bump to 4.0-1

On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.

.github/workflows/compile-manual.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Produce debian man
         run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
-      - uses: EndBug/add-and-commit@v7
+      - uses: EndBug/add-and-commit@v9
         with:
           add: 'debian/cis-hardening.8'
           message: 'Regenerate man pages (Github action)'

.github/workflows/functionnal-tests.yml

@@ -4,24 +4,17 @@ on:
   - pull_request
   - push
 jobs:
-  functionnal-tests-docker-debian9:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-      - name: Run the tests debian9
-        run: ./tests/docker_build_and_run_tests.sh debian9
   functionnal-tests-docker-debian10:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the tests debian10
         run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the tests debian11
         run: ./tests/docker_build_and_run_tests.sh debian11

.github/workflows/pre-release.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       # BUILD THE .DEB PACKAGE
       - name: Build
         run: |
@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest
@@ -29,12 +29,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # GET LATEST VERSION TAG
       - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
         id: get-latest-tag
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v0.4.4
+        uses: metcalfc/changelog-generator@v4.1.0
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -8,9 +8,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.1.12
+        uses: luizm/action-sh-checker@v0.7.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
@@ -24,6 +24,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run shellcheck
         run: ./shellcheck/docker_build_and_run_shellcheck.sh

.github/workflows/tagged-release.yml

@@ -7,8 +7,6 @@ on:
 jobs:
   build:
     name: Create Release
-    # only runs on master
-    if: github.event.base_ref == 'refs/heads/master'
     runs-on: ubuntu-latest
     steps:
       # GET VERSION TAG
@@ -17,7 +15,7 @@ jobs:
         run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           ref: ${{ steps.vars.outputs.tag }}
       # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@@ -35,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest

README.md

@@ -1,7 +1,4 @@
-# :lock: CIS Debian 9/10 Hardening
-
-:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
-report issues if you find any!
+# :lock: CIS Debian 10/11 Hardening
 
 
 <p align="center">
@@ -16,7 +13,7 @@ report issues if you find any!
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 ```console
@@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian9` or `debian10`.
+With `target` being like `debian10` or `debian11`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 
@@ -101,9 +102,13 @@ OPTIONS:
         Finally note that '--sudo' mode only works for audit mode.
 
     --set-log-level <level>
-        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
+    --summary-json
+        While performing system audit, this option sets LOGLEVEL to silent and
+        only output a json summary at the end
+
     --batch
         While performing system audit, this option sets LOGLEVEL to 'ok' and
         captures all output to print only one line once the check is done, formatted like :
@@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
     --sudo)
         SUDO_MODE='--sudo'
         ;;
+    --summary-json)
+        SUMMARY_JSON='--summary-json'
+        ASK_LOGLEVEL=silent
+        ;;
     --batch)
         BATCH_MODE='--batch'
         ASK_LOGLEVEL=ok
@@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
     info "Treating $SCRIPT"
     if [ "$CREATE_CONFIG" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
     elif [ "$AUDIT" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$APPLY" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
     fi
 
     SCRIPT_EXITCODE=$?
@@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
     fi
     becho "$BATCH_SUMMARY"
+elif [ "$SUMMARY_JSON" ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    else
+        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
+    fi
+    printf '{'
+    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
+    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
+    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
+    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
+    printf '}\n'
 else
     printf "%40s\n" "################### SUMMARY ###################"
     printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -26,7 +26,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else
@@ -41,7 +41,7 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
         else

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -26,7 +26,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else
@@ -41,7 +41,7 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
         else

bin/hardening/1.1.1.8_disable_cramfs.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of cramfs filesystems."
+
+KERNEL_OPTION="CONFIG_CRAMFS"
+MODULE_NAME="cramfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11.1_var_log_noexec.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with noexec option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11.2_var_log_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11.3_var_log_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12.1_var_log_audit_noexec.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with noexec option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12.2_var_log_audit_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12.3_var_log_audit_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.14.1_home_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/home partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -17,12 +17,32 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
+EXCEPTIONS=''
+
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    if [ -n "$EXCEPTIONS" ]; then
+        # maybe EXCEPTIONS allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         # shellcheck disable=SC2001
@@ -35,9 +55,16 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        warn "Setting sticky bit on world writable directories"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
     else
         ok "All world writable directories have a sticky bit, nothing to apply"
     fi

bin/hardening/1.1.6.1_var_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.6.2_var_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -33,7 +34,7 @@ audit() {
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -51,7 +52,7 @@ apply() {
         chown "$USER":"$GROUP" "$FILE"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -63,7 +64,7 @@ apply() {
 # This function will check config parameters required
 check_config() {
 
