Skip NTP and Chrony config check if they are not installed (#120 )

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
Fix 3.4.2 audit rule (#123 )
2025-07-15 21:32:17 +02:00 · 2021-12-01 10:49:08 +01:00 · 2021-12-01 10:23:11 +01:00 · 2021-12-01 08:58:32 +01:00 · 2021-11-30 18:47:19 +01:00 · 2021-11-30 18:42:33 +01:00
76 changed files with 961 additions and 593 deletions
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -21,7 +21,7 @@ jobs:
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
        with:
          delete_release: true
          tag_name: latest
@ -29,12 +29,12 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.4.1
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
-        uses: metcalfc/changelog-generator@v0.4.4
+        uses: metcalfc/changelog-generator@v1.0.0
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -10,7 +10,7 @@ jobs:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.1.12
+        uses: luizm/action-sh-checker@v0.3.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -35,7 +35,7 @@ jobs:
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
        with:
          delete_release: true
          tag_name: latest
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 # :lock: CIS Debian 9/10 Hardening

-:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
-report issues if you find any !
+:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
+report issues if you find any!


 <p align="center">
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0

@ -80,7 +81,7 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
-    
+
    --create-config-files-only
        Create the config files in etc/conf.d
        Must be run as root, before running the audit with user secaudit
@ -101,14 +102,18 @@ OPTIONS:
        Finally note that '--sudo' mode only works for audit mode.

    --set-log-level <level>
-        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
        Default value is : info

+    --summary-json
+        While performing system audit, this option sets LOGLEVEL to silent and
+        only output a json summary at the end
+
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
        OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
-    
+
    --allow-unsupported-distribution
        Must be specified manually in the command line to allow the run on non compatible
        version or distribution. If you want to mute the warning change the LOGLEVEL
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
    --sudo)
        SUDO_MODE='--sudo'
        ;;
+    --summary-json)
+        SUMMARY_JSON='--summary-json'
+        ASK_LOGLEVEL=silent
+        ;;
    --batch)
        BATCH_MODE='--batch'
        ASK_LOGLEVEL=ok
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
    info "Treating $SCRIPT"
    if [ "$CREATE_CONFIG" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
    fi

    SCRIPT_EXITCODE=$?
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
    becho "$BATCH_SUMMARY"
+elif [ "$SUMMARY_JSON" ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    else
+        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
+    fi
+    printf '{'
+    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
+    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
+    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
+    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
+    printf '}\n'
 else
    printf "%40s\n" "################### SUMMARY ###################"
    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -26,7 +26,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
@ -41,7 +41,7 @@ apply() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -26,7 +26,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
@ -41,7 +41,7 @@ apply() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -24,7 +24,11 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -24,7 +24,11 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -24,7 +24,11 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
+        PARTITION=$(readlink -e "$PARTITION")
+    else
+        PARTITION="/dev/shm"
+    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -17,12 +17,20 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."

+EXCEPTIONS=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if setuid is set on world writable Directories"
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
        # shellcheck disable=SC2001
@ -35,8 +43,15 @@ audit() {

 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
    if [ -n "$RESULT" ]; then
+        warn "Setting sticky bit on world writable directories"
        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -33,7 +34,7 @@ audit() {
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi

-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -51,7 +52,7 @@ apply() {
        chown "$USER":"$GROUP" "$FILE"
    fi

-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -63,25 +64,25 @@ apply() {
 # This function will check config parameters required
 check_config() {

-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    does_user_exist "$USER"
    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
-        exit 128
+        exit 2
    fi
    does_group_exist "$GROUP"
    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
-        exit 128
+        exit 2
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }

--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -51,19 +51,18 @@ apply() {
    else
        ok "$PWD_PATTERN is present in $FILE"
    fi
-    :
 }

 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
-        exit 128
+        warn "Grub is not installed, not handling configuration"
+        exit 2
    fi
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }

--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -38,7 +38,6 @@ apply() {
    else
        ok "$PATTERN is not present in $FILE"
    fi
-    :
 }

 # This function will check config parameters required
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -35,31 +35,39 @@ nx_supported_and_enabled() {

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ "$FNRET" != 0 ]; then
-        nx_supported_and_enabled
-        if [ "$FNRET" != 0 ]; then
-            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
-        else
-            ok "NX is supported and enabled"
-        fi
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg "$PATTERN"
-    if [ "$FNRET" != 0 ]; then
-        nx_supported_and_enabled
-        if [ "$FNRET" != 0 ]; then
-            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
-        else
-            ok "NX is supported and enabled"
-        fi
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        ok "Container detected, cannot read dmesg!"
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
+        if [ "$FNRET" != 0 ]; then
+            nx_supported_and_enabled
+            if [ "$FNRET" != 0 ]; then
+                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
+            else
+                ok "NX is supported and enabled"
+            fi
+        else
+            ok "$PATTERN is present in dmesg"
+        fi
    fi
 }

