bump to 4.0-1

fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186 )
On systems where /etc/sudoers.d might be updated often by some automated means, this check might raise a critical when a previously present file (during the ls) is no longer present (during its attempted read), so before raising a critical, re-check that it does exists first.
2025-07-16 22:02:17 +02:00 · 2023-07-10 07:21:13 +00:00 · 2023-07-03 17:05:45 +02:00 · 2023-05-05 12:32:22 +02:00 · 2023-05-02 18:06:59 +02:00 · 2023-05-02 18:01:53 +02:00
155 changed files with 3234 additions and 1096 deletions
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -7,10 +7,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Produce debian man
        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
-      - uses: EndBug/add-and-commit@v7
+      - uses: EndBug/add-and-commit@v9
        with:
          add: 'debian/cis-hardening.8'
          message: 'Regenerate man pages (Github action)'
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -4,24 +4,17 @@ on:
  - pull_request
  - push
 jobs:
  functionnal-tests-docker-debian9:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Run the tests debian9
        run: ./tests/docker_build_and_run_tests.sh debian9
  functionnal-tests-docker-debian10:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -11,7 +11,7 @@ jobs:
    steps:
      # CHECKOUT CODE
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
@ -21,7 +21,7 @@ jobs:
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
        with:
          delete_release: true
          tag_name: latest
@ -29,12 +29,12 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
-        uses: metcalfc/changelog-generator@v0.4.4
+        uses: metcalfc/changelog-generator@v4.1.0
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -8,9 +8,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.1.12
+        uses: luizm/action-sh-checker@v0.7.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
@ -24,6 +24,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run shellcheck
        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -7,8 +7,6 @@ on:
 jobs:
  build:
    name: Create Release
    # only runs on master
    if: github.event.base_ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      # GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      # CHECKOUT CODE
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          ref: ${{ steps.vars.outputs.tag }}
      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@ -35,7 +33,7 @@ jobs:
          find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
      # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
      - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
        with:
          delete_release: true
          tag_name: latest
--- a/README.md
+++ b/README.md
@ -1,7 +1,4 @@
-# :lock: CIS Debian 9/10 Hardening
+# :lock: CIS Debian 10/11 Hardening
 :tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
 report issues if you find any !
 <p align="center">
@ -16,7 +13,7 @@ report issues if you find any !
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
-Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 ```console
@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
-With `target` being like `debian9` or `debian10`.
+With `target` being like `debian10` or `debian11`.
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
@ -101,9 +102,13 @@ OPTIONS:
        Finally note that '--sudo' mode only works for audit mode.
    --set-log-level <level>
-        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
        Default value is : info
    --summary-json
        While performing system audit, this option sets LOGLEVEL to silent and
        only output a json summary at the end
    --batch
        While performing system audit, this option sets LOGLEVEL to 'ok' and
        captures all output to print only one line once the check is done, formatted like :
@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
    --sudo)
        SUDO_MODE='--sudo'
        ;;
    --summary-json)
        SUMMARY_JSON='--summary-json'
        ASK_LOGLEVEL=silent
        ;;
    --batch)
        BATCH_MODE='--batch'
        ASK_LOGLEVEL=ok
@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
    info "Treating $SCRIPT"
    if [ "$CREATE_CONFIG" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
    elif [ "$AUDIT" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
    elif [ "$APPLY" = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
    fi
    SCRIPT_EXITCODE=$?
@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
        BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
    fi
    becho "$BATCH_SUMMARY"
 elif [ "$SUMMARY_JSON" ]; then
    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
    else
        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
    fi
    printf '{'
    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
    printf '}\n'
 else
    printf "%40s\n" "################### SUMMARY ###################"
    printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -26,7 +26,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
@ -41,7 +41,7 @@ apply() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -26,7 +26,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
@ -41,7 +41,7 @@ apply() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
--- a/bin/hardening/1.1.1.8_disable_cramfs.sh
+++ b/bin/hardening/1.1.1.8_disable_cramfs.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
    else
        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
        else
            ok "$MODULE_NAME is disabled"
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.1_var_log_noexec.sh
+++ b/bin/hardening/1.1.11.1_var_log_noexec.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.2_var_log_nosuid.sh
+++ b/bin/hardening/1.1.11.2_var_log_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.11.3_var_log_nodev.sh
+++ b/bin/hardening/1.1.11.3_var_log_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12.1_var_log_audit_noexec.sh
+++ b/bin/hardening/1.1.12.1_var_log_audit_noexec.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
+++ b/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.12.3_var_log_audit_nodev.sh
+++ b/bin/hardening/1.1.12.3_var_log_audit_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var/log/audit partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.14.1_home_nosuid.sh
+++ b/bin/hardening/1.1.14.1_home_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/home partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/home"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@ -24,7 +24,11 @@ OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@ -24,7 +24,11 @@ OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@ -24,7 +24,11 @@ OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
-    PARTITION=$(readlink -e "$PARTITION")
+    if [ -e "$PARTITION" ]; then
        PARTITION=$(readlink -e "$PARTITION")
    else
        PARTITION="/dev/shm"
    fi
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -17,12 +17,32 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 EXCEPTIONS=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    if [ -n "$EXCEPTIONS" ]; then
-    # shellcheck disable=SC2086
+        # maybe EXCEPTIONS allow us to filter out some FS
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    if [ -n "$RESULT" ]; then
        crit "Some world writable directories are not on sticky bit mode!"