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
         warn "Grub is not installed, not handling configuration"
         exit 2

bin/hardening/1.5.2_bootloader_password.sh

@@ -55,9 +55,9 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
+        warn "Grub is not installed, not handling configuration"
         exit 2
     fi
     if [ "$FNRET" != 0 ]; then

bin/hardening/1.6.3.1_disable_apport.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.3.1 Ensure apport is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable apport to avoid confidential data leaks."
+
+PACKAGE='apport'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed!"
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed, purging it"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -33,7 +33,7 @@ audit() {
     done
 
     if [ "$ERROR" = 0 ]; then
-        is_pkg_installed "grub-pc"
+        is_pkg_installed "grub-common"
         if [ "$FNRET" != 0 ]; then
             if [ "$IS_CONTAINER" -eq 1 ]; then
                 ok "Grub is not installed in container"

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -32,8 +32,8 @@ audit() {
         fi
     done
     if [ "$ERROR" = 0 ]; then
-        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
 
         if [ -n "$RESULT_UNCONFINED" ]; then
             ok "No profiles are unconfined"
@@ -61,8 +61,8 @@ apply() {
         fi
     done
 
-    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
-    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
 
     if [ -n "$RESULT_UNCONFINED" ]; then
         ok "No profiles are unconfined"

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
         ok "$SERVICE_NAME is enabled"
     else
         crit "$SERVICE_NAME is disabled"

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -25,18 +25,12 @@ CONF_FILE='/etc/chrony/chrony.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed, checking configuration"
     does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
     else
         ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
     fi
-    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -46,7 +40,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/2.2.1.4_configure_ntp.sh

@@ -20,18 +20,13 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed, checking configuration"
     does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
         crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
@@ -44,7 +39,6 @@ audit() {
     else
         ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
     fi
-    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -77,7 +71,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/3.4.2_disable_sctp.sh

@@ -28,7 +28,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else

bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh

@@ -20,6 +20,8 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
 PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
+FW_CMD="iptables"
+FW_TIMEOUT="10"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -27,9 +29,9 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
-        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
         if [[ -z "$ipt" ]]; then
-            crit "Empty return from $PACKAGE command. Aborting..."
+            crit "Empty return from $FW_CMD command. Aborting..."
             return
         fi
         for chain in $FW_CHAINS; do

bin/hardening/4.1.10_record_failed_access_file.sh

@@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -30,14 +31,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -45,18 +53,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.11_record_privileged_commands.sh

@@ -17,10 +17,12 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."
 
+SUDO_CMD='sudo -n'
 # Find all files with setuid or setgid set
-AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
     awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -29,14 +31,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -44,18 +53,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.12_record_successful_mount.sh

@@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
 
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -28,14 +29,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -43,18 +51,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.13_record_file_deletions.sh

@@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
 
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -28,14 +29,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -43,18 +51,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.14_record_sudoers_edit.sh

@@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
 
 AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
 -w /etc/sudoers.d/ -p wa -k sudoers'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -28,14 +29,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -43,18 +51,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.15_record_sudo_usage.sh

@@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Collect system administration actions (sudolog)."
 
 AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -27,14 +28,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -42,18 +50,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.16_record_kernel_modules.sh

@@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -30,14 +31,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -45,18 +53,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.17_freeze_auditd_conf.sh

@@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Make the audit configuration immutable."
 