--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done

-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
-        fi
-    done
-    IFS=$d_IFS
    if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGES are configured"
+        is_pkg_installed "grub-common"
+        if [ "$FNRET" != 0 ]; then
+            if [ "$IS_CONTAINER" -eq 1 ]; then
+                ok "Grub is not installed in container"
+            else
+                warn "Grub is not installed"
+                exit 128
+            fi
+        else
+            ERROR=0
+            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)

+            # define custom IFS and save default one
+            d_IFS=$IFS
+            c_IFS=$'\n'
+            IFS=$c_IFS
+            for line in $RESULT; do
+                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
+                    crit "$line is not configured"
+                    ERROR=1
+                fi
+            done
+            IFS=$d_IFS
+            if [ "$ERROR" = 0 ]; then
+                ok "$PACKAGES are configured"
+
+            fi
+        fi
    fi
 }

@ -62,26 +76,35 @@ apply() {
        fi
    done

-    ERROR=0
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
-
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for line in $RESULT; do
-        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
-            crit "$line is not configured"
-            ERROR=1
+    is_pkg_installed "grub-pc"
+    if [ "$FNRET" != 0 ]; then
+        if [ "$IS_CONTAINER" -eq 1 ]; then
+            ok "Grub is not installed in container"
+        else
+            warn "You should use grub. Install it yourself"
        fi
-    done
-    IFS=$d_IFS
-
-    if [ $ERROR = 1 ]; then
-        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
-        $SUDO_CMD update-grub
    else
-        ok "$PACKAGES are configured"
+        ERROR=0
+        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+
+        # define custom IFS and save default one
+        d_IFS=$IFS
+        c_IFS=$'\n'
+        IFS=$c_IFS
+        for line in $RESULT; do
+            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+                crit "$line is not configured"
+                ERROR=1
+            fi
+        done
+        IFS=$d_IFS
+
+        if [ $ERROR = 1 ]; then
+            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
+            $SUDO_CMD update-grub
+        else
+            ok "$PACKAGES are configured"
+        fi
    fi
 }

--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")

-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"

-    if [ -n "$RESULT_UNCONFINED" ]; then
-        ok "No profiles are unconfined"
-
-    else
-        crit "Some processes are unconfined while they have defined profile"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi
    fi
 }

@ -46,6 +49,7 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
+            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
+    if [ "$ERROR" = 0 ]; then
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)

-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+        if [ -n "$RESULT_UNCONFINED" ]; then
+            ok "No profiles are unconfined"
+        else
+            crit "Some processes are unconfined while they have defined profile"
+        fi

-    if [ -n "$RESULT_UNCONFINED" ]; then
-        ok "No profiles are unconfined"
-    else
-        crit "Some processes are unconfined while they have defined profile"
-    fi
-
-    if [ -n "$RESULT_COMPLAIN" ]; then
-        ok "No profiles are in complain mode"
-    else
-        crit "Some processes are in complain mode"
+        if [ -n "$RESULT_COMPLAIN" ]; then
+            ok "No profiles are in complain mode"
+        else
+            crit "Some processes are in complain mode"
+        fi
    fi
 }

@ -52,13 +55,14 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
+            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
    done

-    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)

    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
    else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
-        else
-            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
-        fi
+        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
    fi
 }

@ -46,7 +40,11 @@ apply() {

 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }

 # Source Root Dir Parameter
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp

 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
    else
-        ok "$PACKAGE is installed, checking configuration"
-        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
-        else
-            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
-        fi
-        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-        else
-            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
-        fi
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    fi
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
+    if [ "$FNRET" != 0 ]; then
+        crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+    else
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
    fi
 }