        # shellcheck disable=SC2001
@ -35,9 +55,16 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
        # shellcheck disable=SC2086
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        warn "Setting sticky bit on world writable directories"
        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
--- a/bin/hardening/1.1.6.1_var_nodev.sh
+++ b/bin/hardening/1.1.6.1_var_nodev.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.1.6.2_var_nosuid.sh
+++ b/bin/hardening/1.1.6.2_var_nosuid.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="/var partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        has_mount_option "$PARTITION" "$OPTION"
        if [ "$FNRET" -gt 0 ]; then
            crit "$PARTITION has no option $OPTION in fstab!"
            FNRET=1
        else
            ok "$PARTITION has $OPTION in fstab"
            has_mounted_option "$PARTITION" "$OPTION"
            if [ "$FNRET" -gt 0 ]; then
                warn "$PARTITION is not mounted with $OPTION at runtime"
                FNRET=3
            else
                ok "$PARTITION mounted with $OPTION"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    elif [ "$FNRET" = 1 ]; then
        info "Adding $OPTION to fstab"
        add_option_to_fstab "$PARTITION" "$OPTION"
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    elif [ "$FNRET" = 3 ]; then
        info "Remounting $PARTITION from fstab"
        remount_partition "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No param for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
 PERMISSIONSOK='400 600'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -33,7 +34,7 @@ audit() {
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -51,7 +52,7 @@ apply() {
        chown "$USER":"$GROUP" "$FILE"
    fi
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
    else
@ -63,25 +64,25 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    does_user_exist "$USER"
    if [ "$FNRET" != 0 ]; then
        crit "$USER does not exist"
-        exit 128
+        exit 2
    fi
    does_group_exist "$GROUP"
    if [ "$FNRET" != 0 ]; then
        crit "$GROUP does not exist"
-        exit 128
+        exit 2
    fi
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.2_bootloader_password.sh
+++ b/bin/hardening/1.5.2_bootloader_password.sh
@ -51,19 +51,18 @@ apply() {
    else
        ok "$PWD_PATTERN is present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
    if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
+        warn "Grub is not installed, not handling configuration"
-        exit 128
+        exit 2
    fi
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
-        exit 128
+        exit 2
    fi
 }
--- a/bin/hardening/1.5.3_root_password.sh
+++ b/bin/hardening/1.5.3_root_password.sh
@ -38,7 +38,6 @@ apply() {
    else
        ok "$PATTERN is not present in $FILE"
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/1.6.1_enable_nx_support.sh
+++ b/bin/hardening/1.6.1_enable_nx_support.sh
@ -35,31 +35,39 @@ nx_supported_and_enabled() {
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" != 0 ]; then
+        ok "Container detected, cannot read dmesg!"
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
        fi
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
            else
                ok "NX is supported and enabled"
            fi
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_dmesg "$PATTERN"
+    if [ "$IS_CONTAINER" -eq 1 ]; then
-    if [ "$FNRET" != 0 ]; then
+        ok "Container detected, cannot read dmesg!"
        nx_supported_and_enabled
        if [ "$FNRET" != 0 ]; then
            crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
        else
            ok "NX is supported and enabled"
        fi
    else
-        ok "$PATTERN is present in dmesg"
+        does_pattern_exist_in_dmesg "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            nx_supported_and_enabled
            if [ "$FNRET" != 0 ]; then
                crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
            else
                ok "NX is supported and enabled"
            fi
        else
            ok "$PATTERN is present in dmesg"
        fi
    fi
 }
--- a/bin/hardening/1.6.3.1_disable_apport.sh
+++ b/bin/hardening/1.6.3.1_disable_apport.sh
@ -0,0 +1,69 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # 1.6.3.1 Ensure apport is disabled (Scored)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable apport to avoid confidential data leaks."
 PACKAGE='apport'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed!"
    else
        ok "$PACKAGE is absent"
    fi
    :
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        apt-get purge "$PACKAGE" -y
        apt-get autoremove
    else
        ok "$PACKAGE is absent"
    fi
    :
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGES are configured"
+        is_pkg_installed "grub-common"
        if [ "$FNRET" != 0 ]; then
            if [ "$IS_CONTAINER" -eq 1 ]; then
                ok "Grub is not installed in container"
            else
                warn "Grub is not installed"
                exit 128
            fi
        else
            ERROR=0
            RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
            # define custom IFS and save default one
            d_IFS=$IFS
            c_IFS=$'\n'
            IFS=$c_IFS
            for line in $RESULT; do
                if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
                    crit "$line is not configured"
                    ERROR=1
                fi
            done
            IFS=$d_IFS
            if [ "$ERROR" = 0 ]; then
                ok "$PACKAGES are configured"
            fi
        fi
    fi
 }
@ -62,26 +76,35 @@ apply() {
        fi
    done
-    ERROR=0
+    is_pkg_installed "grub-pc"
-    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    if [ "$FNRET" != 0 ]; then
-
+        if [ "$IS_CONTAINER" -eq 1 ]; then
-    # define custom IFS and save default one
+            ok "Grub is not installed in container"
-    d_IFS=$IFS
+        else
-    c_IFS=$'\n'
+            warn "You should use grub. Install it yourself"
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
        $SUDO_CMD update-grub
    else
-        ok "$PACKAGES are configured"
+        ERROR=0
        RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
        # define custom IFS and save default one
        d_IFS=$IFS
        c_IFS=$'\n'
        IFS=$c_IFS
        for line in $RESULT; do
            if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
                crit "$line is not configured"
                ERROR=1
            fi
        done
        IFS=$d_IFS
        if [ $ERROR = 1 ]; then
            $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
            $SUDO_CMD update-grub
        else
            ok "$PACKAGES are configured"
        fi
    fi
 }
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
            ok "No profiles are unconfined"
-    if [ -n "$RESULT_UNCONFINED" ]; then
+        else
-        ok "No profiles are unconfined"
+            crit "Some processes are unconfined while they have defined profile"
-
+        fi
    else
        crit "Some processes are unconfined while they have defined profile"
    fi
 }
@ -46,6 +49,7 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGES is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    ERROR=0
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            ERROR=1
        else
            ok "$PACKAGE is installed"
        fi
    done
    if [ "$ERROR" = 0 ]; then
        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
-    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        if [ -n "$RESULT_UNCONFINED" ]; then
-    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+            ok "No profiles are unconfined"
        else
            crit "Some processes are unconfined while they have defined profile"
        fi
-    if [ -n "$RESULT_UNCONFINED" ]; then
+        if [ -n "$RESULT_COMPLAIN" ]; then
-        ok "No profiles are unconfined"
+            ok "No profiles are in complain mode"
-    else
+        else
-        crit "Some processes are unconfined while they have defined profile"
+            crit "Some processes are in complain mode"
-    fi
+        fi
    if [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are in complain mode"
    else
        crit "Some processes are in complain mode"
    fi
 }
@ -52,13 +55,14 @@ apply() {
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" != 0 ]; then
            crit "$PACKAGE is absent!"