 AUDIT_PARAMS='-e 2'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -27,14 +28,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -42,18 +50,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.3_record_date_time_edit.sh

@@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -31,14 +32,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -46,18 +54,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.4_record_user_group_edit.sh

@@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/security/opasswd -p wa -k identity'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -31,14 +32,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -46,18 +54,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.5_record_network_edit.sh

@@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
 -w /etc/network -p wa -k system-locale'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -32,14 +33,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -47,18 +55,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.6_record_mac_edit.sh

@@ -18,7 +18,8 @@ HARDENING_LEVEL=4
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
 
 AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -27,14 +28,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -42,18 +50,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.7_record_login_logout.sh

@@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
 AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 -w /var/log/tallylog -p wa -k logins'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -29,14 +30,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -44,18 +52,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.8_record_session_init.sh

@@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
 AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
 -w /var/log/wtmp -p wa -k session
 -w /var/log/btmp -p wa -k session'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -29,14 +30,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -44,18 +52,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/4.1.9_record_dac_edit.sh

@@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -32,14 +33,21 @@ audit() {
     c_IFS=$'\n'
     IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
         IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
             IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
     IFS=$d_IFS
@@ -47,18 +55,31 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
     for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-            ok "$AUDIT_VALUE is present in $FILE"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
             fi
         done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
+    done
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/5.2.10_disable_root_login.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^$SSH_PARAM"
+            does_pattern_exist_in_file_nocase "$FILE" "^$SSH_PARAM"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.18_sshd_limit_access.sh

@@ -34,7 +34,7 @@ audit() {
             # shellcheck disable=SC2001
             SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -59,12 +59,12 @@ apply() {
         # shellcheck disable=SC2001
         SSH_VALUE=$(sed "s/'//g" <<<"$SSH_VALUE")
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.20_enable_ssh_pam.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.22_configure_ssh_max_startups.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -32,11 +32,21 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+            does_pattern_exist_in_file_nocase $FILE "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
                     crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -55,17 +65,22 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
                     replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.4_sshd_protocol.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.5_sshd_loglevel.sh

@@ -61,7 +61,7 @@ apply() {
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -32,11 +32,21 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
                     crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -55,17 +65,22 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            warn "$PATTERN is not present in $FILE"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
                     replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -32,7 +32,7 @@ audit() {
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file "$FILE" "$PATTERN"
+            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
@@ -55,12 +55,12 @@ apply() {
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
             warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -15,7 +15,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
 
 CONF_FILE="/etc/pam.d/common-password"
 CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
@@ -26,6 +26,9 @@ audit() {
     if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
         crit "$CONF_FILE is not readable"
     else
+        if [ "$DEB_MAJ_VER" -ge "11" ]; then
+            CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
+        fi
         # shellcheck disable=SC2001
         does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
         if [ "$FNRET" = 0 ]; then
@@ -47,9 +50,13 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
+            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
+            else
                 add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
             fi
         fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/5.4.5_default_timeout.sh

@@ -31,21 +31,21 @@ audit() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         fi
@@ -64,21 +64,21 @@ apply() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                    debug "$PATTERN is not present in $file_in_dir"
                 else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    ok "$PATTERN is present in $file_in_dir"
                     SEARCH_RES=1
                     break
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                ok "$PATTERN is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         fi
@@ -87,8 +87,7 @@ apply() {
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
         touch "$FILE"
         chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
-        add_end_of_file "$FILE" "readonly TMOUT"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
         add_end_of_file "$FILE" "export TMOUT"
     else
         ok "$PATTERN is present in $FILES_TO_SEARCH"

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -17,12 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"
 
+EXCLUDED=''
+
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+    if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable files are present"
         # shellcheck disable=SC2001
@@ -35,10 +55,16 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         warn "chmoding o-w all files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
     else
         ok "No world writable files found, nothing to apply"
     fi

bin/hardening/6.1.11_find_unowned_files.sh

@@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some unowned files are present"
         # shellcheck disable=SC2001
@@ -44,13 +57,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         warn "Applying chown on all unowned files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
     else
         ok "No unowned files found, nothing to apply"
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some ungrouped files are present"
         # shellcheck disable=SC2001
@@ -44,13 +58,14 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
     fi
     if [ -n "$RESULT" ]; then
         warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
     else
         ok "No ungrouped files found, nothing to apply"
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -18,16 +18,30 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are suid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/6.1.14_find_sgid_files.sh

@@ -18,16 +18,31 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are sgid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/6.1.3_etc_gshadow-_permissions.sh

@@ -25,6 +25,10 @@ GROUPSOK='root shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
@@ -37,10 +41,15 @@ audit() {
         else
             crit "$FILE ownership was not set to $USER:$GROUPSOK"
         fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
@@ -55,6 +64,7 @@ apply() {
             info "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/6.1.6_etc_passwd-_permissions.sh

