fix: add tinyproxy in HTTP proxies

Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 1.0.1 to 1.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v1.0.1...v1.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/compile-manual.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Produce debian man
         run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
       - uses: EndBug/add-and-commit@v9

.github/workflows/functionnal-tests.yml

@@ -4,24 +4,24 @@ on:
   - pull_request
   - push
 jobs:
-  functionnal-tests-docker-debian9:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-      - name: Run the tests debian9
-        run: ./tests/docker_build_and_run_tests.sh debian9
   functionnal-tests-docker-debian10:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run the tests debian10
         run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run the tests debian11
         run: ./tests/docker_build_and_run_tests.sh debian11
+  functionnal-tests-docker-debian12:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian12
+        run: ./tests/docker_build_and_run_tests.sh debian12

.github/workflows/pre-release.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       # BUILD THE .DEB PACKAGE
       - name: Build
         run: |
@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest
@@ -34,7 +34,7 @@ jobs:
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v4.1.0
+        uses: metcalfc/changelog-generator@v4.3.1
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -8,9 +8,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.5.0
+        uses: luizm/action-sh-checker@v0.8.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
@@ -24,6 +24,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run shellcheck
         run: ./shellcheck/docker_build_and_run_shellcheck.sh

.github/workflows/tagged-release.yml

@@ -15,7 +15,7 @@ jobs:
         run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
       # CHECKOUT CODE
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ steps.vars.outputs.tag }}
       # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 9/10 Hardening
+cis-hardening - CIS Debian 10/11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 9/10 Hardening
 
 # DESCRIPTION
 
-Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
@@ -139,7 +139,7 @@ will create a timestamped backup in this directory.
 
 # COPYRIGHT
 
-Copyright 2020 OVHcloud
+Copyright 2023 OVHcloud
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,7 +1,4 @@
-# :lock: CIS Debian 9/10 Hardening
+# :lock: CIS Debian 10/11/12 Hardening
-
-:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
-report issues if you find any!
 