            apt_install "$PACKAGE"
        else
            ok "$PACKAGE is installed"
        fi
    done
-    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
-    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
    if [ -n "$RESULT_UNCONFINED" ]; then
        ok "No profiles are unconfined"
--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
+    status=$(systemctl is-enabled "$SERVICE_NAME")
-    if [ "$FNRET" = 0 ]; then
+    if [ "$status" = "enabled" ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
--- a/bin/hardening/2.2.1.3_configure_chrony.sh
+++ b/bin/hardening/2.2.1.3_configure_chrony.sh
@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
    else
-        ok "$PACKAGE is installed, checking configuration"
+        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
        else
            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
        fi
    fi
 }
@ -46,7 +40,11 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        warn "$PACKAGE is not installed, not handling configuration"
        exit 2
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/2.2.1.4_configure_ntp.sh
+++ b/bin/hardening/2.2.1.4_configure_ntp.sh
@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
    else
-        ok "$PACKAGE is installed, checking configuration"
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
-        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+    fi
-        if [ "$FNRET" != 0 ]; then
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
-            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+    if [ "$FNRET" != 0 ]; then
-        else
+        crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    else
-        fi
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
        if [ "$FNRET" != 0 ]; then
            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
        else
            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
        fi
    fi
 }
@ -77,7 +71,11 @@ apply() {
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        warn "$PACKAGE is not installed, not handling configuration"
        exit 2
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/2.2.15_mta_localhost.sh
+++ b/bin/hardening/2.2.15_mta_localhost.sh
@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking netport ports opened"
+    is_pkg_installed net-tools
-    RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    if [ "$FNRET" != 0 ]; then
-    RESULT=${RESULT:-}
+        warn "netsat not installed, cannot execute check"
-    debug "Result is $RESULT"
+        exit 2
    if [ -z "$RESULT" ]; then
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
-        info "Checking $RESULT"
+        info "Checking netport ports opened"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
+        RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
-            ok "MTA is configured to localhost only"
+        RESULT=${RESULT:-}
        debug "Result is $RESULT"
        if [ -z "$RESULT" ]; then
            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            crit "MTA listens worldwide"
+            info "Checking $RESULT"
            if grep -q "127.0.0.1" <<<"$RESULT"; then
                ok "MTA is configured to localhost only"
            else
                crit "MTA listens worldwide"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking netport ports opened"
+    is_pkg_installed net-tools
-    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
+    if [ "$FNRET" != 0 ]; then
-    RESULT=${RESULT:-}
+        warn "netsat not installed, cannot execute check"
-    debug "Result is $RESULT"
+        exit 2
    if [ -z "$RESULT" ]; then
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
-        info "Checking $RESULT"
+        info "Checking netport ports opened"
-        if grep -q "127.0.0.1" <<<"$RESULT"; then
+        RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
-            ok "MTA is configured to localhost only"
+        RESULT=${RESULT:-}
        debug "Result is $RESULT"
        if [ -z "$RESULT" ]; then
            ok "Nothing listens on 25 port, probably unix socket configured"
        else
-            warn "MTA listens worldwide, correct this considering your MTA"
+            info "Checking $RESULT"
            if grep -q "127.0.0.1" <<<"$RESULT"; then
                ok "MTA is configured to localhost only"
            else
                warn "MTA listens worldwide, correct this considering your MTA"
            fi
        fi
    fi
    :
 }
 # This function will check config parameters required
--- a/bin/hardening/3.4.2_disable_sctp.sh
+++ b/bin/hardening/3.4.2_disable_sctp.sh
@ -28,7 +28,7 @@ audit() {
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
    else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
            crit "$MODULE_NAME is enabled!"
        else
--- a/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
 PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
 FW_CMD="iptables"
 FW_TIMEOUT="10"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,9 +29,9 @@ audit() {
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
-        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
        if [[ -z "$ipt" ]]; then
-            crit "Empty return from $PACKAGE command. Aborting..."
+            crit "Empty return from $FW_CMD command. Aborting..."
            return
        fi
        for chain in $FW_CHAINS; do
--- a/bin/hardening/4.1.1.3_audit_bootloader.sh
+++ b/bin/hardening/4.1.1.3_audit_bootloader.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Enable auditing for processes that start prior to auditd."
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit=1'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -18,7 +18,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."