@@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
 
 FILE='/etc/passwd-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else
@@ -36,10 +41,15 @@ audit() {
         else
             crit "$FILE ownership was not set to $USER:$GROUP"
         fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
@@ -54,6 +64,7 @@ apply() {
             info "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/6.1.7_etc_shadow-_permissions.sh

@@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
 
 FILE='/etc/shadow-'
 PERMISSIONS='600'
+PERMISSIONSOK='640 600'
 USER='root'
 GROUP='shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else
@@ -36,10 +41,15 @@ audit() {
         else
             crit "$FILE ownership was not set to $USER:$GROUP"
         fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
@@ -54,6 +64,7 @@ apply() {
             info "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/6.1.8_etc_group-_permissions.sh

@@ -19,12 +19,17 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
 
 FILE='/etc/group-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else
@@ -36,10 +41,15 @@ audit() {
         else
             crit "$FILE ownership was not set to $USER:$GROUP"
         fi
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
+    else
         has_file_correct_permissions "$FILE" "$PERMISSIONS"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
@@ -54,6 +64,7 @@ apply() {
             info "fixing $FILE ownership to $USER:$GROUP"
             chown "$USER":"$GROUP" "$FILE"
         fi
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/6.2.9_users_homedir_ownership.sh

@@ -23,30 +23,13 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    debug "Checking homedir exists"
-    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERID=$(awk -F: '{print $2}' <<<"$LINE")
-        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
-            crit "The home directory ($DIR) of user $USER does not exist."
-            ERRORS=$((ERRORS + 1))
-        fi
-    done
-
-    if [ "$ERRORS" = 0 ]; then
-        ok "All home directories exists"
-    fi
-    debug "Checking homedir ownership"
     RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
     for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: '{print $1}' <<<"$LINE")
         USERID=$(awk -F: '{print $2}' <<<"$LINE")
         DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+        if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
             OWNER=$(stat -L -c "%U" "$DIR")
             if [ "$OWNER" != "$USER" ]; then
                 EXCEP_FOUND=0

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
+MAX_FILES_TO_LOG=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # expand spaces to [[:space:]]*
+    # shellcheck disable=2001
+    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+
+    local skiplog
+    skiplog=0
+    if [ $MAX_FILES_TO_LOG != 0 ]; then
+        # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
+        # logging in the loop, to avoid flooding the logs and getting timed out
+        local nbfiles
+        # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
+        nbfiles=$(ls -f "$DIRECTORY" | wc -l)
+        if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
+            skiplog=1
+            info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
+        fi
+    fi
+
     FILES=""
     if $SUDO_CMD [ ! -r "$FILE" ]; then
         crit "$FILE is not readable"
@@ -41,14 +60,20 @@ audit() {
     fi
     for file in $FILES; do
         if $SUDO_CMD [ ! -r "$file" ]; then
+            debug "$file is not readable, but it might just have disappeared since we've listed the folder contents, re-check that it exists"
+            if $SUDO_CMD [ -e "$file" ]; then
                 crit "$file is not readable"
             else
-            # shellcheck disable=2001
-            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
-                ok "There is no carte-blanche sudo permission in $file"
+                debug "$file has disappeared, ignore it"
+                continue
+            fi
         else
-                # shellcheck disable=2001
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
+            if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
+                if [ $skiplog = 0 ]; then
+                    ok "There is no carte-blanche sudo permission in $file"
+                fi
+            else
+                RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
                 for line in $RET; do
                     if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
                         # shellcheck disable=2001
@@ -73,8 +98,16 @@ apply() {
 create_config() {
     cat <<EOF
 status=audit
+
 # Put EXCEPTION account names here, space separated
 EXCEPT="root %root %sudo %wheel"
+
+# If we find more than this amount of files in sudoers.d/,
+# we'll reduce the logging in the loop to avoid getting
+# timed out because we spend too much time logging.
+# Using 0 disables this feature and will never reduce the
+# logging, regardless of the number of files.
+MAX_FILES_TO_LOG=0
 EOF
 }
 # This function will check config parameters required

