audit-all\f[R]
 Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
 ones.
 This is a good way to peek at your compliance level if all scripts were
 enabled, and might be a good starting point.
 .TP
 .B \f[C]--audit-all-enable-passed\f[R]
 Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
 the individual scripts configurations to enable those which passed for
 your system.
 This is an easy way to enable scripts for which you\[cq]re already
 compliant.
 However, please always review each activated script afterwards, this
 option should only be regarded as a way to kickstart a configuration
 from scratch.
 Don\[cq]t run this if you have already customized the scripts
 enable/disable configurations, obviously.
 .TP
 .B \f[C]--create-config-files-only\f[R]
 Create the config files in etc/conf.d Must be run as root, before
 running the audit with user secaudit
 .TP
 .B \f[C]-set-hardening-level=level\f[R]
 Modifies the configuration to enable/disable tests given an hardening
 level, between 1 to 5.
 Don\[cq]t run this if you have already customized the scripts
 enable/disable configurations.
 1: very basic policy, failure to pass tests at this level indicates
 severe misconfiguration of the machine that can have a huge security
 impact 2: basic policy, some good practice rules that, once applied,
 shouldn\[cq]t break anything on most systems 3: best practices policy,
 passing all tests might need some configuration modifications (such as
 specific partitioning, etc.) 4: high security policy, passing all tests
 might be time-consuming and require high adaptation of your workflow 5:
 placebo, policy rules that might be very difficult to apply and
 maintain, with questionable security benefits
 .TP
 .B \f[C]--allow-service=service\f[R]
 Use with \f[C]--set-hardening-level\f[R].
 Modifies the policy to allow a certain kind of services on the machine,
 such as http, mail, etc.
 Can be specified multiple times to allow multiple services.
 Use \[en]allow-service-list to get a list of supported services.
 .SH OPTIONS
 .TP
 .B \f[C]--allow-service-list\f[R]
 Get a list of supported service.
 .TP
 .B \f[C]--only test-number\f[R]
 Modifies the RUN_MODE to only work on the test_number script.
 Can be specified multiple times to work only on several scripts.
 The test number is the numbered prefix of the script, i.e.\ the test
 number of 1.2_script_name.sh is 1.2.
 .TP
 .B \f[C]--sudo\f[R]
 This option lets you audit your system as a normal user, but allows sudo
 escalation to gain read-only access to root files.
 Note that you need to provide a sudoers file with NOPASSWD option in
 /etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
 password.
 Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
 .TP
 .B \f[C]--set-log-level=level\f[R]
 This option sets LOGLEVEL, you can choose : info, warning, error, ok,
 debug.
 Default value is : info
 .TP
 .B \f[C]--batch\f[R]
 While performing system audit, this option sets LOGLEVEL to `ok' and
 captures all output to print only one line once the check is done,
 formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
 .PP
-To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
+\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
 the command line to allow the run on non compatible version or
 distribution.
 If you want to mute the warning change the LOGLEVEL in
 /etc/hardening.cfg
 .SH AUTHORS
 .IP \[bu] 2
 Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
 .IP \[bu] 2
 St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
 .IP \[bu] 2
 Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
 .IP \[bu] 2
 Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
 .SH COPYRIGHT
 .PP
-This command has 2 main operation modes:
+Copyright 2020 OVHcloud
     \fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
     \fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
 .PP
-Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
+Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
-including disabled ones. this will \fInot\fP change the system.
+you may not use this file except in compliance with the License.
-.PP
+You may obtain a copy of the License at
-\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
+.IP
 configuration. It will run all scripts in audit mode. If a script passes,
 it will automatically be enabled for future runs. Do NOT use this option
 if you have already started to customize your configuration.
 .SH Hacking
 .PP
 \fBGetting the source\fP
 .PP
 .RS
 .nf
-$ git clone https://github.com/ovh/debian\-cis.git
+\f[C]
   http://www.apache.org/licenses/LICENSE-2.0
 \f[R]
 .fi
 .RE
 .PP
-\fBBuilding a debian Package\fP (the hacky way)
+Unless required by applicable law or agreed to in writing, software
-.PP
+distributed under the License is distributed on an \[lq]AS IS\[rq]
-.RS
+BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-.nf
+implied.
-$ debuild \-us \-uc
+See the License for the specific language governing permissions and
-.fi
+limitations under the License.