 FILE='/etc/default/grub'
-OPTIONS='GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"'
+OPTIONS='GRUB_CMDLINE_LINUX=audit_backlog_limit=8192'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,7 +30,7 @@ audit() {
        for GRUB_OPTION in $OPTIONS; do
            GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
            GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
-            PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+            PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
            debug "$GRUB_PARAM should be set to $GRUB_VALUE"
            does_pattern_exist_in_file "$FILE" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
@ -55,7 +55,7 @@ apply() {
        GRUB_PARAM=$(echo "$GRUB_OPTION" | cut -d= -f 1)
        GRUB_VALUE=$(echo "$GRUB_OPTION" | cut -d= -f 2,3)
        debug "$GRUB_PARAM should be set to $GRUB_VALUE"
-        PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+        PATTERN="^$GRUB_PARAM=.*$GRUB_VALUE"
        does_pattern_exist_in_file "$FILE" "$PATTERN"
        if [ "$FNRET" != 0 ]; then
            warn "$PATTERN is not present in $FILE, adding it"
--- a/bin/hardening/4.1.10_record_failed_access_file.sh
+++ b/bin/hardening/4.1.10_record_failed_access_file.sh
@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -17,11 +17,12 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."
 # Find all files with setuid or setgid set
 SUDO_CMD='sudo -n'
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+# Find all files with setuid or setgid set
 AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.12_record_successful_mount.sh
+++ b/bin/hardening/4.1.12_record_successful_mount.sh
@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.13_record_file_deletions.sh
+++ b/bin/hardening/4.1.13_record_file_deletions.sh
@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.14_record_sudoers_edit.sh
+++ b/bin/hardening/4.1.14_record_sudoers_edit.sh
@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
 AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
 -w /etc/sudoers.d/ -p wa -k sudoers'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,14 +29,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -43,18 +51,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.15_record_sudo_usage.sh
+++ b/bin/hardening/4.1.15_record_sudo_usage.sh
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Collect system administration actions (sudolog)."
 AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,14 +28,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.16_record_kernel_modules.sh
+++ b/bin/hardening/4.1.16_record_kernel_modules.sh
@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.17_freeze_auditd_conf.sh
+++ b/bin/hardening/4.1.17_freeze_auditd_conf.sh
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Make the audit configuration immutable."
 AUDIT_PARAMS='-e 2'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,14 +28,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.3_record_date_time_edit.sh
+++ b/bin/hardening/4.1.3_record_date_time_edit.sh
@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -31,14 +32,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.4_record_user_group_edit.sh
+++ b/bin/hardening/4.1.4_record_user_group_edit.sh
@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/security/opasswd -p wa -k identity'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -31,14 +32,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -46,18 +54,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.5_record_network_edit.sh
+++ b/bin/hardening/4.1.5_record_network_edit.sh
@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
 -w /etc/network -p wa -k system-locale'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -32,14 +33,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.6_record_mac_edit.sh
+++ b/bin/hardening/4.1.6_record_mac_edit.sh
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
 AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,14 +28,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.7_record_login_logout.sh
+++ b/bin/hardening/4.1.7_record_login_logout.sh
@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
 AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 -w /var/log/tallylog -p wa -k logins'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -29,14 +30,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.8_record_session_init.sh
+++ b/bin/hardening/4.1.8_record_session_init.sh
@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
 AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
 -w /var/log/wtmp -p wa -k session
 -w /var/log/btmp -p wa -k session'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -29,14 +30,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -44,18 +52,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.1.9_record_dac_edit.sh
+++ b/bin/hardening/4.1.9_record_dac_edit.sh
@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -32,14 +33,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
-        IFS=$c_IFS
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$FNRET" != 0 ]; then
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            crit "$AUDIT_VALUE is not in file $FILE"
+            IFS=$c_IFS
-        else
+            if [ "$FNRET" != 0 ]; then
-            ok "$AUDIT_VALUE is present in $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -47,18 +55,31 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        IFS=$d_IFS
-        if [ "$FNRET" != 0 ]; then
+        SEARCH_RES=0
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
            IFS=$c_IFS
            if [ "$FNRET" != 0 ]; then
                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
            else
                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        done
        if [ "$SEARCH_RES" = 0 ]; then
            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
 }
 # This function will check config parameters required
--- a/bin/hardening/4.2.1.2_enable_syslog-ng.sh
+++ b/bin/hardening/4.2.1.2_enable_syslog-ng.sh
@ -17,29 +17,40 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure syslog-ng service is activated."
 PACKAGE='syslog-ng'
 SERVICE_NAME="syslog-ng"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    info "Checking if $SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
-    is_service_enabled "$SERVICE_NAME"
+    if [ "$FNRET" != 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is not installed!"
        ok "$SERVICE_NAME is enabled"
    else
-        crit "$SERVICE_NAME is disabled"
+        info "Checking if $SERVICE_NAME is enabled"
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" = 0 ]; then
            ok "$SERVICE_NAME is enabled"
        else
            crit "$SERVICE_NAME is disabled"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    info "Checking if $SERVICE_NAME is enabled"
+    is_pkg_installed "$PACKAGE"
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" != 0 ]; then
-        info "Enabling $SERVICE_NAME"
+        crit "$PACKAGE is not installed!"
        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
    else
-        ok "$SERVICE_NAME is enabled"
+        info "Checking if $SERVICE_NAME is enabled"
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" != 0 ]; then
            info "Enabling $SERVICE_NAME"
            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
        else
            ok "$SERVICE_NAME is enabled"
        fi
    fi
 }
--- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 # Note: this is not exacly the same check as the one described in CIS PDF
 PACKAGE='syslog-ng'
 PERMISSIONS=''
 USER=''
 GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+    is_pkg_installed "$PACKAGE"
-    for FILE in $FILES; do
+    if [ "$FNRET" != 0 ]; then
-        does_file_exist "$FILE"
+        crit "$PACKAGE is not installed!"