@ -77,7 +71,11 @@ apply() {

 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }

 # Source Root Dir Parameter
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking netport ports opened"
-    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
+    is_pkg_installed net-tools
+    if [ "$FNRET" != 0 ]; then
+        warn "netsat not installed, cannot execute check"
+        exit 2
    else
-        info "Checking $RESULT"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
-            ok "MTA is configured to localhost only"
+        info "Checking netport ports opened"
+        RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
+        RESULT=${RESULT:-}
+        debug "Result is $RESULT"
+        if [ -z "$RESULT" ]; then
+            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            crit "MTA listens worldwide"
+            info "Checking $RESULT"
+            if grep -q "127.0.0.1" <<<"$RESULT"; then
+                ok "MTA is configured to localhost only"
+            else
+                crit "MTA listens worldwide"
+            fi
        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking netport ports opened"
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
-    RESULT=${RESULT:-}
-    debug "Result is $RESULT"
-    if [ -z "$RESULT" ]; then
-        ok "Nothing listens on 25 port, probably unix socket configured"
+    is_pkg_installed net-tools
+    if [ "$FNRET" != 0 ]; then
+        warn "netsat not installed, cannot execute check"
+        exit 2
    else
-        info "Checking $RESULT"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
-            ok "MTA is configured to localhost only"
+        info "Checking netport ports opened"
+        RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+        RESULT=${RESULT:-}
+        debug "Result is $RESULT"
+        if [ -z "$RESULT" ]; then
+            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            warn "MTA listens worldwide, correct this considering your MTA"
+            info "Checking $RESULT"
+            if grep -q "127.0.0.1" <<<"$RESULT"; then
+                ok "MTA is configured to localhost only"
+            else
+                warn "MTA listens worldwide, correct this considering your MTA"
+            fi
        fi
    fi
-    :
 }

 # This function will check config parameters required
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@ -28,7 +28,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
--- a/bin/hardening/4.1.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.1.3_audit_bootloader.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."

 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."

 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -17,8 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."

-# Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
+# Find all files with setuid or setgid set
 AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'
--- a/bin/hardening/4.2.1.2_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.1.2_enable_syslog-ng.sh
@ -17,29 +17,40 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure syslog-ng service is activated."

+PACKAGE='syslog-ng'
 SERVICE_NAME="syslog-ng"

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
-        ok "$SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
    else
-        crit "$SERVICE_NAME is disabled"
+        info "Checking if $SERVICE_NAME is enabled"
+        is_service_enabled "$SERVICE_NAME"
+        if [ "$FNRET" = 0 ]; then
+            ok "$SERVICE_NAME is enabled"
+        else
+            crit "$SERVICE_NAME is disabled"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking if $SERVICE_NAME is enabled"
-    is_service_enabled "$SERVICE_NAME"
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        info "Enabling $SERVICE_NAME"
-        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
-        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
+        crit "$PACKAGE is not installed!"
    else
-        ok "$SERVICE_NAME is enabled"
+        info "Checking if $SERVICE_NAME is enabled"
+        is_service_enabled "$SERVICE_NAME"
+        if [ "$FNRET" != 0 ]; then
+            info "Enabling $SERVICE_NAME"
+            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
+            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
+        else
+            ok "$SERVICE_NAME is enabled"
+        fi
    fi
 }

--- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."