-.RE
+# SEE ALSO
-.PP
+.IP \[bu] 2
-\fBAdding a custom hardening script\fP
+\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
-.PP
+.IP \[bu] 2
-.RS
+\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
-.nf
+.IP \[bu] 2
-$ cp src/skel bin/hardening/99.99_custom_script.sh
+\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
 $ chmod +x bin/hardening/99.99_custom_script.sh
 $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
 .fi
 .RE
 .PP
 Code your check explaining what it does then if you want to test
 .PP
 .RS
 .nf
 $ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
 $ ./bin/hardening/99.99_custom_script.sh
 .fi
 .RE
 .SH Disclaimer
 .PP
 This project is a set of tools. They are meant to help the system administrator
 built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 .PP
 Additionally, quoting the License:
 .PP
 .RS
 THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
 DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .RE
 .SH Reference
 .PP
 .RS
 .nf
 **Center for Internet Security**: https://www.cisecurity.org/
 **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
 **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
 .fi
 .RE
 .SH License
 .PP
 3\-Clause BSD
--- a/debian/compat
+++ b/debian/compat
@ -1 +1 @@
-8
+9
--- a/debian/control
+++ b/debian/control
@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, bc, patch
+Depends: ${misc:Depends}, patch
 Description: Suite of configurable scripts to audit or harden a Debian.
 Modular Debian security hardening scripts based on cisecurity.org
 ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
--- a/lib/common.sh
+++ b/lib/common.sh
@ -112,3 +112,24 @@ sudo_wrapper() {
        crit "Not allowed to \"sudo -n $*\" "
    fi
 }
 #
 # Math functions
 #
 div() {
    local _d=${3:-2}
    local _n=0000000000
    _n=${_n:0:$_d}
    if (($1 == 0)); then
        echo "0"
        return
    fi
    if (($2 == 0)); then
        echo "N.A"
        return
    fi
    local _r=$(($1$_n / $2))
    _r=${_r:0:-$_d}.${_r: -$_d}
    echo $_r
 }
--- a/lib/constants.sh
+++ b/lib/constants.sh
@ -31,3 +31,32 @@ BGREEN='\033[1;32m' # Green
 BYELLOW='\033[1;33m' # Yellow
 # shellcheck disable=2034
 BWHITE='\033[1;37m' # White
 # Debian version variables
 CONTAINER_TYPE=""
 IS_CONTAINER=0
 if [ "$(is_running_in_container "docker")" != "" ]; then
    CONTAINER_TYPE="docker"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "lxc")" != "" ]; then
    CONTAINER_TYPE="lxc"
    IS_CONTAINER=1
 fi
 if [ "$(is_running_in_container "kubepods")" != "" ]; then
    # shellcheck disable=SC2034
    CONTAINER_TYPE="kubepods"
    # shellcheck disable=SC2034
    IS_CONTAINER=1
 fi
 get_distribution
 get_debian_major_version
 # shellcheck disable=SC2034
 SMALLEST_SUPPORTED_DEBIAN_VERSION=9
 # shellcheck disable=SC2034
 HIGHEST_SUPPORTED_DEBIAN_VERSION=10
--- a/lib/main.sh
+++ b/lib/main.sh
@ -10,14 +10,15 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
-# shellcheck source=constants.sh
+
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
 [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
 # shellcheck source=constants.sh
 [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
 # Environment Sanitizing
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -46,6 +46,30 @@ set_sysctl_param() {
    fi
 }
 #
 # IPV6
 #
 is_ipv6_enabled() {
    SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
    does_sysctl_param_exists "net.ipv6"
    local ENABLE=1
    if [ "$FNRET" = 0 ]; then
        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
            if [ "$FNRET" != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
                ENABLE=0
            fi
        done
    fi
    FNRET=$ENABLE
 }
 #
 # Dmesg
 #
@ -295,43 +319,90 @@ is_service_enabled() {
 is_kernel_option_enabled() {
    local KERNEL_OPTION="$1"
    local MODULE_NAME=""
    local MODPROBE_FILTER=""
    local RESULT=""
    local IS_MONOLITHIC_KERNEL=1
    local DEF_MODULE=""
    if [ $# -ge 2 ]; then
        MODULE_NAME="$2"
    fi
-    if $SUDO_CMD [ -r "/proc/config.gz" ]; then
+
-        RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
+    if [ $# -ge 3 ]; then
-    elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
+        MODPROBE_FILTER="$3"
        RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
    fi
    ANSWER=$(cut -d = -f 2 <<<"$RESULT")
    if [ "x$ANSWER" = "xy" ]; then
        debug "Kernel option $KERNEL_OPTION enabled"
        FNRET=0
    elif [ "x$ANSWER" = "xn" ]; then
        debug "Kernel option $KERNEL_OPTION disabled"
        FNRET=1
    else
        debug "Kernel option $KERNEL_OPTION not found"
        FNRET=2 # Not found
    fi
-    if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
+    debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
-        # also check in modules, because even if not =y, maybe
+    if $SUDO_CMD lsmod >/dev/null 2>&1; then
-        # the admin compiled it separately later (or out-of-tree)
+        IS_MONOLITHIC_KERNEL=0
-        # as a module (regardless of the fact that we have =m or not)
+    fi
-        debug "Checking if we have $MODULE_NAME.ko"
+
-        local modulefile
+    if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
-        modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
+        if $SUDO_CMD [ -r "/proc/config.gz" ]; then
-        if $SUDO_CMD [ -n "$modulefile" ]; then
+            RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
-            debug "We do have $modulefile!"