-        if [ "$FNRET" != 0 ]; then
+    else
-            warn "$FILE does not exist"
+        FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-        else
+        for FILE in $FILES; do
            does_file_exist "$FILE"
            if [ "$FNRET" != 0 ]; then
                warn "$FILE does not exist"
            else
                FOUND_EXC=0
                if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                    debug "$FILE is found in exceptions"
                    debug "Setting special user:group:perm"
                    FOUND_EXC=1
                    local user_bak="$USER"
                    local group_bak="$GROUP"
                    local perm_bak="$PERMISSIONS"
                    USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
                    GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
                    PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
                fi
                has_file_correct_ownership "$FILE" "$USER" "$GROUP"
                if [ "$FNRET" = 0 ]; then
                    ok "$FILE has correct ownership ($USER:$GROUP)"
                else
                    crit "$FILE ownership was not set to $USER:$GROUP"
                fi
                has_file_correct_permissions "$FILE" "$PERMISSIONS"
                if [ "$FNRET" = 0 ]; then
                    ok "$FILE has correct permissions ($PERMISSIONS)"
                else
                    crit "$FILE permissions were not set to $PERMISSIONS"
                fi
                if [ "$FOUND_EXC" = 1 ]; then
                    debug "Resetting user:group:perm"
                    USER="$user_bak"
                    GROUP="$group_bak"
                    PERMISSIONS="$perm_bak"
                fi
            fi
        done
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        for FILE in $FILES; do
            does_file_exist "$FILE"
            if [ "$FNRET" != 0 ]; then
                info "$FILE does not exist"
                filedir=$(dirname "${FILE#/var/log/}")
                if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
                    debug "Creating /var/log/$filedir for $FILE"
                    debug "mkdir -p /var/log/$filedir"
                    mkdir -p /var/log/"$filedir"
                fi
                touch "$FILE"
            fi
            FOUND_EXC=0
-            if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
+            if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
                debug "$FILE is found in exceptions"
                debug "Setting special user:group:perm"
                FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
            fi
            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct ownership ($USER:$GROUP)"
+                ok "$FILE has correct ownership"
            else
-                crit "$FILE ownership was not set to $USER:$GROUP"
+                warn "fixing $FILE ownership to $USER:$GROUP"
                chown "$USER":"$GROUP" "$FILE"
            fi
            has_file_correct_permissions "$FILE" "$PERMISSIONS"
            if [ "$FNRET" = 0 ]; then
-                ok "$FILE has correct permissions ($PERMISSIONS)"
+                ok "$FILE has correct permissions"
            else
-                crit "$FILE permissions were not set to $PERMISSIONS"
+                info "fixing $FILE permissions to $PERMISSIONS"
                chmod 0"$PERMISSIONS" "$FILE"
            fi
            if [ "$FOUND_EXC" = 1 ]; then
                debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
                GROUP="$group_bak"
                PERMISSIONS="$perm_bak"
            fi
-        fi
+        done
-    done
+    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for FILE in $FILES; do
        does_file_exist "$FILE"
        if [ "$FNRET" != 0 ]; then
            info "$FILE does not exist"
            filedir=$(dirname "${FILE#/var/log/}")
            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
                debug "Creating /var/log/$filedir for $FILE"
                debug "mkdir -p /var/log/$filedir"
                mkdir -p /var/log/"$filedir"
            fi
            touch "$FILE"
        fi
        FOUND_EXC=0
        if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
            debug "$FILE is found in exceptions"
            debug "Setting special user:group:perm"
            FOUND_EXC=1
            local user_bak="$USER"
            local group_bak="$GROUP"
            local perm_bak="$PERMISSIONS"
            USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
            GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
            PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            warn "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
        if [ "$FOUND_EXC" = 1 ]; then
            debug "Resetting user:group:perm"
            USER="$user_bak"
            GROUP="$group_bak"
            PERMISSIONS="$perm_bak"
        fi
    done
 }
 # This function will create the config file for this check with default values
--- a/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
+++ b/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
@ -17,40 +17,52 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
 PACKAGE='syslog-ng'
 PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [ "$FOUND" = 1 ]; then
        ok "$PATTERN is present in $FILES"
    else
-        crit "$PATTERN is not present in $FILES"
+        FOUND=0
        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
        for FILE in $FILES; do
            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                FOUND=1
            fi
        done
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [ "$FOUND" = 1 ]; then
        ok "$PATTERN is present in $FILES"
    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
+        FOUND=0
        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
        for FILE in $FILES; do
            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                FOUND=1
            fi
        done
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
        fi
    fi
 }
--- a/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
+++ b/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
@ -17,64 +17,74 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
 PACKAGE='syslog-ng'
 REMOTE_HOST=""
 PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$REMOTE_HOST" ]]; then
        info "This is the remote host, checking that it only accepts logs from specified zone"
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES"
        fi
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
+        FOUND=0
-        if [ "$FOUND" = 1 ]; then
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-            crit "$PATTERN is present in $FILES"
+        for FILE in $FILES; do
-        else
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-            ok "$PATTERN is not present in $FILES"
+            if [ "$FNRET" = 0 ]; then
-        fi
+                FOUND=1
            fi
        done
        if [[ "$REMOTE_HOST" ]]; then
            info "This is the remote host, checking that it only accepts logs from specified zone"
            if [ "$FOUND" = 1 ]; then
                ok "$PATTERN is present in $FILES"
            else
                crit "$PATTERN is not present in $FILES"
            fi
        else
            info "This is the not the remote host checking that it doesn't accept remote logs"
            if [ "$FOUND" = 1 ]; then
                crit "$PATTERN is present in $FILES"
            else
                ok "$PATTERN is not present in $FILES"
            fi
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    FOUND=0
+    is_pkg_installed "$PACKAGE"
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
+    if [ "$FNRET" != 0 ]; then
-    for FILE in $FILES; do
+        crit "$PACKAGE is not installed!"