 # Note: this is not exacly the same check as the one described in CIS PDF

+PACKAGE='syslog-ng'
 PERMISSIONS=''
 USER=''
 GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            warn "$FILE does not exist"
-        else
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+        for FILE in $FILES; do
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
+                warn "$FILE does not exist"
+            else
+                FOUND_EXC=0
+                if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+                    debug "$FILE is found in exceptions"
+                    debug "Setting special user:group:perm"
+                    FOUND_EXC=1
+                    local user_bak="$USER"
+                    local group_bak="$GROUP"
+                    local perm_bak="$PERMISSIONS"
+                    USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                    GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                    PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+                fi
+                has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+                if [ "$FNRET" = 0 ]; then
+                    ok "$FILE has correct ownership ($USER:$GROUP)"
+                else
+                    crit "$FILE ownership was not set to $USER:$GROUP"
+                fi
+                has_file_correct_permissions "$FILE" "$PERMISSIONS"
+                if [ "$FNRET" = 0 ]; then
+                    ok "$FILE has correct permissions ($PERMISSIONS)"
+                else
+                    crit "$FILE permissions were not set to $PERMISSIONS"
+                fi
+                if [ "$FOUND_EXC" = 1 ]; then
+                    debug "Resetting user:group:perm"
+                    USER="$user_bak"
+                    GROUP="$group_bak"
+                    PERMISSIONS="$perm_bak"
+                fi
+            fi
+        done
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        for FILE in $FILES; do
+            does_file_exist "$FILE"
+            if [ "$FNRET" != 0 ]; then
+                info "$FILE does not exist"
+                filedir=$(dirname "${FILE#/var/log/}")
+                if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                    debug "Creating /var/log/$filedir for $FILE"
+                    debug "mkdir -p /var/log/$filedir"
+                    mkdir -p /var/log/"$filedir"
+                fi
+                touch "$FILE"
+            fi
            FOUND_EXC=0
-            if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+            if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                debug "$FILE is found in exceptions"
                debug "Setting special user:group:perm"
                FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
            fi
            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct ownership ($USER:$GROUP)"
+                ok "$FILE has correct ownership"
            else
-                crit "$FILE ownership was not set to $USER:$GROUP"
+                warn "fixing $FILE ownership to $USER:$GROUP"
+                chown "$USER":"$GROUP" "$FILE"
            fi
            has_file_correct_permissions "$FILE" "$PERMISSIONS"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct permissions ($PERMISSIONS)"
+                ok "$FILE has correct permissions"
            else
-                crit "$FILE permissions were not set to $PERMISSIONS"
+                info "fixing $FILE permissions to $PERMISSIONS"
+                chmod 0"$PERMISSIONS" "$FILE"
            fi
            if [ "$FOUND_EXC" = 1 ]; then
                debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
                GROUP="$group_bak"
                PERMISSIONS="$perm_bak"
            fi
-        fi
-    done
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    for FILE in $FILES; do
-        does_file_exist "$FILE"
-        if [ "$FNRET" != 0 ]; then
-            info "$FILE does not exist"
-            filedir=$(dirname "${FILE#/var/log/}")
-            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
-                debug "Creating /var/log/$filedir for $FILE"
-                debug "mkdir -p /var/log/$filedir"
-                mkdir -p /var/log/"$filedir"
-            fi
-            touch "$FILE"
-        fi
-        FOUND_EXC=0
-        if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
-            debug "$FILE is found in exceptions"
-            debug "Setting special user:group:perm"
-            FOUND_EXC=1
-            local user_bak="$USER"
-            local group_bak="$GROUP"
-            local perm_bak="$PERMISSIONS"
-            USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
-            GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
-            PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
-        fi
-        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct ownership"
-        else
-            warn "fixing $FILE ownership to $USER:$GROUP"
-            chown "$USER":"$GROUP" "$FILE"
-        fi
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        if [ "$FNRET" = 0 ]; then
-            ok "$FILE has correct permissions"
-        else
-            info "fixing $FILE permissions to $PERMISSIONS"
-            chmod 0"$PERMISSIONS" "$FILE"
-        fi
-        if [ "$FOUND_EXC" = 1 ]; then
-            debug "Resetting user:group:perm"
-            USER="$user_bak"
-            GROUP="$group_bak"
-            PERMISSIONS="$perm_bak"
-        fi
-    done
+        done
+    fi
 }

 # This function will create the config file for this check with default values
--- a/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
+++ b/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
@ -17,40 +17,52 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."

+PACKAGE='syslog-ng'
+
 PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [ "$FOUND" = 1 ]; then
-        ok "$PATTERN is present in $FILES"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
    else
-        crit "$PATTERN is not present in $FILES"
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
+
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-    if [ "$FOUND" = 1 ]; then
-        ok "$PATTERN is present in $FILES"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done
+        if [ "$FOUND" = 1 ]; then
+            ok "$PATTERN is present in $FILES"
+        else
+            crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        fi
    fi
 }

--- a/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
+++ b/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
@ -17,64 +17,74 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."

+PACKAGE='syslog-ng'
+
 REMOTE_HOST=""
 PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [[ "$REMOTE_HOST" ]]; then
-        info "This is the remote host, checking that it only accepts logs from specified zone"
-        if [ "$FOUND" = 1 ]; then
-            ok "$PATTERN is present in $FILES"
-        else
-            crit "$PATTERN is not present in $FILES"
-        fi
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
-        if [ "$FOUND" = 1 ]; then
-            crit "$PATTERN is present in $FILES"
-        else
-            ok "$PATTERN is not present in $FILES"
-        fi
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done

+        if [[ "$REMOTE_HOST" ]]; then
+            info "This is the remote host, checking that it only accepts logs from specified zone"
+            if [ "$FOUND" = 1 ]; then
+                ok "$PATTERN is present in $FILES"
+            else
+                crit "$PATTERN is not present in $FILES"
+            fi
+        else
+            info "This is the not the remote host checking that it doesn't accept remote logs"
+            if [ "$FOUND" = 1 ]; then
+                crit "$PATTERN is present in $FILES"
+            else
+                ok "$PATTERN is not present in $FILES"
+            fi
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-    for FILE in $FILES; do
-        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            FOUND=1
-        fi
-    done
-
-    if [[ "$REMOTE_HOST" ]]; then
-        info "This is the remote host, checking that it only accepts logs from specified zone"
-        if [ "$FOUND" = 1 ]; then
-            ok "$PATTERN is present in $FILES"
-        else
-            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
-        fi
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
-        if [ "$FOUND" = 1 ]; then
-            warn "$PATTERN is present in $FILES, "
-        else
-            ok "$PATTERN is not present in $FILES"
-        fi
+        FOUND=0
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+        for FILE in $FILES; do
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                FOUND=1
+            fi
+        done