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -109,7 +109,7 @@ audit() {
         crit "/etc/ssh/sshd_config is not readable."
     else
         ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
-        if [ "x$ret" = "x#KO" ]; then
+        if [ "$ret" = "#KO" ]; then
             debug "No AuthorizedKeysFile defined in sshd_config."
         else
             AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@@ -137,7 +137,7 @@ audit() {
             continue
         else
             info "User $user has a valid shell ($shell)."
-            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                 check_dir /root
                 continue
             elif $SUDO_CMD [ ! -d /home/"$user" ]; then

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -49,7 +49,6 @@ apply() {
             info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
             replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
         fi
-        /etc/init.d/ssh reload >/dev/null 2>&1
     fi
 }
 

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
-        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+        elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "
             ok "User $user has suitable SHA512 hashed password."
         else

cisharden.sudoers

@@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /sbin/sysctl -a,\
                         /bin/dmesg "",\
                         /bin/netstat,\
+                        /usr/sbin/lsmod,\
+                        /sbin/lsmod,\
+                        /sbin/modprobe,\
+                        /usr/sbin/modprobe -n -v*,\
                         /usr/sbin/apparmor_status
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

debian/changelog

@@ -1,3 +1,111 @@
+cis-hardening (4.0-1) unstable; urgency=medium
+
+  * fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
+  * fix: change auditd file rule remediation (#179)
+  * fix: correct debian package compression override (#181)
+  * fix: ensure mountpoints are properly detected (#177)
+  * fix: correct search in 5.4.5_default_timeout in apply mode (#178)
+  * fix: force xz compression during .deb build (#180)
+  * feat: official Debian 11 compatibility (#176)
+  * Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Mon, 10 Jul 2023 07:18:55 +0000
+
+cis-hardening (3.8-1) unstable; urgency=medium
+
+  * fix: timeout of 99.1.3 (#168)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Thu, 23 Mar 2023 10:00:06 +0000
+
+cis-hardening (3.7-1) unstable; urgency=medium
+
+  * feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
+
+ -- Yannick Martin <yannick.martin@ovhcloud.com>  Mon, 04 Jul 2022 14:34:03 +0200
+
+cis-hardening (3.6-1) unstable; urgency=medium
+
+  * feat: Filter the filesystem to check when the list is built. (#156)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Fri, 24 Jun 2022 15:49:00 +0000
+
+cis-hardening (3.5-1) unstable; urgency=medium
+
+  * fix: add 10s wait timeout on iptables command (#151)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 23 Mar 2022 17:28:08 +0100
+
+cis-hardening (3.4-1) unstable; urgency=medium
+
+  * fix: allow passwd-, group- and shadow- debian default permissions (#149)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Fri, 18 Mar 2022 15:43:24 +0000
+
+cis-hardening (3.3-1) unstable; urgency=medium
+
+  * fix: missing shadowtools backup files is ok (#132)
+  * feat: Dissociate iptables pkg name from command (#137)
+  * fix: Catch unexpected failures (#140)
+  * fix: Avoid find failures on too many files (#144)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 02 Mar 2022 13:25:33 +0100
+
+cis-hardening (3.2-2) unstable; urgency=medium
+
+  * Fix empty fstab test 
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 08 Dec 2021 13:59:49 +0100
+
+cis-hardening (3.2-1) unstable; urgency=medium
+
+  - Skip NTP and Chrony config check if they are not installed (#120)
+  - Fix 3.4.2 audit rule (#123)
+  - Fix grub detection (#119)
+  - Allow grub.cfg permission to be 600 (#121)
+  - Honor --set-log-level parameter (#127)
+  - fix: kernel module detection (#129)
+  - Add silent mode and json summary (#128)
+  - FIX(1.7.1.4): don't abort script in case of unconfined processes (#130)
+  - FIX(2.2.1.4): Validate debian default ntp config (#118)
+  - 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112)
+  - Fix 5.4.5 pattern search (#108)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Wed, 01 Dec 2021 10:56:47 +0000
+
+cis-hardening (3.1-6) unstable; urgency=medium
+
+  * Improve EXCEPTIONS management (1.1.21,6.1.10)
+  * Fix bug linked with regex quoting (6.1.10-11-12-13-14)
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Wed, 02 Jun 2021 09:45:40 +0200
+
+cis-hardening (3.1-5) unstable; urgency=medium
+
+  * Fix unbound EXCEPTIONS variable in some cases
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Fri, 28 May 2021 15:02:34 +0200
+
+cis-hardening (3.1-4) unstable; urgency=medium
+
+  * Add test to check stderr is empty
+  * Fix 2.2.1.2 audit and apply
+  * Accept lower values as valid 5.2.7 and 5.2.23
+  * Add dir exceptions in 1.1.21 and 6.1.10
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 06 May 2021 10:07:22 +0200
+
+cis-hardening (3.1-3) unstable; urgency=medium
+
+  * Fix 4.1.11 permissions
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 12 Apr 2021 12:17:16 +0200
+
+cis-hardening (3.1-2) unstable; urgency=medium
+
+  * Fix case for sshd pattern searching
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Fri, 02 Apr 2021 09:16:16 +0200
+
 cis-hardening (3.1-1) unstable; urgency=medium
 