        does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            FOUND=1
        fi
    done
    if [[ "$REMOTE_HOST" ]]; then
        info "This is the remote host, checking that it only accepts logs from specified zone"
        if [ "$FOUND" = 1 ]; then
            ok "$PATTERN is present in $FILES"
        else
            crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
        fi
    else
-        info "This is the not the remote host checking that it doesn't accept remote logs"
+        FOUND=0
-        if [ "$FOUND" = 1 ]; then
+        FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
-            warn "$PATTERN is present in $FILES, "
+        for FILE in $FILES; do
-        else
+            does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-            ok "$PATTERN is not present in $FILES"
+            if [ "$FNRET" = 0 ]; then
-        fi
+                FOUND=1
            fi
        done
        if [[ "$REMOTE_HOST" ]]; then
            info "This is the remote host, checking that it only accepts logs from specified zone"
            if [ "$FOUND" = 1 ]; then
                ok "$PATTERN is present in $FILES"
            else
                crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
            fi
        else
            info "This is the not the remote host checking that it doesn't accept remote logs"
            if [ "$FOUND" = 1 ]; then
                warn "$PATTERN is present in $FILES, "
            else
                ok "$PATTERN is not present in $FILES"
            fi
        fi
    fi
 }
--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -27,18 +27,19 @@ audit() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        crit "$FILE does not exist"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
@ -48,20 +49,21 @@ apply() {
    if [ "$FNRET" != 0 ]; then
        info "$FILE does not exist"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct ownership"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        else
-    if [ "$FNRET" = 0 ]; then
+            warn "fixing $FILE ownership to $USER:$GROUP"
-        ok "$FILE has correct permissions"
+            chown "$USER":"$GROUP" "$FILE"
-    else
+        fi
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
+            does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.18_sshd_limit_access.sh
+++ b/bin/hardening/5.2.18_sshd_limit_access.sh
@ -34,7 +34,7 @@ audit() {
            # shellcheck disable=SC2001
            SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -59,12 +59,12 @@ apply() {
        # shellcheck disable=SC2001
        SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
+++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
@ -17,6 +17,7 @@ HARDENING_LEVEL=1
 # shellcheck disable=2034
 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
 PACKAGE='openssh-server'
 FILE='/etc/ssh/sshd_config'
 PERMISSIONS='600'
 USER='root'
@ -24,40 +25,50 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct ownership"
+        ok "$PACKAGE is not installed!"
    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            ok "$FILE has correct ownership"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct permissions"
+            crit "$FILE ownership was not set to $USER:$GROUP"
-    else
+        fi
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            crit "$FILE permissions were not set to $PERMISSIONS"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_file_exist "$FILE"
+    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
-        info "$FILE does not exist"
+        ok "$PACKAGE is not installed"
        touch "$FILE"
    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
    else
-        warn "fixing $FILE ownership to $USER:$GROUP"
+        does_file_exist "$FILE"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" != 0 ]; then
-    fi
+            info "$FILE does not exist"
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            touch "$FILE"
-    if [ "$FNRET" = 0 ]; then
+        fi
-        ok "$FILE has correct permissions"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    else
+        if [ "$FNRET" = 0 ]; then
-        info "fixing $FILE permissions to $PERMISSIONS"
+            ok "$FILE has correct ownership"
-        chmod 0"$PERMISSIONS" "$FILE"
+        else
            warn "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
        has_file_correct_permissions "$FILE" "$PERMISSIONS"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct permissions"
        else
            info "fixing $FILE permissions to $PERMISSIONS"
            chmod 0"$PERMISSIONS" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/5.2.20_enable_ssh_pam.sh
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@ -32,11 +32,21 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
                if [ "$FNRET" != 0 ]; then
                    crit "$PATTERN is not present in $FILE"
                else
                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
                    else
                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
                    fi
                fi
            fi
        done
    fi
@ -55,17 +65,22 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
                else
                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
                fi
            fi
            /etc/init.d/ssh reload
        fi
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.5_sshd_loglevel.sh
+++ b/bin/hardening/5.2.5_sshd_loglevel.sh
@ -61,7 +61,7 @@ apply() {
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -32,11 +32,21 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
                if [ "$FNRET" != 0 ]; then
                    crit "$PATTERN is not present in $FILE"
                else
                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
                    else
                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
                    fi
                fi
            fi
        done
    fi
@ -55,17 +65,22 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
-            warn "$PATTERN is not present in $FILE, adding it"
+            warn "$PATTERN is not present in $FILE"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
                else
                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
                fi
            fi
            /etc/init.d/ssh reload
        fi
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -32,7 +32,7 @@ audit() {
            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
@ -55,12 +55,12 @@ apply() {
        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
            else
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
 CONF_FILE="/etc/pam.d/common-password"
 CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
@ -26,6 +26,9 @@ audit() {
    if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
        crit "$CONF_FILE is not readable"
    else
        if [ "$DEB_MAJ_VER" -ge "11" ]; then
            CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
        fi
        # shellcheck disable=SC2001
        does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
        if [ "$FNRET" = 0 ]; then
@ -47,7 +50,11 @@ apply() {
            ok "$CONF_LINE is present in $CONF_FILE"
        else
            warn "$CONF_LINE is not present in $CONF_FILE"
-            add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+            if [ "$DEB_MAJ_VER" -ge "11" ]; then
                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
            else
                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
            fi
        fi
    fi
 }
--- a/bin/hardening/5.4.5_default_timeout.sh
+++ b/bin/hardening/5.4.5_default_timeout.sh
@ -31,21 +31,21 @@ audit() {
            debug "$FILE_SEARCHED is a directory"
            # shellcheck disable=2044
            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                    SEARCH_RES=1
                    break
                fi
            done