+        elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
-            # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
+            RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
-            if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
+        else
-                debug "... but it's blacklisted!"
+            debug "No information about kernel found, you're probably in a container"
-                FNRET=1 # Not found (found but blacklisted)
+            FNRET=127
-                # FIXME: even if blacklisted, it might be present in the initrd and
+            return
-                # be insmod from there... but painful to check :/ maybe lsmod would be enough ?
+        fi
        ANSWER=$(cut -d = -f 2 <<<"$RESULT")
        if [ "x$ANSWER" = "xy" ]; then
            debug "Kernel option $KERNEL_OPTION enabled"
            FNRET=0
        elif [ "x$ANSWER" = "xn" ]; then
            debug "Kernel option $KERNEL_OPTION disabled"
            FNRET=1
        else
            debug "Kernel option $KERNEL_OPTION not found"
            FNRET=2 # Not found
        fi
        if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
            # also check in modules, because even if not =y, maybe
            # the admin compiled it separately later (or out-of-tree)
            # as a module (regardless of the fact that we have =m or not)
            debug "Checking if we have $MODULE_NAME.ko"
            local modulefile
            modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
            if $SUDO_CMD [ -n "$modulefile" ]; then
                debug "We do have $modulefile!"
                # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
                if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
                    debug "... but it's blacklisted!"
                    FNRET=1 # Not found (found but blacklisted)
                fi
                # ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
                if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
                    debug "... but it's override!"
                    FNRET=1 # Not found (found but override)
                fi
                FNRET=0 # Found!
            fi
-            FNRET=0 # Found!
+        fi
    else
        if [ "$MODPROBE_FILTER" != "" ]; then
            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
        else
            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
        fi
        if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
            debug "$MODULE_NAME is disabled (blacklist with override)"
            FNRET=1
        elif [ "$DEF_MODULE" == "" ]; then
            debug "$MODULE_NAME is disabled"
            FNRET=1
        else
            debug "$MODULE_NAME is enabled"
            FNRET=0
        fi
        if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
            debug "$MODULE_NAME is enabled"
            FNRET=0
        fi
    fi
 }
@ -344,12 +415,20 @@ is_kernel_option_enabled() {
 is_a_partition() {
    local PARTITION=$1
    FNRET=128
-    if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
+    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
-        debug "$PARTITION found in fstab"
+        debug "/etc/fstab not found or empty, searching mountpoint"
-        FNRET=0
+        if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
            FNRET=0
        fi
    else
-        debug "Unable to find $PARTITION in fstab"
+        if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
-        FNRET=1
+            debug "$PARTITION found in fstab"
            FNRET=0
        else
            debug "Unable to find $PARTITION in fstab"
            FNRET=1
        fi
    fi
 }
@ -369,18 +448,23 @@ is_mounted() {
 has_mount_option() {
    local PARTITION=$1
    local OPTION=$2
-    if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
+    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
-        local actual_partition
+        debug "/etc/fstab not found or empty, readin current mount options"
-        actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
+        has_mounted_option "$PARTITION" "$OPTION"
        debug "$PARTITION is a bind mount of $actual_partition"
        PARTITION="$actual_partition"
    fi
    if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
        debug "$OPTION has been detected in fstab for partition $PARTITION"
        FNRET=0
    else
-        debug "Unable to find $OPTION in fstab for partition $PARTITION"
+        if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
-        FNRET=1
+            local actual_partition
            actual_partition="$(grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $1}')"
            debug "$PARTITION is a bind mount of $actual_partition"
            PARTITION="$actual_partition"
        fi
        if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
            debug "$OPTION has been detected in fstab for partition $PARTITION"
            FNRET=0
        else
            debug "Unable to find $OPTION in fstab for partition $PARTITION"
            FNRET=1
        fi
    fi
 }
@ -478,9 +562,33 @@ get_debian_major_version() {
    DEB_MAJ_VER=""
    does_file_exist /etc/debian_version
    if [ "$FNRET" = 0 ]; then
-        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+        if grep -q "sid" /etc/debian_version; then
            DEB_MAJ_VER="sid"
        else
            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
        fi
    else
        # shellcheck disable=2034
        DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)
    fi
 }
 # Returns the distribution
 get_distribution() {
    DISTRIBUTION=""
    if [ -f /etc/os-release ]; then
        # shellcheck disable=2034
        DISTRIBUTION=$(grep "^ID=" /etc/os-release | sed 's/ID=//' | tr '[:upper:]' '[:lower:]')
        FNRET=0
    else
        debug "Distribution not found !"