 
 <p align="center">
@@ -16,9 +13,12 @@ report issues if you find any!
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
+NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
+in production at OVHcloud on Debian 12 Operating Systems.
+
 ```console
 $ bin/hardening.sh --audit-all
 [...]
@@ -43,9 +43,11 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
-$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
+$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
-$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
+$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
-hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
+$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
+$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
+$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit
 1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
 1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
 1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
@@ -172,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian9` or `debian10`.
+With `target` being like `debian10` or `debian11`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.
@@ -244,6 +246,20 @@ built a secure environment. While we use it at OVHcloud to harden our PCI-DSS co
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
+A word about numbering, implementation and sustainability over time of this repository:
+This project is born with the Debian 7 distribution in 2016. Over time, CIS Benchmark PDF
+has evolved, changing it's numbering, deleting obsolete checks.
+In order to keep retro-compatiblity with the last maintained Debian, the numbering
+has not been changed along with the PDF, because the configuration scripts are named after it.
+Changing the numbering might break automation for admins using it for years, and handling
+this issue without breaking anything would require a huge refactoring.
+As a consequence, please do not worry about numbering, the checks are there,
+but the numbering accross PDFs might differ.
+Please also note that all the check inside CIS Benchmark PDF might not be implemented
+in this set of scripts.
+We did choose the most relevant to us at OVHcloud, do not hesitate to make a
+Pull Request in order to add the missing script you might find relevant for you.
+
 Additionally, quoting the License:
 
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
@@ -257,6 +273,7 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+
 ## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/

bin/hardening.sh

@@ -192,7 +192,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ] && [ "$SET_HARDENING_LEVEL" -eq 0 ]; then
     usage
 fi
 
@@ -201,21 +201,21 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ] || [ -z "${CIS_CONF_DIR}" ] || [ -z "${CIS_CHECKS_DIR}" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR, CIS_CONF_DIR, CIS_CHECKS_DIR variables, aborting."
     exit 128
 fi
 
 # shellcheck source=../etc/hardening.cfg
-[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+[ -r "${CIS_CONF_DIR}"/hardening.cfg ] && . "${CIS_CONF_DIR}"/hardening.cfg
 if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/common.sh
-[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
+[ -r "${CIS_LIB_DIR}"/common.sh ] && . "${CIS_LIB_DIR}"/common.sh
 # shellcheck source=../lib/utils.sh
-[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
+[ -r "${CIS_LIB_DIR}"/utils.sh ] && . "${CIS_LIB_DIR}"/utils.sh
 # shellcheck source=../lib/constants.sh
-[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
+[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
@@ -257,7 +257,7 @@ fi
 # If --allow-service-list is specified, don't run anything, just list the supported services
 if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
     declare -a HARDENING_EXCEPTIONS_LIST
-    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+    for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
         template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
         [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
     done
@@ -272,7 +272,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
         exit 1
     fi
 
-    for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+    for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
         SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
         script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
         if [ -z "$script_level" ]; then
@@ -281,7 +281,7 @@ if [ -n "$SET_HARDENING_LEVEL" ] && [ "$SET_HARDENING_LEVEL" != 0 ]; then
         fi
         wantedstatus=disabled
         [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
-        sed -i -re "s/^status=.+/status=$wantedstatus/" "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+        sed -i -re "s/^status=.+/status=$wantedstatus/" "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
     done
     echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
     exit 0
@@ -293,13 +293,13 @@ if [ "$CREATE_CONFIG" = 1 ] && [ "$EUID" -ne 0 ]; then
 fi
 
 # Parse every scripts and execute them in the required mode
-for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
+for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
     if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
         SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
         # shellcheck disable=SC2001
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi
@@ -307,19 +307,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
 
     info "Treating $SCRIPT"
     if [ "$CREATE_CONFIG" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        debug "$SCRIPT --create-config-files-only"
         LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
     elif [ "$AUDIT" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+        debug "$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
         LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
         LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+        debug "$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
         LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$APPLY" = 1 ]; then
-        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
+        debug "$SCRIPT"
         LOGLEVEL=$LOGLEVEL "$SCRIPT"
     fi
 
@@ -332,8 +332,8 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
         PASSED_CHECKS=$((PASSED_CHECKS + 1))
         if [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
             SCRIPT_BASENAME=$(basename "$SCRIPT" .sh)
-            sed -i -re 's/^status=.+/status=enabled/' "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            sed -i -re 's/^status=.+/status=enabled/' "${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
-            info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
+            info "Status set to enabled in ${CIS_CONF_DIR}/conf.d/$SCRIPT_BASENAME.cfg"
         fi
         ;;
     1)

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.6_disable_udf.sh

@@ -60,17 +60,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.1.8_disable_cramfs.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable mounting of cramfs filesystems."
+
+KERNEL_OPTION="CONFIG_CRAMFS"
+MODULE_NAME="cramfs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing or disable this check!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            crit "$MODULE_NAME is enabled!"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$IS_CONTAINER" -eq 1 ]; then
+        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
+        ok "Container detected, consider host enforcing!"
+    else
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
+            warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
+        else
+            ok "$MODULE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.10_var_tmp_noexec.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.11.1_var_log_noexec.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with noexec option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11.2_var_log_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11.3_var_log_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.11_var_log_partition.sh

@@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.12.1_var_log_audit_noexec.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with noexec option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12.2_var_log_audit_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12.3_var_log_audit_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var/log/audit partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.13_home_partition.sh

@@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.14.1_home_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/home partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.14_home_nodev.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.15_run_shm_nodev.sh

@@ -81,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.16_run_shm_nosuid.sh

@@ -81,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.17_run_shm_noexec.sh

@@ -81,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.18_removable_device_nodev.sh

@@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.19_removable_device_nosuid.sh

@@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.20_removable_device_noexec.sh

@@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -81,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.22_disable_automounting.sh

@@ -52,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -62,17 +62,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.2_tmp_partition.sh

@@ -63,17 +63,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.3_tmp_nodev.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.4_tmp_nosuid.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.5_tmp_noexec.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.6.1_var_nodev.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var partition with nodev option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.6.2_var_nosuid.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    info "Verifying that $PARTITION is a partition"