        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$PATTERN is not present in $FILE_SEARCHED"
            else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        fi
@ -64,21 +64,21 @@ apply() {
            debug "$FILE_SEARCHED is a directory"
            # shellcheck disable=2044
            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                    SEARCH_RES=1
                    break
                fi
            done
        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
            if [ "$FNRET" != 0 ]; then
                debug "$PATTERN is not present in $FILE_SEARCHED"
            else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                SEARCH_RES=1
            fi
        fi
@ -87,8 +87,7 @@ apply() {
        warn "$PATTERN is not present in $FILES_TO_SEARCH"
        touch "$FILE"
        chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
        add_end_of_file "$FILE" "readonly TMOUT"
        add_end_of_file "$FILE" "export TMOUT"
    else
        ok "$PATTERN is present in $FILES_TO_SEARCH"
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@ -17,12 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"
 EXCLUDED=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    if [ -n "$EXCLUDED" ]; then
-    # shellcheck disable=SC2086
+        # maybe EXCLUDED allow us to filter out some FS
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    if [ -n "$RESULT" ]; then
        crit "Some world writable files are present"
        # shellcheck disable=SC2001
@ -35,10 +55,16 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        warn "chmoding o-w all files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
    else
        ok "No world writable files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are unowned files"
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # maybe EXCLUDED allow us to filter out some FS
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    if [ -n "$RESULT" ]; then
        crit "Some unowned files are present"
        # shellcheck disable=SC2001
@ -44,13 +57,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
    else
        ok "No unowned files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are ungrouped files"
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # maybe EXCLUDED allow us to filter out some FS
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    if [ -n "$RESULT" ]; then
        crit "Some ungrouped files are present"
        # shellcheck disable=SC2001
@ -44,13 +58,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
    if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
    else
        ok "No ungrouped files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@ -18,16 +18,30 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are suid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        # maybe IGNORED_PATH allow us to filter out some FS
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@ -18,16 +18,31 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''
 # find emits following error if directory or file disappear during
 # tree traversal: find: ‘/tmp/xxx’: No such file or directory
 FIND_IGNORE_NOSUCHFILE_ERR=false
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are sgid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        # maybe IGNORED_PATH allow us to filter out some FS
        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
--- a/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
+++ b/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
@ -25,35 +25,45 @@ GROUPSOK='root shadow'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+            ok "$FILE has correct permissions"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct ownership"
+            crit "$FILE permissions were not set to $PERMISSIONS"
-    else
+        fi
-        crit "$FILE ownership was not set to $USER:$GROUPSOK"
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUPSOK"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct permissions"
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+        else
-    if [ "$FNRET" = 0 ]; then
+            info "fixing $FILE permissions to $PERMISSIONS"
-        ok "$FILE has correct ownership"
+            chmod 0"$PERMISSIONS" "$FILE"
-    else
+        fi
-        info "fixing $FILE ownership to $USER:$GROUP"
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            info "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/6.1.6_etc_passwd-_permissions.sh
+++ b/bin/hardening/6.1.6_etc_passwd-_permissions.sh
@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
 FILE='/etc/passwd-'
 PERMISSIONS='600'
 PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            ok "$FILE has correct permissions"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct ownership"
+            crit "$FILE permissions were not set to $PERMISSIONS"
-    else
+        fi
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct permissions"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        else
-    if [ "$FNRET" = 0 ]; then
+            info "fixing $FILE permissions to $PERMISSIONS"
-        ok "$FILE has correct ownership"
+            chmod 0"$PERMISSIONS" "$FILE"
-    else
+        fi
-        info "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            info "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/6.1.7_etc_shadow-_permissions.sh
+++ b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
 FILE='/etc/shadow-'
 PERMISSIONS='600'
 PERMISSIONSOK='640 600'
 USER='root'
 GROUP='shadow'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            ok "$FILE has correct permissions"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct ownership"
+            crit "$FILE permissions were not set to $PERMISSIONS"
-    else
+        fi
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct permissions"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        else
-    if [ "$FNRET" = 0 ]; then
+            info "fixing $FILE permissions to $PERMISSIONS"
-        ok "$FILE has correct ownership"
+            chmod 0"$PERMISSIONS" "$FILE"
-    else
+        fi
-        info "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            info "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/6.1.8_etc_group-_permissions.sh
+++ b/bin/hardening/6.1.8_etc_group-_permissions.sh
@ -19,40 +19,51 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
 FILE='/etc/group-'
 PERMISSIONS='600'
 PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
-    fi
+        if [ "$FNRET" = 0 ]; then
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            ok "$FILE has correct permissions"
-    if [ "$FNRET" = 0 ]; then
+        else
-        ok "$FILE has correct ownership"
+            crit "$FILE permissions were not set to $PERMISSIONS"
-    else
+        fi
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
+        if [ "$FNRET" = 0 ]; then
-    fi
+            ok "$FILE has correct permissions"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        else
-    if [ "$FNRET" = 0 ]; then
+            info "fixing $FILE permissions to $PERMISSIONS"
-        ok "$FILE has correct ownership"
+            chmod 0"$PERMISSIONS" "$FILE"
-    else
+        fi
-        info "fixing $FILE ownership to $USER:$GROUP"
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            info "fixing $FILE ownership to $USER:$GROUP"
            chown "$USER":"$GROUP" "$FILE"
        fi
    fi
 }
--- a/bin/hardening/6.2.3_users_homedir_exist.sh
+++ b/bin/hardening/6.2.3_users_homedir_exist.sh
--- a/bin/hardening/6.2.9_users_homedir_ownership.sh
+++ b/bin/hardening/6.2.9_users_homedir_ownership.sh
@ -23,30 +23,13 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    debug "Checking homedir exists"
    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do
        debug "Working on $LINE"
        USER=$(awk -F: '{print $1}' <<<"$LINE")
        USERID=$(awk -F: '{print $2}' <<<"$LINE")
        DIR=$(awk -F: '{print $3}' <<<"$LINE")
        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
            crit "The home directory ($DIR) of user $USER does not exist."