   * Various mispeling fixes

debian/rules

@@ -16,6 +16,9 @@ PACKAGE = $(shell dh_listpackages)
 %:
 	dh $@
 
+override_dh_builddeb:
+	dh_builddeb -- -Zxz
+
 override_dh_install:
 	dh_install
 	mkdir -p $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/

lib/common.sh

@@ -25,6 +25,9 @@ backup_file() {
 #
 
 case $LOGLEVEL in
+silent)
+    MACHINE_LOG_LEVEL=0
+    ;;
 error)
     MACHINE_LOG_LEVEL=1
     ;;
@@ -100,6 +103,20 @@ debug() {
     if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
 }
 
+exception() {
+    # Trap exit code is the same as the trapped one unless we call an explicit exit
+    TRAP_CODE=$?
+    if [ "$ACTIONS_DONE" -ne 1 ]; then
+        if [ "$BATCH_MODE" -eq 1 ]; then
+            BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT KO{Unexpected exit code: $TRAP_CODE}"
+            becho "$BATCH_OUTPUT"
+        else
+            crit "Check failed with unexpected exit code: $TRAP_CODE"
+        fi
+        exit 1 # Means critical status
+    fi
+}
+
 #
 # sudo wrapper
 # issue crit state if not allowed to perform sudo

lib/constants.sh

@@ -57,6 +57,6 @@ get_distribution
 get_debian_major_version
 
 # shellcheck disable=SC2034
-SMALLEST_SUPPORTED_DEBIAN_VERSION=9
+SMALLEST_SUPPORTED_DEBIAN_VERSION=10
 # shellcheck disable=SC2034
-HIGHEST_SUPPORTED_DEBIAN_VERSION=10
+HIGHEST_SUPPORTED_DEBIAN_VERSION=11

lib/main.sh

@@ -10,9 +10,17 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
+SAVED_LOGLEVEL=""
+ACTIONS_DONE=0
 
+if [ -n "${LOGLEVEL:-}" ]; then
+    SAVED_LOGLEVEL=$LOGLEVEL
+fi
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ -n "$SAVED_LOGLEVEL" ]; then
+    LOGLEVEL=$SAVED_LOGLEVEL
+fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh
@@ -104,6 +112,9 @@ if [ -z "$status" ]; then
     exit 2
 fi
 
+# We want to trap unexpected failures in check scripts
+trap exception EXIT
+
 case $status in
 enabled | true)
     info "Checking Configuration"
@@ -121,6 +132,7 @@ audit)
     ;;
 disabled | false)
     info "$SCRIPT_NAME is disabled, ignoring"
+    ACTIONS_DONE=1
     exit 2 # Means unknown status
     ;;
 *)
@@ -128,6 +140,8 @@ disabled | false)
     ;;
 esac
 