        FNRET=127
    fi
 }
 # Detect if container based on cgroup detection
 is_running_in_container() {
    awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thibault Ayanides	cbd81b8ab2	Update changelog (#82 )	2021-03-26 12:16:50 +01:00
Thibault Ayanides	1c51e4cec4	Check that package are installed before launching check (#69 ) * FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-03-25 14:01:57 +01:00
Thibault Ayanides	f8ac58700d	FIX(4.1.1.4): bad pattern (#67 ) fix #61	2021-03-25 13:50:08 +01:00
Thibault Ayanides	1c1393c7e3	Fix div function to manage 0 on numerator (#79 ) fix #77 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-03-23 08:36:36 +01:00
Thibault Ayanides	c50f200c5c	FIX(5.4.5.2): explicit sha512 fix #74	2021-03-22 15:22:50 +01:00
Simão Gomes Viana	c0ecc9cd6f	README: fix spelling and spacing in first line	2021-03-19 08:36:31 +01:00
Thibault Ayanides	fb5be208ef	Update changelog	2021-03-15 08:25:26 +01:00
jeremydenoun	b44fb47c3a	add log details to be more comprehensive (#49 ) Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-02-17 12:04:11 +01:00
jeremydenoun	84ac4db90f	fix incorrect path from ls (#45 ) Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-02-17 12:00:13 +01:00
Thibault Ayanides	40fb536d4e	Add missing HARDENING_LEVEL (#44 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-02-17 11:51:51 +01:00
Thibault Ayanides	d1b371f410	Add is_ipv6_disabled (#57 ) Modify some checks to make it pass when ipv6 is diabled fix #50 modified: bin/hardening/3.1.1_disable_ipv6.sh modified: bin/hardening/3.3.1_disable_source_routed_packets.sh modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh modified: lib/utils.sh Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-02-17 11:45:20 +01:00
Thibault Ayanides	6ab1cab3ce	IMP(5.1.8): allow more restrictive permissions (#59 ) fix #52 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-02-17 11:40:31 +01:00
Thibault Ayanides	1a7dd5893a	Use pam_faillock instead of pam_tally for bullseye (#56 ) Fix #55 See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0 pam_tally is deprecated and replaced by pam_faillock Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-02-17 11:36:58 +01:00
Thibault Ayanides	fa111bc0d0	Update mac and kex to match debian10 CIS (#60 ) fix #53 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-02-17 11:31:22 +01:00
Thibault Ayanides	460843ffb3	Fix #51 (#58 )	2021-02-17 11:19:38 +01:00
jeremydenoun	896d277d95	fix #46 bug (#47 ) Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-02-11 14:00:18 +01:00
Thibault Ayanides	6ae05f3fa2	Add dealing with debian 11 * ADD: add dockerfile for debian11 * FIX: fix crontab file not found on debian11 blank * Add workflow for debian11 * FIX: fix debian version func to manage debian11 * Add dealing with unsupported version and distro * Add 99.99 check that check if distro version is supported * Use global var for debian major and distro fix #26	2021-02-08 13:54:24 +01:00
Thibault Ayanides	449c695415	IMP: improve partition detection in container fix #27	2021-02-08 09:07:09 +01:00
dependabot[bot]	2d6550fb13	Bump dev-drprasad/delete-tag-and-release from v0.1.2 to v0.1.3 (#41 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.2 to v0.1.3. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.2...3c280cb168f9f46f0036f47c7f57bba2ec18f61c) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-02-04 16:23:41 +01:00