            ERRORS=$((ERRORS + 1))
        fi
    done
    if [ "$ERRORS" = 0 ]; then
        ok "All home directories exists"
    fi
    debug "Checking homedir ownership"
    RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
    for LINE in $RESULT; do
        debug "Working on $LINE"
        USER=$(awk -F: '{print $1}' <<<"$LINE")
        USERID=$(awk -F: '{print $2}' <<<"$LINE")
        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+        if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
            OWNER=$(stat -L -c "%U" "$DIR")
            if [ "$OWNER" != "$USER" ]; then
                EXCEP_FOUND=0
--- a/bin/hardening/99.1.3_acc_sudoers_no_all.sh
+++ b/bin/hardening/99.1.3_acc_sudoers_no_all.sh
@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
 MAX_FILES_TO_LOG=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    # expand spaces to [[:space:]]*
    # shellcheck disable=2001
    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
    local skiplog
    skiplog=0
    if [ $MAX_FILES_TO_LOG != 0 ]; then
        # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
        # logging in the loop, to avoid flooding the logs and getting timed out
        local nbfiles
        # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
        nbfiles=$(ls -f "$DIRECTORY" | wc -l)
        if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
            skiplog=1
            info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
        fi
    fi
    FILES=""
    if $SUDO_CMD [ ! -r "$FILE" ]; then
        crit "$FILE is not readable"
@ -41,14 +60,20 @@ audit() {
    fi
    for file in $FILES; do
        if $SUDO_CMD [ ! -r "$file" ]; then
-            crit "$file is not readable"
+            debug "$file is not readable, but it might just have disappeared since we've listed the folder contents, re-check that it exists"
-        else
+            if $SUDO_CMD [ -e "$file" ]; then
-            # shellcheck disable=2001
+                crit "$file is not readable"
            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
                ok "There is no carte-blanche sudo permission in $file"
            else
-                # shellcheck disable=2001
+                debug "$file has disappeared, ignore it"
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
+                continue
            fi
        else
            if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
                if [ $skiplog = 0 ]; then
                    ok "There is no carte-blanche sudo permission in $file"
                fi
            else
                RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
                for line in $RET; do
                    if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
                        # shellcheck disable=2001
@ -73,8 +98,16 @@ apply() {
 create_config() {
    cat <<EOF
 status=audit
 # Put EXCEPTION account names here, space separated
 EXCEPT="root %root %sudo %wheel"
 # If we find more than this amount of files in sudoers.d/,
 # we'll reduce the logging in the loop to avoid getting
 # timed out because we spend too much time logging.
 # Using 0 disables this feature and will never reduce the
 # logging, regardless of the number of files.
 MAX_FILES_TO_LOG=0
 EOF
 }
 # This function will check config parameters required
--- a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
+++ b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        ok "$FILE exist"
-    fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
-        ok "$FILE has correct ownership"
+        else
-    else
+            crit "$FILE permissions were not set to $PERMISSIONS"
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist"
        touch "$FILE"
        warn "You may want to fill it with allowed networks"
    else
        ok "$FILE exist"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
+++ b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh
@ -24,22 +24,36 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
-    if [ "$FNRET" = 0 ]; then
+    if [ "$FNRET" != 0 ]; then
-        ok "$FILE has correct permissions"
+        crit "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
+        ok "$FILE exist"
-    fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
-    if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
-        ok "$FILE has correct ownership"
+        else
-    else
+            crit "$FILE permissions were not set to $PERMISSIONS"
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
        if [ "$FNRET" = 0 ]; then
            ok "$FILE has correct ownership"
        else
            crit "$FILE ownership was not set to $USER:$GROUP"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_file_exist "$FILE"
    if [ "$FNRET" != 0 ]; then
        warn "$FILE does not exist"
        touch "$FILE"
        warn "You may want to fill it with allowed networks"
    else
        ok "$FILE exist"
    fi
    has_file_correct_permissions "$FILE" "$PERMISSIONS"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct permissions"
--- a/bin/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh
@ -109,7 +109,7 @@ audit() {
        crit "/etc/ssh/sshd_config is not readable."
    else
        ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
-        if [ "x$ret" = "x#KO" ]; then
+        if [ "$ret" = "#KO" ]; then
            debug "No AuthorizedKeysFile defined in sshd_config."
        else
            AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@ -137,7 +137,7 @@ audit() {
            continue
        else
            info "User $user has a valid shell ($shell)."
-            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                check_dir /root
                continue
            elif $SUDO_CMD [ ! -d /home/"$user" ]; then
--- a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
+++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
@ -49,7 +49,6 @@ apply() {
            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
            replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
        fi
        /etc/init.d/ssh reload >/dev/null 2>&1
    fi
 }
--- a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@ -37,7 +37,7 @@ audit() {
            pw_found+="$user "
            ok "User $user has a disabled password."
        # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
-        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+        elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
            pw_found+="$user "
            ok "User $user has suitable SHA512 hashed password."
        else
--- a/Show More
+++ b/Show More