Merge pull request #12 from hardenedlinux/master

Pull from master to harbian-audit-deepin
This commit is contained in:
Samson.W 2019-11-15 01:15:57 +08:00 committed by GitHub
commit 3f9fef44b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 801 additions and 517 deletions

View File

@ -151,24 +151,41 @@ EXCEPTIONS=""
4) 设置基本的iptables防火墙规则 4) 设置基本的iptables防火墙规则
根据实现场景进行防火墙规则的配置可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则 根据实现场景进行防火墙规则的配置可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
执行如下的命令进行部署:
基于iptables的部署:
``` ```
$ INTERFACENAME="your network interfacename(Example eth0)" $ INTERFACENAME="your network interfacename(Example eth0)"
$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh $ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh
$ sudo -s $ sudo -s
# iptables-save > /etc/iptables/rules.v4 # iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6 # ip6tables-save > /etc/iptables/rules.v6
``` ```
5) 使用passwd命令改变所有用户的密码以满足pam_cracklib模块配置的密码复杂度及健壮性。 基于nft的部署
按照以下命令修改nftables.conf(你的对外网口的名称例如eth0):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
```
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作
1.使用passwd命令去重新设置常规用户及root用户的密码以满足pam_cracklib模块配置的密码强度和健壮性。
2. 重新初始化aide工具的数据库。
```
$ sudo bin/hardening.sh --final
```
## 特别注意 ## 特别注意
一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有:
### 必须在第一次修复应用后进行修复的项
8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。
### 必须在所有项都修复应用后进行修复的项
8.4.1 8.4.2 这都是与aide检测文件完整性相关的项最好是在所有项都修复好后再进行修复以修复好的系统中的文件进行完整性的数据库的初始化。
### 一些检查项需要依赖多次修复,且操作系统需要多次重启
#### 需要进行两次修复的项
8.1.1.2 8.1.1.2
8.1.1.3 8.1.1.3
8.1.12 8.1.12
需要修复3次的项
4.5 4.5
## 玩(如何添加检查项) ## 玩(如何添加检查项)
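Review bot: the iptables and nft deployment steps now configure the interface inconsistently: the iptables step passes $INTERFACENAME to etc.iptables.rules.v4.sh, while the nft step still tells the reader to patch a hardcoded name with `sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf`. Reuse the same variable there, e.g. `sed -i "s/^define int_if = ens33/define int_if = $INTERFACENAME/g" etc.nftables.conf`, so the interface is set once. The new heading "### 一些检查项需要依赖多次修复,且操作系统需要多次重启" also repeats the sentence that opens the 特别注意 section; one of the two can go.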
@ -219,15 +236,15 @@ This document is a description of the additions to the sections not included in
The HardenedLinux community has created public AMI images for three different regions. The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio) Destination region: US East(Ohio)
AMI ID: ami-0459b7f679f8941a4 AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: EU(Frankfurt) Destination region: EU(Frankfurt)
AMI ID: ami-022f30970530a0c5b AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo) Destination region: Asia Pacific(Tokyo)
AMI ID: ami-003de0c48c2711265 AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### 相关文档 #### 相关文档
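Review bot: the AMI names carried over unchanged still read "complianced"; "compliant" is meant. Since this hunk only swaps the three AMI IDs, consider also recording the harbian-audit version or build date next to ami-091d37e9d358aaa84, ami-073725a8c2cf45418 and ami-06c0adb6ee5e7d417, so readers can tell which baseline the images were built from.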

View File

@ -169,8 +169,7 @@ Set the corresponding firewall rules according to the applications used. Hardene
to do the following: to do the following:
``` ```
$ INTERFACENAME="your network interfacename(Example eth0)" $ INTERFACENAME="your network interfacename(Example eth0)"
$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh $ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh
$ sudo -s $ sudo -s
# iptables-save > /etc/iptables/rules.v4 # iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6 # ip6tables-save > /etc/iptables/rules.v6
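Review bot: with the sed step gone, nothing in the README tells the reader that etc.iptables.rules.v4.sh now takes the interface as its first argument and sets PUB_IFS from it, and the variable is still assigned the placeholder text "your network interfacename(Example eth0)", which is exactly what the script receives if the line is pasted verbatim. Show a concrete assignment such as `INTERFACENAME="eth0"` and add one sentence saying the script reads the interface from `$1`.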
@ -183,18 +182,28 @@ to do the following(your network interfacename(Example eth0)):
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf $ sudo nft -f ./etc.nftables.conf
``` ```
5) When all repairs are completed. --final method will:
5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. 1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
2. Aide reinitializes.
```
$ sudo bin/hardening.sh --final
```
## Special Note ## Special Note
Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix).
Items that need to be fix twice: ### Items that must be applied after the first application(reboot after is better)
8.1.32 Because this item is set, the audit rules will not be added.
### Items that must be applied after all application is ok
8.4.1
8.4.2
These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system.
### Items that need to be fix twice
8.1.1.2 8.1.1.2
8.1.1.3 8.1.1.3
8.1.12 8.1.12
Items that need to be fix three times:
4.5 4.5
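Review bot: the line "8.1.32 Because this item is set, the audit rules will not be added." does not state the ordering constraint it is meant to; the Chinese README says that once this item is applied, no further audit rules can be added, which is why it must come after the first round of fixes. Suggest: "8.1.32 must be applied after the first round of fixes (rebooting in between is better): once it is set, no further audit rules can be added." The headings "Items that need to be fix twice" / "fix three times" should read "fixed", and "must be applied after all application is ok" reads better as "after all other items have been applied".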
## Hacking ## Hacking
@ -249,15 +258,15 @@ This document is a description of the additions to the sections not included in
The HardenedLinux community has created public AMI images for three different regions. The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio) Destination region: US East(Ohio)
AMI ID: ami-0459b7f679f8941a4 AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: EU(Frankfurt) Destination region: EU(Frankfurt)
AMI ID: ami-022f30970530a0c5b AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo) Destination region: Asia Pacific(Tokyo)
AMI ID: ami-003de0c48c2711265 AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9 AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### Docs #### Docs

View File

@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
INIT_G_CONFIG=0 INIT_G_CONFIG=0
FINAL_G_CONFIG=0
usage() { usage() {
cat << EOF cat << EOF
@ -32,11 +33,11 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h --help -h
Show this help Show this help
--init --init
Initialize the global configuration file(/etc/default/cis-hardening) based Initialize the global configuration file(/etc/default/cis-hardening) based
on the release version number. on the release version number.
--apply --apply
Apply hardening for enabled scripts. Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use --audit before, which can be regarded as a dry-run mode. advised to use --audit before, which can be regarded as a dry-run mode.
@ -81,7 +82,13 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
as http, mail, etc. Can be specified multiple times to allow multiple services. as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
Example: Example:
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
--final
The final action that needs to be done when all repairs are completed. The action items are:
1. Use passwd to change the password of the regular and root user to update the user
password strength and robustness;
2. Aide reinitializes.
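Review bot: "2. Aide reinitializes." in the --final usage text should say what the option does, e.g. "2. Reinitialize the AIDE database." Item 1 should also mention that the reset is interactive (each account is confirmed with a y/N prompt in the handler further down), since --apply is documented just above as asking no confirmation and a reader could expect the same behaviour here.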
OPTIONS: OPTIONS:
@ -148,6 +155,9 @@ while [[ $# > 0 ]]; do
--init) --init)
INIT_G_CONFIG=1 INIT_G_CONFIG=1
;; ;;
--final)
FINAL_G_CONFIG=1
;;
*) *)
usage usage
;; ;;
@ -170,6 +180,7 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS." info "This OS is redhat/CentOS."
@ -194,6 +205,36 @@ else
exit 128 exit 128
fi fi
# For --final
if [ $FINAL_G_CONFIG -eq 1 ]; then
# Reset passwd for regular and root user
USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}')
for USER in $USERSNAME; do
RESETCONTIN="n"
read -p "Will password of $USER be reset, are you sure to continue?(y/N)" RESETCONTIN
if [ "$RESETCONTIN" == "y" ]; then
passwd $USER
else
continue
fi
done
RESETCONTIN="n"
read -p "Will password of root be reset, are you sure to continue?(y/N)" RESETCONTIN
if [ "$RESETCONTIN" == "y" ]; then
passwd
fi
# Reinit aide database
info "Will reinitialize the AIDE database"
if [ $OS_RELEASE -eq 1 ]; then
aideinit
elif [ $OS_RELEASE -eq 2 ]; then
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
exit 0
fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
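Review bot: the loop variable USER in `for USER in $USERSNAME` shadows the USER environment variable for the rest of the script; rename it (e.g. ACCOUNT). Other points in this block: `cat /etc/passwd | awk -F':' ...` can be `awk -F':' '...' /etc/passwd`; the y/N prompt only accepts lowercase `y`, so a `case "$RESETCONTIN" in [yY])` would be friendlier; `passwd` and `aide --init` are run without the `$SUDO_CMD` prefix that the per-item scripts use, so --final silently requires root; and on the RedHat branch the `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` assumes the default DBDIR, so it fails if aide.conf points elsewhere. Consider factoring the "reinit AIDE" step into a helper next to the OS_RELEASE detection so both branches share the checks.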

View File

@ -16,7 +16,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
TMPMOUNTNAME="tmp.mount" SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
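Review bot: SERVICEPATH_DEBIAN (the packaged template under /usr/share/systemd/tmp.mount) and DEBIAN_SERVICEPATH (the installed unit under /lib/systemd/system/tmp.mount) differ only in word order and are easy to mix up in the apply branch below. Names that encode the role, such as TMPMOUNT_TEMPLATE_DEBIAN and TMPMOUNT_UNIT_DEBIAN, would make the copy from template to unit self-explanatory.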
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -36,19 +39,12 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then is_service_active $SERVICENAME
ok "$TMPMOUNTNAME service is active!" if [ $FNRET -eq 0 ]; then
is_mounted "$PARTITION" ok "$SERVICENAME service is active!"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=3
else
ok "$PARTITION is mounted"
FNRET=0
fi
else else
crit "$TMPMOUNTNAME service is not active!" crit "$SERVICENAME service is inactive!"
FNRET=4 FNRET=3
fi fi
fi fi
} }
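Review bot: the meaning of FNRET=3 changes in this hunk: it used to mean "tmp.mount active but $PARTITION not mounted" and now means "tmp.mount inactive", while the FNRET=4 path (unit not enabled) disappears entirely. That is consistent with apply() in the next hunk, but is_service_active $SERVICENAME is now the only runtime check, so make sure that helper returns non-zero for a unit that is loaded but not mounted, otherwise the removed is_mounted check is lost for good.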
@ -63,12 +59,30 @@ apply () {
warn "mounting $PARTITION" warn "mounting $PARTITION"
mount $PARTITION mount $PARTITION
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
$SUDO_CMD systemctl daemon-reload if [ $OS_RELEASE -eq 1 ]; then
$SUDO_CMD systemctl start "$TMPMOUNTNAME" if [ -e $DEBIAN_SERVICEPATH ]; then
elif [ $FNRET = 4 ]; then $SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl enable "$TMPMOUNTNAME" $SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl start "$SERVICENAME"
$SUDO_CMD systemctl start "$TMPMOUNTNAME" else
if [ -e $SERVICEPATH_DEBIAN ]; then
cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
crit "System unit file $DEBIAN_SERVICEPATH is not exist!"
fi
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ -e $REDHAT_SERVICEPATH ]; then
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
crit "System unit file $REDHAT_SERVICEPATH is not exist!"
fi
fi
fi fi
} }
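Review bot: the `systemctl enable` / `daemon-reload` / `start` triple is pasted three times; a small helper (enable_and_start_unit "$SERVICENAME") would remove the duplication and make the ordering consistent. In the branch that copies the template, run `daemon-reload` before `enable` so systemd sees the freshly copied unit, and prefix the `cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH` with `$SUDO_CMD` like the systemctl calls around it. The messages "is not exist!" should read "does not exist!".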

View File

@ -18,8 +18,9 @@ HARDENING_LEVEL=2
PARTITION="/tmp" PARTITION="/tmp"
OPTION="nodev" OPTION="nodev"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -46,43 +47,45 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION elif [ $OS_RELEASE -eq 2 ]; then
else UNITSERVICEPATH=$REDHAT_SERVICEPATH
has_mount_option_systemd $SERVICEPATH $OPTION fi
fi if [ -e $UNITSERVICEPATH ]; then
if [ $FNRET -gt 0 ]; then has_mount_option_systemd $UNITSERVICEPATH $OPTION
crit "$PARTITION has no option $OPTION in systemd service!" if [ $FNRET -gt 0 ]; then
FNRET=3 crit "$PARTITION has no option $OPTION in systemd service!"
else FNRET=3
ok "$PARTITION has $OPTION in systemd service" else
has_mounted_option $PARTITION $OPTION ok "$PARTITION has $OPTION in systemd service"
if [ $FNRET -gt 0 ]; then has_mounted_option $PARTITION $OPTION
warn "$PARTITION is not mounted with $OPTION at runtime" if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5 FNRET=5
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
FNRET=0 FNRET=0
fi fi
fi fi
else else
if [ $OS_RELEASE -eq 2 ]; then crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
crit "$REDHAT_SERVICEPATH is not exist!" FNRET=2
else fi
crit "$SERVICEPATH is not exist!" fi
fi
FNRET=2
fi
fi
} }
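Review bot: if OS_RELEASE is neither 1 nor 2, UNITSERVICEPATH is never assigned, and with the `set -u` header the sibling scripts use, the following `[ -e $UNITSERVICEPATH ]` aborts the script instead of reporting. Add an else branch that calls crit for the unsupported OS and sets FNRET, as the ClamAV scripts in this PR do. Also "$UNITSERVICEPATH is not exist!" should read "does not exist!".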
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
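Review bot: the OS_RELEASE to UNITSERVICEPATH selection is repeated verbatim in audit() and apply(); compute it once at file scope next to the path constants so the two functions cannot drift apart.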
@ -95,11 +98,7 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -17,9 +17,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
OPTION="nosuid" OPTION="nosuid"
SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -45,44 +46,46 @@ audit () {
FNRET=1 FNRET=1
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else else
has_mount_option_systemd $SERVICEPATH $OPTION ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi fi
if [ $FNRET -gt 0 ]; then else
crit "$PARTITION has no option $OPTION in systemd service!" crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
FNRET=3 FNRET=2
else fi
ok "$PARTITION has $OPTION in systemd service" fi
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
else
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
} }
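Review bot: this audit() block is now identical in 2.2, 2.3 and 2.4 apart from $OPTION, and the OS_RELEASE to unit-path mapping is repeated in each of them. Move the mapping into lib/utils.sh as a helper (e.g. a hypothetical get_tmpmount_unit_path that sets UNITSERVICEPATH) so a future path change or a new OS is made in one place.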
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
@ -95,11 +98,7 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -17,9 +17,10 @@ HARDENING_LEVEL=2
# Quick factoring as many script use the same logic # Quick factoring as many script use the same logic
PARTITION="/tmp" PARTITION="/tmp"
OPTION="noexec" OPTION="noexec"
SERVICEPATH="/usr/share/systemd/tmp.mount" SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount" SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -46,43 +47,45 @@ audit () {
fi fi
else else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then UNITSERVICEPATH=$DEBIAN_SERVICEPATH
has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION has no option $OPTION in systemd service!"
FNRET=3
else else
has_mount_option_systemd $SERVICEPATH $OPTION ok "$PARTITION has $OPTION in systemd service"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi fi
if [ $FNRET -gt 0 ]; then else
crit "$PARTITION has no option $OPTION in systemd service!" crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!"
FNRET=3 FNRET=2
else fi
ok "$PARTITION has $OPTION in systemd service" fi
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=5
else
ok "$PARTITION mounted with $OPTION"
FNRET=0
fi
fi
else
if [ $OS_RELEASE -eq 2 ]; then
crit "$REDHAT_SERVICEPATH is not exist!"
else
crit "$SERVICEPATH is not exist!"
fi
FNRET=2
fi
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $OS_RELEASE -eq 1 ]; then
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab" info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION add_option_to_fstab $PARTITION $OPTION
@ -95,11 +98,7 @@ apply () {
fi fi
elif [ $FNRET = 3 ]; then elif [ $FNRET = 3 ]; then
info "Adding $OPTION to systemd" info "Adding $OPTION to systemd"
if [ $OS_RELEASE -eq 2 ]; then add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME
add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME
else
add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME
fi
remount_partition_by_systemd $SERVICENAME $PARTITION remount_partition_by_systemd $SERVICENAME $PARTITION
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"

View File

@ -17,31 +17,53 @@ VIRULSERVER='clamav-daemon'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then
crit "$VIRULSERVER is not runing" if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then
FNRET=2 crit "$VIRULSERVER is not runing"
else FNRET=2
ok "$VIRULSERVER is enable" else
FNRET=0 ok "$VIRULSERVER is enable"
fi FNRET=0
else fi
crit "$VIRULSERVER is not installed" else
FNRET=1 crit "$VIRULSERVER is not installed"
fi FNRET=1
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then
ok "Clamav is installed"
else
crit "Clamav is not install"
fi
else
crit "Current OS is not support!"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $OS_RELEASE -eq 1 ]; then
ok "$VIRULSERVER is enable" if [ $FNRET = 0 ]; then
elif [ $FNRET = 1 ]; then ok "$VIRULSERVER is enable"
warn "Install $VIRULSERVER" elif [ $FNRET = 1 ]; then
apt-get install -y $VIRULSERVER warn "Install $VIRULSERVER"
else apt-get install -y $VIRULSERVER
warn "Start server $VIRULSERVER" else
systemctl start $VIRULSERVER warn "Start server $VIRULSERVER"
fi systemctl start $VIRULSERVER
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ $FNRET = 0 ]; then
ok "$VIRULSERVER is enable"
elif [ $FNRET = 1 ]; then
warn "Install $VIRULSERVER"
yum install -y $VIRULSERVER
else
warn "Start server $VIRULSERVER"
systemctl start $VIRULSERVER
fi
fi
} }
# This function will check config parameters required # This function will check config parameters required
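Review bot: on the RedHat branch audit() sets no FNRET in either the "Clamav is installed" or "Clamav is not install" path, so apply() compares whatever value FNRET had before; set FNRET=0 and FNRET=1 there to mirror the Debian branch. The RedHat apply also runs `yum install -y $VIRULSERVER`, i.e. installs "clamav-daemon", which is the Debian package name, while the audit greps `rpm -qa` for "clamd"; use the matching package and unit name for RedHat. The "Current OS is not support!" branch leaves FNRET unset too, and "runing" is a typo for "running".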

View File

@ -13,51 +13,71 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
VIRULSERVER='clamav-daemon'
CLAMAVCONF_DIR='/etc/clamav/clamd.conf' CLAMAVCONF_DIR='/etc/clamav/clamd.conf'
UPDATE_SERVER='clamav-freshclam' UPDATE_SERVER='clamav-freshclam'
audit_debian () {
UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}')
if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then
NOWTIME=$(date +"%s")
# This file extension name maybe change to .cvd or .cld
VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*)
INTERVALTIME=$((${NOWTIME}-${VIRUSTIME}))
if [ "${INTERVALTIME}" -ge 604800 ];then
crit "Clamav database file has a date older than seven days from the current date"
FNRET=3
else
ok "Clamav database file has a date less than seven days from the current date"
FNRET=0
fi
else
crit "Clamav config file or update dir is not exist"
FNRET=2
fi
}
# todo
audit_redhat () {
:
}
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
if [ $(systemctl | grep $VIRULSERVER | grep "active running" | wc -l) -ne 1 ]; then if [ $OS_RELEASE -eq 1 ]; then
crit "$VIRULSERVER is not runing" audit_debian
FNRET=1 elif [ $OS_RELEASE -eq 2 ]; then
else audit_redhat
ok "$VIRULSERVER is runing" else
UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') crit "Current OS is not support!"
if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then fi
NOWTIME=$(date +"%s") }
# This file extension name maybe change to .cvd or .cld
VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*) apply_debian () {
INTERVALTIME=$((${NOWTIME}-${VIRUSTIME})) if [ $FNRET = 0 ]; then
if [ "${INTERVALTIME}" -ge 604800 ];then ok "Clamav database file has a date less than seven days from the current date"
crit "Database file has a date older than seven days from the current date" elif [ $FNRET = 2 ]; then
FNRET=3 warn "Clamav config file or update dir is not exist, please check that is exist or check config"
else elif [ $FNRET = 3 ]; then
ok "Database file has a date less than seven days from the current date" warn "Clamav database file has a date older than seven days from the current date, start clamav-freshclam.service to update"
FNRET=0 apt-get install -y $UPDATE_SERVER
fi systemctl start $UPDATE_SERVER
else
crit "Clamav config file or update dir is not exist"
FNRET=2
fi
fi fi
} }
# todo
apply_redhat () {
:
}
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ $FNRET = 0 ]; then if [ $OS_RELEASE -eq 1 ]; then
ok "Database file has a date less than seven days from the current date" apply_debian
elif [ $FNRET = 1 ]; then elif [ $OS_RELEASE -eq 2 ]; then
warn "Install $VIRULSERVER" apply_redhat
apt-get install -y $VIRULSERVER else
elif [ $FNRET = 2 ]; then crit "Current OS is not support!"
warn "Clamav config file or update dir is not exist, please check that is exist or check config" fi
elif [ $FNRET = 3 ]; then
warn "Database file has a date older than seven days from the current date, start clamav-freshclam.service to update"
apt-get install -y $UPDATE_SERVER
systemctl start $UPDATE_SERVER
fi
} }
# This function will check config parameters required # This function will check config parameters required
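Review bot: `VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*)` yields one line per match, so if both daily.cvd and daily.cld are present the arithmetic in INTERVALTIME gets a multi-line value and fails under `set -e`; take the newest, e.g. `stat -c "%Y" "$UPDATE_DIR"/daily.* | sort -n | tail -1`. `grep -i databasedirectory "$CLAMAVCONF_DIR"` also matches a commented-out `#DatabaseDirectory` line; anchor it with `grep -i '^DatabaseDirectory'`. The audit_redhat and apply_redhat stubs leave FNRET untouched, so until they are filled in the RedHat branch reports nothing.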

View File

@ -39,7 +39,7 @@ audit () {
if [ "$PROTO_TYPE" == 'udp6' ]; then if [ "$PROTO_TYPE" == 'udp6' ]; then
PROTO_TYPE="udp" PROTO_TYPE="udp"
fi fi
LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}')
if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then
info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules."
else else
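Review bot: switching to `$NF` makes the port extraction correct for IPv6 listeners such as `[::]:22`, where the address itself contains a variable number of colons and `$4` picked the wrong field. If a sibling IPv4 script uses the same `awk -F: '{print $4}'`, give it the same fix.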

View File

@ -14,7 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
SUDOLOG='/var/log/sudo.log'
AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction' AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction'
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
@ -23,18 +22,12 @@ audit () {
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'
if [ -f $SUDOLOG ]; then does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
debug "$AUDIT_VALUE should be in file $FILE" if [ $FNRET != 0 ]; then
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" crit "$AUDIT_VALUE is not in file $FILE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=2
else
ok "$AUDIT_VALUE is present in $FILE"
fi
else
crit "file $SUDOLOG is not exist!"
FNRET=1 FNRET=1
else
ok "$AUDIT_VALUE is present in $FILE"
fi fi
IFS=$d_IFS IFS=$d_IFS
} }
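Review bot: dropping the `[ -f $SUDOLOG ]` check (and the apply step that appended `Defaults logfile=...` to /etc/sudoers) means the `-w /var/log/sudo.log` watch can now be installed on a path nothing writes to, so the audit passes vacuously. If the sudoers logfile setting is enforced by another item, name that item in the script header so the dependency is visible. Removing the `sed -i '$aDefaults logfile=...' /etc/sudoers` line itself is welcome, since it appended to sudoers without checking for an existing entry.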
@ -45,15 +38,6 @@ apply () {
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'
if [ $FNRET = 1 ]; then if [ $FNRET = 1 ]; then
warn "file $SUDOLOG is not exist! Set default logfile path in /etc/sudoers."
sed -i '$aDefaults logfile="/var/log/sudo.log"' /etc/sudoers
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
fi
elif [ $FNRET = 2 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode check_auditd_is_immutable_mode

View File

@ -14,13 +14,13 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules -w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules' -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules -w /bin/kmod -p x -k modules
@ -34,8 +34,8 @@ audit () {
d_IFS=$IFS d_IFS=$IFS
IFS=$'\n' IFS=$'\n'
is_64bit_arch is_64bit_arch
if [ $FNRET=0 ]; then if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi fi
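Review bot: `if [ $FNRET=0 ]; then` in audit() is a one-word string test that is always true, so the 64-bit rule set is selected on every architecture and ARCH32_AUDIT_PARAMS is dead code. This is unchanged context, but since the file is being touched it should become `if [ $FNRET -eq 0 ]; then`; apply() should be checked for the same pattern.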

View File

@ -10,17 +10,18 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
set -e # One error, it's over set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
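Review bot: this file keeps `set -e # One error, it's over` below the rule definitions while the sibling scripts in this change move it up to directly after `set -u`; now that the `$(find /usr/ -name "ssh-keysign")` substitution is gone there is no reason for the late placement, so move it up here too for consistency. A short comment naming the package that owns /usr/lib/openssh/ssh-keysign and /usr/libexec/openssh/ssh-keysign would also make future path drift easier to spot.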
@ -71,7 +72,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
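Review bot: check_config() leaves AUDIT_PARAMS empty when OS_RELEASE is neither 1 nor 2, and `for AUDIT_VALUE in $AUDIT_PARAMS` then iterates zero times, so audit() reports nothing and apply() installs no rule while the item still counts as passed. Add an `else` that emits a crit (or at least a warn) for an unsupported OS_RELEASE so the silent no-op is visible in the report.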

View File

@ -10,17 +10,22 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
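Review bot: moving `set -e` above the rule definitions is correct now that the `$(which ... 2>/dev/null)` substitutions, which returned non-zero for an absent binary and would have aborted the script, are gone; a sentence in the commit message would stop the reordering being reverted later. The hard-coded paths should carry a comment naming the owning package (on Debian, passwd for passwd/gpasswd/chage and libpam-modules-bin for unix_chkpwd), since nothing verifies them apart from check_audit_path at run time.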
@ -71,7 +76,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
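Review bot: check_config() has no `else` for an OS_RELEASE other than 1 or 2, which leaves AUDIT_PARAMS empty and makes both loops silently skip every rule; a crit for the unsupported case belongs here, as in the other check_config() rewrites in this change.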

View File

@ -10,19 +10,26 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
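Review bot: the chfn rule in both AUDIT_PARAMS_DEBIAN and AUDIT_PARAMS_REDHAT filters on `auid>=500` while every other rule in this file uses `auid>=1000`; the threshold is carried over from the old `$(which chfn)` line, but with UID_MIN=1000 on Debian it admits system accounts that the rest of the set excludes. Align it to `-F auid>=1000`.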
@ -73,7 +80,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
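Review bot: same gap as the other check_config() bodies in this change: when OS_RELEASE is neither 1 nor 2, AUDIT_PARAMS stays empty and the audit/apply loops run zero iterations with no message. Add an `else` branch that reports the unsupported release.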

View File

@ -10,15 +10,18 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
@ -69,7 +72,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
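Review bot: check_config() selects the path set but nothing skips the item when postfix is not installed; postdrop and postqueue only exist with the postfix package, so on a host without it every audit run will hit the `path is not exsit` crit from check_audit_path. Gate on is_pkg_installed (the pam_tally script in this change shows the pattern for an unsupported case) and add the missing `else` for an OS_RELEASE other than 1 or 2.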

View File

@ -10,14 +10,15 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
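Review bot: check_config() needs an `else` for OS_RELEASE values other than 1 or 2; without it AUDIT_PARAMS stays "" and the crontab rule is neither audited nor applied, with nothing in the output to show that.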

View File

@ -10,14 +10,15 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
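Review bot: as with the other check_config() rewrites, an unsupported OS_RELEASE leaves AUDIT_PARAMS empty and the pam_timestamp_check rule is silently skipped; add an `else` that emits a crit.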

View File

@ -5,66 +5,75 @@
# #
# #
# 8.1.26 Recored pam_tally/pam_tally2 command usage (Scored) # 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> Author add this # Author : Samson wen, Samson <sccxboy@gmail.com> Author add this
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
set -e # One error, it's over set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # This feature is only for debian
d_IFS=$IFS if [ $OS_RELEASE -eq 2 ]; then
c_IFS=$'\n' ok "CentOS/Redhat is not support, so pass"
IFS=$c_IFS elif [ $OS_RELEASE -eq 1 ]; then
for AUDIT_VALUE in $AUDIT_PARAMS; do # define custom IFS and save default one
check_audit_path $AUDIT_VALUE d_IFS=$IFS
if [ $FNRET -eq 1 ];then c_IFS=$'\n'
crit "path is not exsit! Please check file path is exist!" IFS=$c_IFS
continue for AUDIT_VALUE in $AUDIT_PARAMS; do
else check_audit_path $AUDIT_VALUE
debug "$AUDIT_VALUE should be in file $FILE" if [ $FNRET -eq 1 ];then
IFS=$d_IFS crit "path is not exsit! Please check file path is exist!"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" continue
IFS=$c_IFS else
if [ $FNRET != 0 ]; then debug "$AUDIT_VALUE should be in file $FILE"
crit "$AUDIT_VALUE is not in file $FILE" IFS=$d_IFS
else does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
ok "$AUDIT_VALUE is present in $FILE" IFS=$c_IFS
fi if [ $FNRET != 0 ]; then
fi crit "$AUDIT_VALUE is not in file $FILE"
done else
IFS=$d_IFS ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
IFS=$'\n' # This feature is only for debian
for AUDIT_VALUE in $AUDIT_PARAMS; do if [ $OS_RELEASE -eq 2 ]; then
check_audit_path $AUDIT_VALUE ok "CentOS/Redhat is not support, so pass"
if [ $FNRET -eq 1 ];then elif [ $OS_RELEASE -eq 1 ]; then
crit "path is not exsit! Please check file path is exist!" IFS=$'\n'
continue for AUDIT_VALUE in $AUDIT_PARAMS; do
else check_audit_path $AUDIT_VALUE
debug "$AUDIT_VALUE should be in file $FILE" if [ $FNRET -eq 1 ];then
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" crit "path is not exsit! Please check file path is exist!"
if [ $FNRET != 0 ]; then continue
warn "$AUDIT_VALUE is not in file $FILE, adding it" else
add_end_of_file $FILE $AUDIT_VALUE debug "$AUDIT_VALUE should be in file $FILE"
check_auditd_is_immutable_mode does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
else if [ $FNRET != 0 ]; then
ok "$AUDIT_VALUE is present in $FILE" warn "$AUDIT_VALUE is not in file $FILE, adding it"
fi add_end_of_file $FILE $AUDIT_VALUE
fi check_auditd_is_immutable_mode
done else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
fi
} }
# This function will check config parameters required # This function will check config parameters required
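Review bot: apply() sets `IFS=$'\n'` in the Debian branch but never saves and restores it the way audit() does with d_IFS, so IFS stays changed for whatever runs after apply() in the sourced main.sh; mirror the `d_IFS=$IFS ... IFS=$d_IFS` handling. Two wording points in the same hunk: the RedHat branch message should read "not supported" rather than "is not support", and reporting it with `ok` counts the host as compliant for a check that was never run, so `info` is the better level; the header comment still carries the "Recored" typo.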

View File

@ -10,16 +10,17 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change -a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F dir=$(find /etc/audit/ -name rules.d) -F perm=wa -k config_file_change -a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change -a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change -a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change -a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
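Review bot: hard-coding /etc/audisp/audisp-remote.conf ties this rule to the audit 2.x layout; with audit 3.x the plugin configuration moved under /etc/audit/ (audisp-remote.conf sits next to auditd.conf), so on those releases check_audit_path will report the path as missing. Either keep a fallback path or state the supported audit version. The other substitutions (`$(find /etc/ -name grub)` to /etc/default/grub, and likewise fstab, hosts.deny, login.defs and the rules.d dir) are straightforward and make the rule set deterministic, which is an improvement.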
@ -27,7 +28,6 @@ AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F p
-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -39,7 +39,7 @@ audit () {
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!" crit "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE"
continue continue
else else
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
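Review bot: including the offending rule in the crit message is a useful improvement; while touching that line, fix the wording to "path does not exist! Please check that the file path exists! Rule: $AUDIT_VALUE" (the "exsit" typo is repeated in several sibling scripts in this change).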

View File

@ -8,16 +8,16 @@
# 8.1.28 Recored Events that privileged-acl command usage (Scored) # 8.1.28 Recored Events that privileged-acl command usage (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
# todo to ensure path in debian
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
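Review bot: the removed `# todo to ensure path in debian` is resolved by hard-coding /usr/bin/setfacl and /usr/bin/chacl, but unlike the other scripts in this change there is no per-distribution switch, and both binaries come from the acl package, which is not part of a minimal Debian install, so hosts without it will get a crit from check_audit_path rather than a skip. Consider gating on is_pkg_installed.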

View File

@ -10,13 +10,14 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
set -e # One error, it's over AUDIT_PARAMS=""
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -68,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
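Review bot: check_config() lacks an `else` for an OS_RELEASE other than 1 or 2, so AUDIT_PARAMS stays "" and the usermod rule is silently skipped; add a crit for the unsupported release.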

View File

@ -10,13 +10,12 @@
# #
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
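Review bot: this script keeps a single hard-coded /sbin/unix_update with no _DEBIAN/_REDHAT split, unlike its siblings; on RHEL/CentOS 7+ /sbin is a symlink to /usr/sbin, so confirm that the auditd `-F path=` rule matches through the symlink there, or add an AUDIT_PARAMS_REDHAT variant with /usr/sbin/unix_update to match the unix_chkpwd handling elsewhere in this change.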

View File

@ -11,6 +11,7 @@
# todo test for centos # todo test for centos
set -u # One variable unset, it's over set -u # One variable unset, it's over
set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
@ -19,17 +20,16 @@ SELINUX_PKG_REDHAT="selinux-policy"
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng" -a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng"
APPARMOR_PKG="apparmor" APPARMOR_PKG="apparmor"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
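Review bot: the chcon rule carries `-F perm=x` while the semanage, setsebool and setfiles rules do not, so those three will also log reads and attribute changes on the binaries rather than only executions; this is inherited from the old lines but is easier to see now that the paths are fixed. Add `-F perm=x` to the three, or add a comment stating why they differ.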

View File

@ -40,7 +40,7 @@ apply () {
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
else else
apt_install $PACKAGE apt_install $PACKAGE
aideinit aideinit -y -f
info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further" info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
fi fi
fi fi
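Review bot: after `aideinit -y -f` the database has been initialised, so the following `info "${PACKAGE} is now installed but not fully functionnal, ..."` is stale and should say the database was created (and "functionnal" should be "functional"). `-f` overwrites an existing database without asking, so this path must only run on a host that has never been initialised; the `else` branch appears to guarantee that, but a comment saying so would help.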

View File

@ -41,7 +41,9 @@ apply () {
else else
warn "Permissions of all log files are not correctly configured! Set it" warn "Permissions of all log files are not correctly configured! Set it"
chmod -R $PERMISS_SET $LOGDIR/* chmod -R $PERMISS_SET $LOGDIR/*
rm $ERRPERFILELIST if [ -r $ERRPERFILELIST ]; then
rm $ERRPERFILELIST
fi
fi fi
} }
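Review bot: the guard tests `-r` (readable) before `rm $ERRPERFILELIST`, but readability is not the condition that matters; a file that exists but is unreadable fails the test and is left behind. Use `[ -e "$ERRPERFILELIST" ]` or simply `rm -f "$ERRPERFILELIST"`, and quote the variable in either form.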

View File

@ -1,93 +0,0 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='openssh-server'
OPTIONS='UsePrivilegeSeparation=sandbox'
FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
/etc/init.d/ssh reload > /dev/null 2>&1
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
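Review bot: dropping 9.3.20 is reasonable (UsePrivilegeSeparation was deprecated in OpenSSH 7.5 and the sandbox behaviour is now unconditional), but the reason is not stated anywhere in the change; record it in the commit message or changelog, and make sure any matching etc/conf.d/9.3.20_*.cfg entry and README mention are removed as well, otherwise hardening.sh will reference a check that no longer exists.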

View File

@ -24,7 +24,8 @@ The creation process is as follows:
### Pre-Install ### Pre-Install
``` ```
$ sudo apt update && sudo apt install -y bc net-tools vim unzip $ sudo apt update
$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
``` ```
### Get harbian-audit project ### Get harbian-audit project
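Review bot: the new install line repeats packages: `sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip` lists bc and net-tools twice. Harmless to apt but it reads like a copy-paste slip; trim to one occurrence.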
@ -45,27 +46,55 @@ admin@ip:/opt/harbian-audit-master# passwd admin
``` ```
#### Audit && Apply: #### Audit && Apply:
##### First audit && apply:
``` ```
admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.7_remove_nopasswd_sudoers.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers
admin@ip:/opt/harbian-audit-master$ sudo reboot admin@ip:/opt/harbian-audit-master$ sudo reboot
``` ```
After reboot: ##### Second audit && apply(After reboot)
Configuring the firewall:
``` ```
admin@ip:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master$ sudo -s
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit
``` ```
Related how to use harbian-audit to adit and apply, please reference: Apply need to apply twice items and that items of must apply after first apply:
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) ```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master$ sudo reboot
```
##### Third apply(after reboot)
Apply need to apply three times items:
```
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master$ sudo reboot
```
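Review bot: `sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers` edits /etc/sudoers in place with no syntax validation; a malformed line locks every sudo user out of the image. Recommend writing a drop-in to /etc/sudoers.d/admin and checking it with `visudo -cf` before relying on it. Two smaller points in the same hunk: the headings "Apply need to apply twice items and that items of must apply after first apply" and "Apply need to apply three times items" should read "Items that must be applied a second time (after the first apply)" and "Items that must be applied a third time", and the rename from 10.1.7_remove_nopasswd_sudoers.cfg to 10.1.6_remove_nopasswd_sudoers.cfg deserves a line in the commit message.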
### Set issues ### Set issues
``` ```
@ -86,9 +115,9 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg $ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
``` ```
#### AIDE RE-INIT #### Uninstall
``` ```
$ sudo aideinit -y -f $ sudo apt-get purge --autoremove unzip -y
``` ```
#### Clear the current log: #### Clear the current log:
@ -110,6 +139,13 @@ $ sudo -s
# echo > /var/log/tallylog # echo > /var/log/tallylog
# echo > /var/log/lastlog # echo > /var/log/lastlog
# echo > /var/log/wtmp # echo > /var/log/wtmp
# echo > /var/log/sudo.log
```
#### Final apply
Reset password for all users and reinit aide database:
```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final
``` ```
#### Clear bash hostory #### Clear bash hostory
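Review bot: `--final` re-initialises the AIDE database (the lead-in on the line above the fence says so), but the `Clear bash hostory` step that follows still modifies `~/.bash_history` after that database was built, so the first scheduled AIDE check on the image will report the change if home directories are in the AIDE configuration. Move the final apply after the history clearing, as the last step before the image is shut down. Since `--final` runs `passwd` for the users, a sentence saying the step expects interactive input would also help. The heading typo `hostory` is unchanged context here but worth fixing while this file is open.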
@ -144,8 +180,9 @@ $ history -cw
![17](./picture/create-AMI-from-instance-17.png) ![17](./picture/create-AMI-from-instance-17.png)
## Reference ## Reference
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)

@ -1,5 +1,9 @@
# How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9 # How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9
In the following context, deploy with the following name:
Network interface: eth0
username: harbian-audit
## Pre-work ## Pre-work
In the example below, the vul-manager visual tool will be used to remotely connect to the QEMU server for operation. In the example below, the vul-manager visual tool will be used to remotely connect to the QEMU server for operation.
@ -42,14 +46,14 @@ Then follow the wizard to install step by step.
### Pre-Install ### Pre-Install
``` ```
root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager
``` ```
### Get harbian-audit project ### Get harbian-audit project
``` ```
$ cd /opt $ cd /opt
root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
root@harbian:/opt# sudo unzip master.zip root@harbian:/opt# unzip master.zip
root@harbian:/opt# cd harbian-audit-master/ root@harbian:/opt# cd harbian-audit-master/
``` ```
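Review bot: `network-manager` is now part of the base install of a hardened server image; it brings its own DHCP client and a privileged D-Bus daemon, and on a host configured through `/etc/network/interfaces` it is not obvious which component owns the interface afterwards. A sentence on why it is required (or `pciutils` alone if the checks only need `lspci`) would let readers decide whether to keep it. Dropping `sudo` from the `unzip` line is right, since the prompt is already root.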
@ -59,17 +63,21 @@ root@harbian:/opt# cd harbian-audit-master/
``` ```
root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply
root@harbian:/opt/harbian-audit-master# sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers root@harbian:/opt/harbian-audit-master# sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers
root@harbian:/opt/harbian-audit-master# reboot root@harbian:/opt/harbian-audit-master# reboot
``` ```
After reboot: After reboot:
``` ```
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
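Review bot: `sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers` edits the sudoers file with no syntax validation; a typo here locks every user out of sudo on the next boot. Prefer a drop-in written to `/etc/sudoers.d/harbian-audit` with mode 0440 and checked with `visudo -cf`, which is also the location the `-w /etc/sudoers.d/` audit rule elsewhere in this change is watching. The new `--init` call, the three `status=disabled` lines for 8.1.32/8.4.1/8.4.2 before the first `--apply`, and the `eth0` argument to the iptables script all match the new two-pass procedure and the new script interface.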
@ -84,7 +92,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L
### Set grub passwd ### Set grub passwd
superusers: harbiansuper superusers: harbiansuper
passwd: harbian_AUDIT,12@) passwd: harbian_AUDIT,09!)
Related how to config grub2 password protection, please reference: Related how to config grub2 password protection, please reference:
[how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) [how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
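Review bot: the grub superuser password is written in plaintext here and again in the usage document, so on any system built from the public image it protects the boot menu only against someone who has not read the docs. The usage document should instruct users to generate a new hash with `grub-mkpasswd-pbkdf2` and replace it on first boot, and this build document could point to that instead of carrying the literal value.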
@ -102,17 +110,31 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
### Clean up ### Clean up
#### Uninstall
```
$ sudo apt-get purge --autoremove unzip -y
```
#### Clean harbian-audit temp file and conf #### Clean harbian-audit temp file and conf
``` ```
$ sudo rm /opt/master.zip $ sudo rm /opt/master.zip
$ sudo rm /opt/harbian-audit-master/tmp/backups/* $ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg $ cd /opt/harbian-audit-master/etc/conf.d
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
``` ```
#### AIDE RE-INIT #### Final fix
``` ```
$ sudo aideinit -y -f $ cd /opt/harbian-audit-master
``` $ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
$ sudo bash bin/hardening.sh --apply --only 8.1.32
$ sudo bash bin/hardening.sh --apply --only 8.4.1
$ sudo bash bin/hardening.sh --apply --only 8.4.2
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
```
#### Clear the current log #### Clear the current log
``` ```
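Review bot: `sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)` depends on bash's `extglob` option being set in the interactive shell; when it is not, the `!(` is either a syntax error or a history-expansion failure and nothing is removed. Add `shopt -s extglob` on the line before, or use `find . -maxdepth 1 -name '*.cfg' ! -name 8.1.32_freeze_auditd_conf.cfg ! -name 8.4.1_install_aide.cfg ! -name 8.4.2_aide_cron.cfg -delete`, which does not depend on shell options. In `Final fix`, the AMI document reboots between applying 8.1.32 and the 8.4.x items, while this document applies all three back to back; the README describes these as separate passes with reboots, so the two documents should agree on the procedure.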
@ -135,6 +157,11 @@ $ sudo -s
# echo > /var/log/wtmp # echo > /var/log/wtmp
``` ```
#### AIDE RE-INIT
```
$ sudo aideinit -y -f
```
#### Clear bash hostory #### Clear bash hostory
``` ```
# echo > ~/.bash_history # echo > ~/.bash_history
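Review bot: moving `aideinit -y -f` after the log clearing is the right order, but `Clear bash hostory` (`echo > ~/.bash_history`) still follows it, so if the AIDE configuration covers home directories the first scheduled check will flag that file; put the re-init after the history clearing as the last step before `poweroff`. The heading typo `hostory` is unchanged context in this hunk but is worth fixing while the file is being edited.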
@ -147,6 +174,6 @@ $ sudo poweroff
## sign QEMU image ## sign QEMU image
ssh to QEMU server, find QEMU image dir, sign the QEMU image: ssh to QEMU server, find QEMU image dir, sign the QEMU image:
``` ```
root@debian-9:/opt/images# gpg -b harbian-audit_Debian_9.qcow2 root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2
``` ```
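Review bot: `gpg -u Samson -b` selects the signing key by user-id substring, which becomes ambiguous as soon as a second key matching "Samson" is in the keyring; pass the key's full fingerprint to `-u`, and publish that fingerprint in the usage document so verifiers can confirm they imported the right key rather than relying on "Good signature" alone.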

@ -1,50 +1,32 @@
# How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9 # How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9
## Overview ## Overview
Image name: harbian-audit_Debian_9.qcow2 Image name: debian9.9-harbian-0910.qcow2
Disk size: 50G Disk size: 20G
File system:
```
harbian-audit@harbian:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 2.0G 0 2.0G 0% /dev
tmpfs 396M 5.5M 391M 2% /run
/dev/mapper/harbian--vg-root 15G 1.3G 12G 10% /
tmpfs 2.0G 8.0K 2.0G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
/dev/vda1 236M 37M 187M 17% /boot
tmpfs 2.0G 0 2.0G 0% /tmp
/dev/mapper/harbian--vg-home 27G 45M 25G 1% /home
tmpfs 396M 0 396M 0% /run/user/1000
```
grub password protection: grub password protection:
username: harbiansuper username: harbiansuper
password: harbian_AUDIT,12@) password: harbian_AUDIT,09!)
Users info: Users info:
user: root user: root
passwd: 1qaz@WSX3edc$RFV5tgb passwd: 1qaz@WSX3edc$RFV5tgb
user: harbian-audit user: auditadmin
passwd: 2wsx#EDC4rfv%TGB6yhn passwd: 2wsx#EDC4rfv%TGB6yhn
## Get QEMU image ## Get QEMU image
### Download address ### Download address
[https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing](https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing) [debian9.9-harbian-0910.qcow2.tar.gz](https://drive.google.com/file/d/1HwaHF94AJx-95HeIVi4cUFA5aiQ_diz2/view?usp=sharing)
![1](./picture/download_01.png)
![2](./picture/download_02.png)
![3](./picture/download_03.png)
### Verify ### Verify
``` ```
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig
$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig
$ gpg --verify harbian-audit_Debian_9.qcow2.tar.gz.sig harbian-audit_Debian_9.qcow2.tar.gz $ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz
$ tar -xzvf harbian-audit_Debian_9.qcow2.tar.gz $ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz
$ gpg --verify harbian-audit_Debian_9.qcow2.sig harbian-audit_Debian_9.qcow2 $ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2
``` ```
## Use the QEMU image to create virtual machine ## Use the QEMU image to create virtual machine
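Review bot: the `Verify` block has several problems. Both `wget` URLs are `github.com/.../blob/...` pages, which return HTML rather than the signature bytes, so `gpg --verify` will fail on what is downloaded; use the raw file URLs. The first `.sig` path lacks the `signature/` directory component that the second one has. `-u` is a signing option and has no effect on `--verify`, where the key is taken from the signature itself, so the document should instead say where to import the public key from and give its fingerprint. Separately, the account listed here is `auditadmin` while the build document declares `username: harbian-audit`, and both account passwords are printed in clear; the first-boot instructions should require changing them.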

@ -11,7 +11,6 @@
## Set failure mode to syslog ## Set failure mode to syslog
-f 1 -f 1
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change
@ -28,7 +27,9 @@
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale -w /etc/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy -w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
-w /var/log/faillog -p wa -k logins -w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins -w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins -w /var/log/tallylog -p wa -k logins
@ -45,20 +46,49 @@
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k sudoers -w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers -w /etc/sudoers.d/ -p wa -k sudoers
-e 2 -w /var/log/sudo.log -p wa -k sudoaction
-w /var/log/auth.log -p wa -k sudoaction
-w /sbin/insmod -p x -k modules -w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
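Review bot: moving `-e 2` from the middle of the file to the end fixes a real problem (every rule after the old position could not be loaded once the configuration was locked), but the new `privileged` block duplicates rules that already exist further down under other keys, for example `/usr/lib/openssh/ssh-keysign` and `/usr/bin/ssh-agent` (`-k privileged` here, `-k privileged-ssh` below), `/usr/bin/passwd` (`-k privileged-passwd`), `/usr/bin/newgrp`, `/usr/bin/chsh`, `/usr/bin/crontab`, `postdrop` and `postqueue`. The kernel ignores the key when comparing rules, so the second definition of each path is rejected as an existing rule and its key never attaches, and depending on how `auditctl -R` is invoked the load can stop at that first error. Keep one rule per path, with the key the detection rules expect.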
@ -70,26 +100,31 @@
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change -a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-w /etc/audit/auditd.conf -p wa -k config_file_change -a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-w /etc/audit/rules.d/ -p wa -k config_file_change -a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-w /etc/default/grub -p wa -k config_file_change -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-w /etc/fstab -p wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-w /etc/hosts.deny -p wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-w /etc/login.defs -p wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-w /etc/pam.d/ -p wa -k config_file_change -a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-w /etc/profile -p wa -k config_file_change -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
-w /etc/profile.d/ -p wa -k config_file_change -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-w /etc/security/ -p wa -k config_file_change -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-w /etc/iptables/ -p wa -k config_file_change -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-w /etc/sysctl.conf -p wa -k config_file_change -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-e 2
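Review bot: `-F auid>=500` on the `/usr/bin/chfn` rule is inconsistent with the `auid>=1000` used everywhere else in this file (Debian's `UID_MIN` is 1000), and the same path already has a `privileged` rule in the block above. The `execve -C uid!=euid` and `gid!=egid` rules are defined only for `arch=b64`, while the rest of the file pairs every syscall rule with a `b32` counterpart, so privilege changes by 32-bit binaries would not be recorded. `-e 2` now correctly sits on the last line; anything appended after it will be ignored, so a comment saying so would save a future editor a surprise.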

@ -1,6 +1,16 @@
#!/bin/bash #!/bin/bash
IPT="/sbin/iptables" IPT="/sbin/iptables"
PUB_IFS="ens33"
if [ $# -lt 1 ]; then
echo "Must be set to greater than or equal to a public network interface. "
echo "usage: $0 eth0, or $0 eth0 eth1"
exit 1
else
PUB_IFS="$@"
echo "Public interface is $PUB_IFS"
fi
echo "Starting IPv4 Wall..." echo "Starting IPv4 Wall..."
$IPT -F $IPT -F
$IPT -X $IPT -X
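Review bot: the script flushes every chain before the interface names are used, so a mistyped argument leaves the host with rules bound to an interface that does not exist; validate each argument with `ip link show "$i" >/dev/null` before touching any rule and exit non-zero otherwise. Minor: `PUB_IFS="$@"` joins the arguments with spaces, which works with the `for PUB_IF in $PUB_IFS` loop, but `PUB_IFS="$*"` states that intent directly, and the usage message "Must be set to greater than or equal to a public network interface" should read "At least one public network interface must be given". Removing the `PUB_IFS="ens33"` default is the right call: a silent default is how rules end up on the wrong NIC.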
@ -11,7 +21,6 @@ IPT="/sbin/iptables"
$IPT -N LOGDROP $IPT -N LOGDROP
modprobe ip_conntrack modprobe ip_conntrack
PUB_IFS="ens33"
#unlimited #unlimited
$IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -i lo -j ACCEPT
@ -76,11 +85,10 @@ do
$IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT $IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT $IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# allow ssh/http/ntp/dhclint only # allow ssh/ntp/dhclint/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
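Review bot: moving the `ip6tables` NTP rule out of the IPv4 script is correct now that IPv6 has its own script. For the remaining `udp --dport 123 -m state --state NEW -j ACCEPT` rule: an NTP client only needs the ESTABLISHED return traffic already accepted earlier in the script, so this line opens port 123 to unsolicited queries from anywhere; keep it only if the host is meant to serve time, and the same applies to the IPv6 script. The comment typo `dhclint` is unchanged context but worth fixing.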

@ -0,0 +1,107 @@
#!/bin/bash
IPT="/sbin/ip6tables"
PUB_IFS="ens33"
if [ $# -lt 1 ]; then
echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1"
exit 1
else
PUB_IFS="$@"
echo "Public interface is $PUB_IFS"
fi
echo "Starting IPv6 Wall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -N LOGDROP
modprobe ip_conntrack
#unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s fe80::/64 -j DROP
$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT
$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
for PUB_IF in $PUB_IFS
do
# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Fragments
$IPT -A INPUT -i ${PUB_IF} -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -j DROP
# block bad stuff
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
done
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 4 -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 8 -j ACCEPT
# allow ssh/ntp/dhclint/http/https only
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p ipv6-icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent ssh brute force attack
$IPT -A LOGDROP -j LOG
$IPT -A LOGDROP -j DROP
# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
exit 0
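Review bot: three rules in this new script break IPv6 connectivity rather than filter it. `$IPT -A INPUT -i ${PUB_IF} -j DROP` under `# Fragments` has no fragment match (ip6tables has no `-f`; use `-m frag`), so it drops every inbound packet on the public interface and makes all the ACCEPT rules after it for ssh, NTP, DHCPv6 and ICMPv6 unreachable; the LOG line just before it likewise logs all traffic, not fragments. `$IPT -A INPUT -s fe80::/64 -j DROP` discards neighbour discovery and router advertisements, which are sourced from link-local addresses, so the host loses its default route and neighbour cache, and the DHCPv6 accept on port 546 further down can never match because the server's packets are also link-local. The ICMPv6 types are copied from the IPv4 script: `--icmpv6-type 4` is Parameter Problem and type 8 is unassigned, whereas echo request/reply are 128/129 and neighbour discovery needs types 133 to 137 accepted. Also, `modprobe ip_conntrack` loads the IPv4 tracker (the IPv6 one is `nf_conntrack_ipv6` on this kernel generation, and state matching loads it on demand anyway), and the loopback ACCEPT pair appears twice.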

@ -5,6 +5,22 @@
# debian version check # debian version check
# #
is_debian_ge_9()
{
if [ -r /etc/debian_version ]; then
if [ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]; then
debug "Debian version is greater than or equal to 9"
FNRET=0
else
debug "Debian version is less than 9"
FNRET=1
fi
else
debug "Current OS is not Debian."
FNRET=2
fi
}
is_debian_9() is_debian_9()
{ {
if [ -r /etc/debian_version ]; then if [ -r /etc/debian_version ]; then
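Review bot: `is_debian_ge_9` tests `[ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]`, but on testing/unstable `/etc/debian_version` holds a codename such as `bullseye/sid`, so `[` fails with "integer expression expected" and the else branch sets `FNRET=1` for a system that is in fact newer than 9. Guard with a numeric check (`case` on `[0-9]*` or `[[ $v =~ ^[0-9]+$ ]]`), or fall back to `VERSION_ID` from `/etc/os-release`, and quote the substitution. The three-valued `FNRET` (0/1/2) is fine as long as every caller tests `= 0` rather than `= 1`, which the changed `is_service_active` below does.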
@ -136,12 +152,16 @@ has_file_correct_ownership() {
has_file_correct_permissions() { has_file_correct_permissions() {
local FILE=$1 local FILE=$1
local PERMISSIONS=$2 local PERMISSIONS=$2
if [ -e $FILE ]; then
if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
FNRET=0 FNRET=0
else else
FNRET=1
fi
else
FNRET=1 FNRET=1
fi info "$FILE is not exist!"
fi
} }
does_pattern_exist_in_file() { does_pattern_exist_in_file() {
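Review bot: the new existence guard is good, but the inner test still uses `$1` where the function already has `local FILE=$1`; use `"$FILE"` in both places and quote it in `[ -e "$FILE" ]` so paths with spaces do not break the test. `-e` follows symlinks, consistent with `stat -L`, so a dangling symlink is reported as missing, which is the right answer for a permissions check. The message should read `"$FILE does not exist"`.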
@ -254,7 +274,7 @@ is_service_active() {
if [ $OS_RELEASE -eq 2 ]; then if [ $OS_RELEASE -eq 2 ]; then
FNRET=0 FNRET=0
else else
is_debian_9 is_debian_ge_9
fi fi
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then