jeremydenoun	0b6ea0d97e	IMP: add multiple Improvements * add new kernel module detection (enable & listing) with detection of monolithic kernel * change way to detect if file system type is disabled * add global IS_CONTAINER variable * disable test for 3.4.x to be consistent with others * add cli options to override configuration loglevel	2021-02-04 16:21:49 +01:00
dependabot[bot]	ec9e2addc2	Bump luizm/action-sh-checker from v0.1.10 to v0.1.12 Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.10 to v0.1.12. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.10...442951059cb22d260c6e69309ae59cb7bb2334b8) Signed-off-by: dependabot[bot] <support@github.com>	2021-02-01 13:08:50 +01:00
Thibault Ayanides	ed1baa724e	IMP: mark some checks as useless	2021-01-25 13:02:52 +01:00
Thibault Ayanides	bd4ddfc398	ADD(3.4.x): add checks and tests	2021-01-25 13:02:52 +01:00
Thibault Ayanides	5a72d986ea	IMP(3.1-3.x): add comprehensive tests	2021-01-25 13:02:52 +01:00
Thibault Ayanides	c51513e083	IMP(1.8.1.4-6): add comprehensive tests	2021-01-25 13:02:52 +01:00
Thibault Ayanides	6127f2fe67	IMP(4.2.2.x): improve dealing with default conf The default for journald is Compress=yes and ForwardToSyslog=yes So we check that Compress=no and ForwardToSyslog=no are not in the conf file.	2021-01-25 13:02:52 +01:00
Thibault Serti	6efefa07ac	Update shellcheck workflow fix #34	2021-01-22 14:45:01 +01:00
jeremydenoun	dce926a536	Add default variable to avoid unbound variable Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-01-22 10:02:44 +01:00
jeremydenoun	0edb837f80	Remove bc dependency Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-01-22 09:31:53 +01:00
jeremydenoun	1c2e171655	Fix ovh/debian-cis:#25 (#28 ) Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>	2021-01-21 16:01:34 +01:00
dependabot[bot]	4a652a94c6	Bump EndBug/add-and-commit from v6 to v7 Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from v6 to v7. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v6...b3c7c1e078a023d75fb0bd326e02962575ce0519) Signed-off-by: dependabot[bot] <support@github.com>	2021-01-18 15:52:46 +01:00
Thibault Ayanides	89780550e6	Fix badges on README	2021-01-18 15:47:41 +01:00
Thibault Ayanides	047421f2d8	Regenerate man pages (Github action)	2021-01-18 15:47:41 +01:00
Thibault Ayanides	124aeea5cc	Fix debian package build via github actions	2021-01-18 15:47:41 +01:00
Thibault Ayanides	8de9817035	Update LICENSE	2021-01-18 15:47:41 +01:00
Thibault Ayanides	3217429679	Regenerate man pages (Github action)	2021-01-18 11:45:13 +01:00
Thibault Ayanides	af38e4f404	Update changelog	2021-01-18 11:45:13 +01:00
Thibault Ayanides	efb14ea0a9	Add compile manual github action	2021-01-18 11:45:13 +01:00
Thibault Ayanides	8029da6157	Add manual	2021-01-18 11:45:13 +01:00
Thibault Ayanides	4281ed330a	Update compat in debian package	2021-01-18 11:45:13 +01:00
Thibault Ayanides	aa90093f24	Add dependabot action	2021-01-18 11:45:13 +01:00
Thibault Ayanides	0ab210183b	Beautify README.md	2021-01-18 11:45:13 +01:00
Thibault Ayanides	8f5e3c2ef8	Bump shellcheck action version	2021-01-18 11:45:13 +01:00
Thibault Ayanides	f454b18991	Change artefact name when releasing	2021-01-18 11:45:13 +01:00
Thibault Ayanides	33b0dae4c3	Check if changelog was modfified before release	2021-01-18 11:45:13 +01:00
Thibault Ayanides	44e7ea7c63	Improve workflows	2021-01-18 11:45:13 +01:00
Thibault Ayanides	3f20f99e50	Add github actions Add shellcheck, shellfmt, release, prerelease, functionnal tests	2021-01-14 19:31:14 +01:00
Thibault Ayanides	45ccd337b4	Update README, AUTHORS, LICENSE	2021-01-13 11:14:26 +01:00