+ACTIONS_DONE=1
+
 if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
     if [ "$BATCH_MODE" -eq 1 ]; then
         BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"

lib/utils.sh

@@ -349,10 +349,10 @@ is_kernel_option_enabled() {
         fi
 
         ANSWER=$(cut -d = -f 2 <<<"$RESULT")
-        if [ "x$ANSWER" = "xy" ]; then
+        if [ "$ANSWER" = "y" ]; then
             debug "Kernel option $KERNEL_OPTION enabled"
             FNRET=0
-        elif [ "x$ANSWER" = "xn" ]; then
+        elif [ "$ANSWER" = "n" ]; then
             debug "Kernel option $KERNEL_OPTION disabled"
             FNRET=1
         else
@@ -384,9 +384,9 @@ is_kernel_option_enabled() {
         fi
     else
         if [ "$MODPROBE_FILTER" != "" ]; then
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
         else
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
         fi
 
         if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
@@ -415,15 +415,18 @@ is_kernel_option_enabled() {
 is_a_partition() {
     local PARTITION=$1
     FNRET=128
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
         debug "/etc/fstab not found or empty, searching mountpoint"
-        if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
+        if mountpoint -q "$PARTITION"; then
             FNRET=0
         fi
     else
         if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then
             debug "$PARTITION found in fstab"
             FNRET=0
+        elif mountpoint -q "$PARTITION"; then
+            debug "$PARTITION found in /proc fs"
+            FNRET=0
         else
             debug "Unable to find $PARTITION in fstab"
             FNRET=1
@@ -448,8 +451,8 @@ is_mounted() {
 has_mount_option() {
     local PARTITION=$1
     local OPTION=$2
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
-        debug "/etc/fstab not found or empty, readin current mount options"
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
+        debug "/etc/fstab not found or empty, reading current mount options"
         has_mounted_option "$PARTITION" "$OPTION"
     else
         if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
@@ -461,6 +464,9 @@ has_mount_option() {
         if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "$OPTION"; then
             debug "$OPTION has been detected in fstab for partition $PARTITION"
             FNRET=0
+        elif mountpoint -q "$PARTITION"; then
+            debug "$OPTION not detected in fstab, but $PARTITION is a mount point searching in /proc fs"
+            has_mounted_option "$PARTITION" "$OPTION"
         else
             debug "Unable to find $OPTION in fstab for partition $PARTITION"
             FNRET=1

tests/docker/Dockerfile.debian8

@@ -1,22 +0,0 @@
-FROM debian:jessie
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-

tests/docker/Dockerfile.debian9

@@ -1,22 +0,0 @@
-FROM debian:stretch
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-

tests/hardening/1.1.1.8_disable_cramfs.sh

@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.11.1_var_log_noexec.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.11.2_var_log_nosuid.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.11.3_var_log_nodev.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.12.1_var_log_audit_noexec.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.12.2_var_log_audit_nosuid.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.12.3_var_log_audit_nodev.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.14.1_home_nosuid.sh

@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}

tests/hardening/1.1.15_run_shm_nodev.sh

@@ -2,19 +2,25 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 1
-    dismiss_count_for_test
+    register_test retvalshouldbe 0
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo "dummy entry" >>/etc/fstab
+
+    describe Fstab with a real entry to match runtime partitions
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup
     rm /run/shm
+    sed "/dummy entry/d" /etc/fstab
 
     ##################################################################
     # For this test, we only check that it runs properly on a blank  #

tests/hardening/1.1.16_run_shm_nosuid.sh

@@ -3,18 +3,24 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo "dummy entry" >>/etc/fstab
+
+    describe Fstab with a real entry to match runtime partitions
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup
     rm /run/shm
+    sed "/dummy entry/d" /etc/fstab
 
     ##################################################################
     # For this test, we only check that it runs properly on a blank  #

tests/hardening/1.1.17_run_shm_noexec.sh

@@ -3,18 +3,24 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo "dummy entry" >>/etc/fstab
+
+    describe Fstab with a real entry to match runtime partitions
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup
     rm /run/shm
+    sed "/dummy entry/d" /etc/fstab
 
     ##################################################################
     # For this test, we only check that it runs properly on a blank  #

tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,14 +1,20 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/exception
+    chmod 777 /home/secaudit/exception
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "All world writable directories have a sticky bit"
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
+
     describe Tests purposely failing
     local targetdir="/home/secaudit/world_writable_folder"
     mkdir $targetdir || true
@@ -17,6 +23,12 @@ test_audit() {
     register_test contain "Some world writable directories are not on sticky bit mode"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
@@ -25,5 +37,5 @@ test_audit() {
     register_test retvalshouldbe 0
     register_test contain "All world writable directories have a sticky bit"
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
+
 }