+    FNRET=0
+    is_a_partition "$PARTITION"
+    if [ "$FNRET" -gt 0 ]; then
+        crit "$PARTITION is not a partition"
+        FNRET=2
+    else
+        ok "$PARTITION is a partition"
+        has_mount_option "$PARTITION" "$OPTION"
+        if [ "$FNRET" -gt 0 ]; then
+            crit "$PARTITION has no option $OPTION in fstab!"
+            FNRET=1
+        else
+            ok "$PARTITION has $OPTION in fstab"
+            has_mounted_option "$PARTITION" "$OPTION"
+            if [ "$FNRET" -gt 0 ]; then
+                warn "$PARTITION is not mounted with $OPTION at runtime"
+                FNRET=3
+            else
+                ok "$PARTITION mounted with $OPTION"
+            fi
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$FNRET" = 0 ]; then
+        ok "$PARTITION is correctly set"
+    elif [ "$FNRET" = 2 ]; then
+        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+    elif [ "$FNRET" = 1 ]; then
+        info "Adding $OPTION to fstab"
+        add_option_to_fstab "$PARTITION" "$OPTION"
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    elif [ "$FNRET" = 3 ]; then
+        info "Remounting $PARTITION from fstab"
+        remount_partition "$PARTITION"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this script
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.1.6_var_partition.sh

@@ -65,17 +65,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.7_var_tmp_partition.sh

@@ -65,17 +65,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.8_var_tmp_nodev.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.1.9_var_tmp_nosuid.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.3.1_install_sudo.sh

@@ -50,17 +50,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.3.2_pty_sudo.sh

@@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.3.3_logfile_sudo.sh

@@ -64,17 +64,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.4.1_install_tripwire.sh

@@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.4.2_tripwire_cron.sh

@@ -68,17 +68,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -91,17 +91,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.5.2_bootloader_password.sh

@@ -71,17 +71,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.5.3_root_password.sh

@@ -50,17 +50,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.6.1_enable_nx_support.sh

@@ -81,17 +81,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.6.2_enable_randomized_vm_placement.sh

@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.6.3.1_disable_apport.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.3.1 Ensure apport is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable apport to avoid confidential data leaks."
+
+PACKAGE='apport'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed!"
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        crit "$PACKAGE is installed, purging it"
+        apt-get purge "$PACKAGE" -y
+        apt-get autoremove
+    else
+        ok "$PACKAGE is absent"
+    fi
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.6.3_disable_prelink.sh

@@ -54,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.6.4_restrict_core_dumps.sh

@@ -87,17 +87,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.6.5_restrict_ptrace_scope.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.2 Ensure ptrace_scope is restricted
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure ptrace_scope is restricted."
+
+SYSCTL_PARAM='kernel.yama.ptrace_scope'
+SYSCTL_EXP_RESULT=2
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
+        crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
+        warn "$SYSCTL_PARAM does not exist -- Typo?"
+    else
+        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    if [ "$FNRET" != 0 ]; then
+        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+        set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
+    elif [ "$FNRET" = 255 ]; then
+        warn "$SYSCTL_PARAM does not exist -- Typo?"
+    else
+        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/1.7.1.1_install_apparmor.sh

@@ -54,17 +54,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -118,17 +118,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -75,17 +75,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -89,17 +89,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.1_remove_os_info_motd.sh

@@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.2_remove_os_info_issue.sh

@@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.3_remove_os_info_issue_net.sh

@@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.4_motd_perms.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.5_etc_issue_perms.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.1.6_etc_issue_net_perms.sh

@@ -76,17 +76,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.8.2_graphical_warning_banners.sh

@@ -37,17 +37,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/1.9_install_updates.sh

@@ -53,17 +53,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.1.1_disable_xinetd.sh

@@ -51,17 +51,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.1.2_disable_bsd_inetd.sh

@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.1.1_use_time_sync.sh

@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure time synchronization is in use"
 
-PACKAGES="ntp chrony"
+PACKAGES="systemd-timesyncd ntp chrony"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -49,17 +49,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -44,17 +44,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -52,17 +52,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.1.4_configure_ntp.sh

@@ -83,17 +83,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.10_disable_http_server.sh

@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.12_disable_samba.sh

@@ -71,17 +71,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.13_disable_http_proxy.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure HTTP-proxy is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=http
 
-PACKAGES='squid3 squid'
+PACKAGES='squid3 squid tinyproxy'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.15_mta_localhost.sh

@@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
 audit() {
     is_pkg_installed net-tools
     if [ "$FNRET" != 0 ]; then
-        warn "netsat not installed, cannot execute check"
+        warn "netstat not installed, cannot execute check"
         exit 2
     else
         info "Checking netport ports opened"
@@ -47,7 +47,7 @@ audit() {
 apply() {
     is_pkg_installed net-tools
     if [ "$FNRET" != 0 ]; then
-        warn "netsat not installed, cannot execute check"
+        warn "netstat not installed, cannot execute check"
         exit 2
     else
         info "Checking netport ports opened"
@@ -77,17 +77,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.16_disable_rsync.sh

@@ -68,17 +68,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.17_disable_nis.sh

@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable NIS Server."
 
-PACKAGES='nis'
+PACKAGES='nis ypserv'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.18_disable_tftp.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.18 Ensure TFTP server is not enabled  (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure Trivial File Transfer Protocol server is not enabled."
+# shellcheck disable=2034
+HARDENING_EXCEPTION=tftp
+
+PACKAGES='tftpd tftpd-hpa'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed!"
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            apt-get purge "$PACKAGE" -y
+            apt-get autoremove -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.4_disable_print_server.sh

@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.5_disable_dhcp.sh

@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.6_disable_ldap.sh

@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.8_disable_dns_server.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=dns
 
-PACKAGES='bind9 unbound'
+PACKAGES='bind9 unbound dnsmasq'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -57,17 +57,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.2.9_disable_ftp.sh

@@ -58,17 +58,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.3.1_disable_nis.sh

@@ -17,29 +17,32 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 
-PACKAGE='nis'
+PACKAGES='nis ypbind-mt'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" = 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is installed!"
+        if [ "$FNRET" = 0 ]; then
-    else
+            crit "$PACKAGE is installed!"
-        ok "$PACKAGE is absent"
+        else
-    fi
+            ok "$PACKAGE is absent"
-    :
+        fi
+    done
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" = 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is installed, purging it"
+        if [ "$FNRET" = 0 ]; then
-        apt-get purge "$PACKAGE" -y
+            crit "$PACKAGE is installed, purging it"
-        apt-get autoremove -y
+            apt-get purge "$PACKAGE" -y
-    else
+            apt-get autoremove -y
-        ok "$PACKAGE is absent"
+        else
-    fi
+            ok "$PACKAGE is absent"
+        fi
+    done
 }
 
 # This function will check config parameters required
@@ -52,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -56,17 +56,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.3.3_disable_talk_client.sh

@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -55,17 +55,17 @@ if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
     . /etc/default/cis-hardening
 fi
-if [ -z "$CIS_ROOT_DIR" ]; then
+if [ -z "$CIS_LIB_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
     exit 128
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
     # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
 else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
     exit 128
 fi