+        if [[ "$REMOTE_HOST" ]]; then
+            info "This is the remote host, checking that it only accepts logs from specified zone"
+            if [ "$FOUND" = 1 ]; then
+                ok "$PATTERN is present in $FILES"
+            else
+                crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
+            fi
+        else
+            info "This is the not the remote host checking that it doesn't accept remote logs"
+            if [ "$FOUND" = 1 ]; then
+                warn "$PATTERN is present in $FILES, "
+            else
+                ok "$PATTERN is not present in $FILES"
+            fi
+        fi
    fi
 }

--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
+            does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@ -34,7 +34,7 @@ audit() {
            # shellcheck disable=SC2001
            SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -59,12 +59,12 @@ apply() {
        # shellcheck disable=SC2001
        SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
+++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
@ -17,6 +17,7 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."

+PACKAGE='openssh-server'
 FILE='/etc/ssh/sshd_config'
 PERMISSIONS='600'
 USER='root'
@ -24,40 +25,50 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$PACKAGE is not installed!"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist "$FILE"
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
-        touch "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
+        ok "$PACKAGE is not installed"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
-    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
-    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            info "$FILE does not exist"
+            touch "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/5.2.20_enable_ssh_pam.sh
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@ -32,11 +32,21 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
            fi
        done
    fi
@ -55,17 +65,22 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
            fi
            /etc/init.d/ssh reload
        fi
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.5_sshd_loglevel.sh
+++ b/bin/hardening/5.2.5_sshd_loglevel.sh
@ -61,7 +61,7 @@ apply() {
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -32,11 +32,21 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
            fi
        done
    fi
@ -55,17 +65,22 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            warn "$PATTERN is not present in $FILE"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
            fi
            /etc/init.d/ssh reload
        fi
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.4.5_default_timeout.sh
+++ b/bin/hardening/5.4.5_default_timeout.sh
@ -31,7 +31,7 @@ audit() {
            debug "$FILE_SEARCHED is a directory"
            # shellcheck disable=2044
            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                if [ "$FNRET" != 0 ]; then
                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                else
@ -41,7 +41,7 @@ audit() {
                fi
            done
        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$PATTERN is not present in $FILE_SEARCHED"
            else
@ -64,7 +64,7 @@ apply() {
            debug "$FILE_SEARCHED is a directory"
            # shellcheck disable=2044
            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
                if [ "$FNRET" != 0 ]; then
                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                else
@ -74,7 +74,7 @@ apply() {
                fi
            done
        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$PATTERN is not present in $FILE_SEARCHED"
            else
@ -87,8 +87,7 @@ apply() {
        warn "$PATTERN is not present in $FILES_TO_SEARCH"
        touch "$FILE"
        chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
-        add_end_of_file "$FILE" "readonly TMOUT"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
        add_end_of_file "$FILE" "export TMOUT"
    else
        ok "$PATTERN is present in $FILES_TO_SEARCH"
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@ -17,12 +17,21 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"

+EXCLUDED=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are world writable files"
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
    if [ -n "$RESULT" ]; then
        crit "Some world writable files are present"
        # shellcheck disable=SC2001
@ -35,7 +44,13 @@ audit() {

 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
    if [ -n "$RESULT" ]; then
        warn "chmoding o-w all files in the system"
        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@ -26,7 +26,7 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
    fi
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@ -26,7 +26,7 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
    fi
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@ -24,7 +24,7 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
    else
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
    fi
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@ -24,7 +24,7 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
    else
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
    fi
--- a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
+++ b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        ok "$FILE exist"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist"
+        touch "$FILE"
+        warn "You may want to fill it with allowed networks"
+    else
+        ok "$FILE exist"
+    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
+++ b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        ok "$FILE exist"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$FILE does not exist"
+        touch "$FILE"
+        warn "You may want to fill it with allowed networks"
+    else
+        ok "$FILE exist"
+    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
+++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
@ -49,7 +49,6 @@ apply() {
            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
            replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
        fi
-        /etc/init.d/ssh reload >/dev/null 2>&1
    fi
 }

--- a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@ -37,7 +37,7 @@ audit() {
            pw_found+="$user "
            ok "User $user has a disabled password."
        # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
-        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+        elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
            pw_found+="$user "
            ok "User $user has suitable SHA512 hashed password."
        else
--- a/cisharden.sudoers
+++ b/cisharden.sudoers
@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                        /sbin/sysctl -a,\
                        /bin/dmesg "",\
                        /bin/netstat,\
+                        /usr/sbin/lsmod,\
+                        /sbin/lsmod,\
+                        /sbin/modprobe,\
+                        /usr/sbin/modprobe -n -v*,\
                        /usr/sbin/apparmor_status

 cisharden ALL = (root) NOPASSWD: SCL_CMD
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,47 @@
+cis-hardening (3.1-6) unstable; urgency=medium
+
+  * Improve EXCEPTIONS management (1.1.21,6.1.10)
+  * Fix bug linked with regex quoting (6.1.10-11-12-13-14)
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Wed, 02 Jun 2021 09:45:40 +0200
+
+cis-hardening (3.1-5) unstable; urgency=medium
+
+  * Fix unbound EXCEPTIONS variable in some cases
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Fri, 28 May 2021 15:02:34 +0200
+
+cis-hardening (3.1-4) unstable; urgency=medium
+
+  * Add test to check stderr is empty
+  * Fix 2.2.1.2 audit and apply
+  * Accept lower values as valid 5.2.7 and 5.2.23
+  * Add dir exceptions in 1.1.21 and 6.1.10
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 06 May 2021 10:07:22 +0200
+
+cis-hardening (3.1-3) unstable; urgency=medium
+
+  * Fix 4.1.11 permissions
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 12 Apr 2021 12:17:16 +0200
+
+cis-hardening (3.1-2) unstable; urgency=medium
+
+  * Fix case for sshd pattern searching
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Fri, 02 Apr 2021 09:16:16 +0200
+
+cis-hardening (3.1-1) unstable; urgency=medium
+
+  * Various mispeling fixes
+  * Fix div function that causes a display bug when runnin test with --only
+  * Fix 4.1.1.4 bad pattern bug
+  * Fix 5.4.2.2
+  * Various verification that package is installed or file exist before running check (openssh, apparmor, crontab)
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 25 Mar 2021 14:59:49 +0100
+
 cis-hardening (3.1-0) unstable; urgency=medium

  * Add missing HARDENING_LEVEL var for some checks
--- a/lib/common.sh
+++ b/lib/common.sh
@ -25,6 +25,9 @@ backup_file() {
 #

 case $LOGLEVEL in
+silent)
+    MACHINE_LOG_LEVEL=0
+    ;;
 error)
    MACHINE_LOG_LEVEL=1
    ;;
@ -121,6 +124,10 @@ div() {
    local _d=${3:-2}
    local _n=0000000000
    _n=${_n:0:$_d}
+    if (($1 == 0)); then
+        echo "0"
+        return
+    fi
    if (($2 == 0)); then
        echo "N.A"
        return
--- a/lib/main.sh
+++ b/lib/main.sh
@ -10,9 +10,16 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
+SAVED_LOGLEVEL=""

+if [ -n "${LOGLEVEL:-}" ]; then
+    SAVED_LOGLEVEL=$LOGLEVEL
+fi
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ -n "$SAVED_LOGLEVEL" ]; then
+    LOGLEVEL=$SAVED_LOGLEVEL
+fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -384,9 +384,9 @@ is_kernel_option_enabled() {
        fi
    else
        if [ "$MODPROBE_FILTER" != "" ]; then
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
        else
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
        fi

        if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
--- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -1,29 +1,35 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/exception
+    chmod 777 /home/secaudit/exception
+
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "All world writable directories have a sticky bit"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
-        describe Tests purposely failing
-        local targetdir="/home/secaudit/world_writable_folder"
-        mkdir $targetdir || true
-        chmod 777 "$targetdir"
-        register_test retvalshouldbe 1
-        register_test contain "Some world writable directories are not on sticky bit mode"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-        describe correcting situation
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    describe Tests purposely failing
+    local targetdir="/home/secaudit/world_writable_folder"
+    mkdir $targetdir || true
+    chmod 777 "$targetdir"
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All world writable directories have a sticky bit"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "All world writable directories have a sticky bit"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }
--- a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
@ -7,6 +7,22 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    echo "maxsessions 1" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 1 is lower than recommended 10"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "maxsessions 15" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 15 is higher than recommended 10"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe Correcting situation
    # `apply` performs a service reload after each change in the config file
    # the service needs to be started for the reload to succeed
--- a/tests/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/tests/hardening/5.2.7_sshd_maxauthtries.sh
@ -7,6 +7,22 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 2 is lower than recommended 4"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 6 is higher than recommended 4"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe Correcting situation
    # `apply` performs a service reload after each change in the config file
    # the service needs to be started for the reload to succeed
--- a/tests/hardening/6.1.10_find_world_writable_file.sh
+++ b/tests/hardening/6.1.10_find_world_writable_file.sh
@ -1,32 +1,33 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg

-    #run this test only if we're not in docker
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
-        describe Running on blank host
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        # shellcheck disable=2154
-        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    register_test contain "No world writable files found"
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-        describe Tests purposely failing
-        local targetfile="/home/secaudit/worldwritable"
-        touch "$targetfile"
-        chmod 777 "$targetfile"
-        register_test retvalshouldbe 1
-        register_test contain "Some world writable files are present"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    describe Tests purposely failing
+    local targetfile="/home/secaudit/worldwritable"
+    touch "$targetfile"
+    chmod 777 "$targetfile"
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-        describe correcting situation
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "No world writable files found"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }
--- a/tests/hardening/6.1.11_find_unowned_files.sh
+++ b/tests/hardening/6.1.11_find_unowned_files.sh
@ -1,6 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/6.1.11/
+    touch /home/secaudit/6.1.11/test
+    chown 1200 /home/secaudit/6.1.11/test
+
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "No unowned files found"
--- a/tests/hardening/6.1.12_find_ungrouped_files.sh
+++ b/tests/hardening/6.1.12_find_ungrouped_files.sh
@ -1,6 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/6.1.12/
+    touch /home/secaudit/6.1.12/test
+    chown 1200:1200 /home/secaudit/6.1.12/test
+
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "No ungrouped files found"
--- a/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@ -22,11 +22,19 @@ test_audit() {
    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    mv /tmp/shadow.bak /etc/shadow
-    chpasswd <<EOF
+    chpasswd -c SHA512 <<EOF
 secaudit:mypassword
 EOF
    describe Pass: Found properly hashed password
    register_test retvalshouldbe 0
    register_test contain "User secaudit has suitable SHA512 hashed password"
    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    chpasswd -c SHA512 -s 1000 <<EOF
+secaudit:mypassword
+EOF
+    describe Pass: Found properly hashed password with custom round number
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has suitable SHA512 hashed password"
+    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@ -131,12 +131,12 @@ play_consistency_tests() {
    fi
 }

-# Actually runs one signel audit script
+# Actually runs one single audit script
 _run() {
    usecase_name=$1
    shift
    printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
-    bash -c "$*" >"$outdir/$usecase_name.log" && true
+    bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
    echo $? >"$outdir/$usecase_name.retval"
    ret=$(<"$outdir"/"$usecase_name".retval)
    get_stdout
@ -188,15 +188,25 @@ for test_file in $tests_list; do
    echo ""
 done

+stderrunexpected=""
+for file in "$outdir"/*_err.log; do
+    if [ -s "$file" ]; then
+        stderrunexpected="$stderrunexpected $(basename "$file")"
+    fi
+done
+
 printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
-if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
+if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
    echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
+    echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
+
 else
    (
        echo -e "\033[41mOne or more tests failed :(\033[0m"
        echo -e "- $nbfailedret unexpected return values ${listfailedret}"
        echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
        echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
+        echo -e "- stderr detected on $stderrunexpected"
    ) | tee "$outdir"/summary
 fi
 echo
Author	SHA1	Message	Date
Sebastien BLAISOT	97914976c8	Skip NTP and Chrony config check if they are not installed (#120 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 10:49:08 +01:00
Sebastien BLAISOT	66c8ccf495	Fix 3.4.2 audit rule (#123 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 10:23:11 +01:00
Sebastien BLAISOT	b53bf1795c	Fix grub detection (#119 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 08:58:32 +01:00
Sebastien BLAISOT	1a874b2b35	Allow grub.cfg permission to be 600 (#121 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-11-30 18:47:19 +01:00
Sebastien BLAISOT	7266ec7cb4	Honor --set-log-level parameter (#127 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-11-30 18:42:33 +01:00
Jan Schmidle	8f855ac159	fix: kernel module detection (#129 ) * fix: add filter to hfs * fix is_kernel_option_enabled check as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output. Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-10-20 14:51:29 +02:00
Sebastien BLAISOT	ad192c9457	Add silent mode and json summary (#128 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-10-20 13:22:59 +02:00
Sebastien BLAISOT	3d2d97a727	FIX(1.7.1.4): don't abort script in case of unconfined processes (#130 )	2021-10-20 13:14:36 +02:00
Sebastien BLAISOT	6e2fb1570c	FIX(2.2.1.4): Validate debian default ntp config (#118 )	2021-10-15 16:19:51 +02:00
dependabot[bot]	faf5b155e5	Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>	2021-08-10 13:57:13 +02:00
dependabot[bot]	43887d4165	Bump luizm/action-sh-checker from 0.1.13 to 0.3.0 (#111 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.1.13 to 0.3.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.13...v0.3.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-08-10 13:47:31 +02:00
dependabot[bot]	499ebf2f9b	Bump dev-drprasad/delete-tag-and-release from v0.1.3 to v0.2.0 (#72 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.3 to v0.2.0. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.3...085c6969f18bad0de1b9f3fe6692a3cd01f64fe5) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>	2021-08-10 10:39:53 +02:00
Thibault Ayanides	afed5a9dce	99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112 )	2021-08-10 10:30:35 +02:00
dependabot[bot]	01c3d1b98c	Bump luizm/action-sh-checker from v0.1.12 to v0.1.13 (#73 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.12 to v0.1.13. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.12...164368daf52a9126460854f9c0de00abc079a350) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>	2021-08-10 09:43:59 +02:00
dependabot[bot]	25e899168f	Bump actions-ecosystem/action-get-latest-tag from 1 to 1.4.1 (#101 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1 to 1.4.1. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1...v1.4.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>	2021-08-10 09:36:28 +02:00
Thibault Ayanides	9a2e3a0e0d	Fix 5.4.5 pattern search (#108 ) fix #107	2021-08-09 10:49:56 +02:00
Thibault Ayanides	334d743125	fix EXCEPTIONS management (#104 ) * FIX(1.1.21, 6.1.10) fix EXCEPTIONS management * Update changelog * Refactor test for 6.1.10-14	2021-06-02 13:47:19 +02:00
Thibault Ayanides	4ed8adf790	Update changelog (#103 )	2021-05-28 15:06:48 +02:00
Thibault Ayanides	f4328deeb2	Fix unbound variable (#102 )	2021-05-28 15:00:58 +02:00
Thibault Ayanides	29505255ff	Update changelog (#99 )	2021-05-07 09:16:15 +02:00
Thibault Ayanides	9e6c9a0d8a	Accept lower values (#95 ) * IMP(5.2.23): accept lower value as valid * IMP(5.2.7): accept lower value as valid	2021-04-27 16:04:13 +02:00
Thibault Ayanides	1cade2e375	FIX(2.2.1.2): custom func not working for systemd (#90 ) fix #87	2021-04-27 13:49:05 +02:00
Thibault Ayanides	fc8a2b2561	FIX: add commands to sudoers (#91 )	2021-04-27 13:31:59 +02:00
Thibault Ayanides	cadc25c28c	Dir exceptions (#96 ) * IMP(1.1.21): add EXCEPTIONS * IMP(6.1.10): add EXCEPTIONS	2021-04-26 17:05:22 +02:00
Thibault Ayanides	8c6c9a7571	IMP(tests): checks that stderr is empty Fix #97	2021-04-26 17:01:19 +02:00
Thibault Ayanides	dd41988933	Update changelog	2021-04-13 11:00:29 +02:00
Thibault Ayanides	f6c6e6a0a8	FIX(4.1.11): add SUDO to find suid files	2021-04-13 11:00:29 +02:00
Thibault Ayanides	d26ad48416	Update changelog	2021-04-02 09:25:41 +02:00
Thibault Ayanides	d110a2aa19	Ignore case for sshd conf fix #85	2021-04-02 09:25:41 +02:00
Thibault Ayanides	cbd81b8ab2	Update changelog (#82 )	2021-03-26 12:16:50 +01:00
Thibault Ayanides	1c51e4cec4	Check that package are installed before launching check (#69 ) * FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-03-25 14:01:57 +01:00
Thibault Ayanides	f8ac58700d	FIX(4.1.1.4): bad pattern (#67 ) fix #61	2021-03-25 13:50:08 +01:00
Thibault Ayanides	1c1393c7e3	Fix div function to manage 0 on numerator (#79 ) fix #77 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-03-23 08:36:36 +01:00
Thibault Ayanides	c50f200c5c	FIX(5.4.5.2): explicit sha512 fix #74	2021-03-22 15:22:50 +01:00
Simão Gomes Viana	c0ecc9cd6f	README: fix spelling and spacing in first line	2021-03-19 08:36:31 +01:00