Compare commits

204 Commits

Author SHA1 Message Date
Samson-W
bb6574e441 Remove AMI images for Ohio and Tokyo regions. 2024-07-08 00:08:59 +08:00
Samson-W
2d83a6a34e Fix #54: hardening.sh: line 275: [: missing ] 2023-10-21 15:00:37 +08:00
Samson-W
e00770d5ff Optimize 9.2.14 audit items, and update README.md README-CN.md 2023-08-25 01:49:11 +08:00
Samson.W
9545137a08
Merge pull request #53 from hardenedlinux/add_dictcheck_pwquality
Add 9.2.14 for dictcheck of pwquality
2023-08-24 21:47:24 +08:00
Samson-W
436dea1f6b Update 9.2.14_pam_dictcheck_pwquality.sh 2023-08-24 21:45:09 +08:00
Samson-W
c3744f83a0 Add 9.2.14_pam_dictcheck_pwquality.sh 2023-08-24 00:45:51 +08:00
Samson.W
b88af0e351
Merge pull request #52 from atastycookie/master-1
Fixing Markdown markup
2023-08-09 20:43:59 +08:00
Roman
67c97fe7fc
Fixing Markdown markup 2023-08-09 14:22:23 +04:00
Samson-W
9822545cc8 Update the description information of 8.7.2 2023-07-15 18:02:28 +08:00
Samson-W
d496c2b320 Update README.md README-CN.md 2023-07-15 02:09:54 +08:00
Samson-W
612a90d844 Fix #50: Autofix improvement: Ensure journald is configured to write logfiles to persistent disk 2023-07-15 02:03:40 +08:00
Samson-W
d995a65375 Fix #49: Autofix improvement: Ensure journald is configured to compress large log files 2023-07-15 02:02:58 +08:00
Samson-W
8c0b9da8b3 Add clean: Cleanup of usage traces to ~/.ssh/known_hosts file. 2023-07-15 01:23:40 +08:00
Samson-W
eaa2339336 Fix #51 Autofix improvement: Ensure rsyslog default file permissions are configured. Add method for check FileCreateMode in /etc/rsyslog.d/ 2023-07-10 01:11:55 +08:00
Samson-W
8e97a31f98 Fix some bugs: When the find command has permission denied, it will exit due to an error, so remove set -e. 2023-07-05 00:11:51 +08:00
Samson-w
76c9070615 update README-CN.md README.md for Debian12 2023-06-17 16:22:37 +08:00
Samson-w
195ec744e0 Fix #40: Shadow utils checks are not possible to maintain with current requirements. 2023-06-17 13:57:38 +08:00
Samson-w
ee6cb27946 Del some not Scored check items. 2023-06-17 11:36:10 +08:00
Samson-w
eadba375b6 Fix some bugs about disable kernel module 2023-06-17 11:18:31 +08:00
Samson-w
e109fe76c6 Update 2.2 2.3 2.4 7.6 for Debian12. 2023-06-17 10:21:46 +08:00
Samson-W
ac5c810184 Fix a bug: Debian 12 errors : Current OS is not support! 2023-06-17 00:40:38 +08:00
Samson-W
1eecbc633f Fix some bugs for Debian12. 2023-06-17 00:14:38 +08:00
Samson-W
754ff95056 Fix #44: Debian 11 uses nftables, not iptables. Update 7.7.2 7.7.3 7.7.4.1 7.7.4.3 7.7.4.4 7.7.5.1 7.7.5.2 7.7.5.3 7.7.5.4 for nftables. 2023-06-17 00:12:06 +08:00
Samson-W
1b4337464a Update 7.7.2 7.7.3 7.7.4.1~7.7.4.4 for nftables. 2023-06-16 02:43:44 +08:00
Samson-W
f0d0f65467 Update 7.7.1 for nftables 2023-06-15 01:47:35 +08:00
Samson-W
14b396769a Fix #39: Need extra check on blacklisted Linux kernel modules. Update 2.18 2.19 2.20 2.21 2.22 2.23 2.24 14.1 2023-06-14 01:40:47 +08:00
Samson-W
4699911078 Fix #48: Debian 12 errors : Current OS is not support! 2023-06-13 01:23:56 +08:00
Samson-W
0ab75f8fa8 Update 9.2.14 for Debian12 2023-06-12 02:28:31 +08:00
Samson-W
2b6949548f Update 9.2.11 9.2.12 9.2.13 for Debian12 2023-06-12 02:18:30 +08:00
Samson-W
03f583ad94 Fix #43: Debian 11 uses pwquality, not cracklib. Update 9.2.4 9.2.5 9.2.6 9.2.7 9.2.8 9.2.9 9.2.10 for Debian11/Debian12 2023-06-12 01:59:10 +08:00
Samson-W
13f75e093e Update 9.2.3 for Debian12 2023-06-12 01:27:48 +08:00
Samson-W
ab55dd82ee Update 9.2.2 for Debian12 2023-06-12 01:23:48 +08:00
Samson-W
3308bd7aa4 Update 9.2.1 for Debian12 2023-06-12 00:59:29 +08:00
Samson-W
706cc65542 Adapt to the Debian 12 release version 2023-06-12 00:46:56 +08:00
Samson-W
881c51608e Fix #42: 14.1 grep returns line format that will never match the regex filter applied 2023-06-04 23:10:05 +08:00
Samson.W
07f7f86612
Merge pull request #47 from dominiquefournier/master
Add systemd-timesyncd to tests
2023-03-10 01:37:07 +08:00
root
1b7ee81794 Add systemd-timesyncd server 2023-03-07 13:55:24 +01:00
dominiquefournier
235c85c3d8
Merge pull request #1 from dominiquefournier/dominiquefournier-patch-3
Add Systemd-TimeSyncd to time synchronization packages
2023-03-07 11:46:40 +01:00
dominiquefournier
b36087e840
Update 6.19_configure_ntp.sh
Add systemd-timesyncd
2023-03-07 11:43:02 +01:00
Samson-W
1835a45c0e Fix pam-tally2.so is missing in Ubuntu #38, Modify 8.1.26 for support to ubuntu. 2022-09-05 14:14:13 +00:00
Samson-W
297b4fa343 Fix pam-tally2.so is missing in Ubuntu #38 2022-09-05 13:45:01 +00:00
Samson-W
d9b24e2e7e Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 17:52:01 +00:00
Samson-W
e5539baf5b Fix a bug in 8.1.27: when the system is Ubuntu, set the path of au-remote.conf to /etc/audit/plugins.d/au-remote.conf. 2022-08-25 18:40:14 +00:00
Samson-W
3bb4e50a7c Fix issues #37 need extra checks on audisp path on Ubuntu. 2022-08-25 18:11:23 +00:00
Samson.W
dbbec7cc98
Merge pull request #36 from Samson-W/master
Add 14.2: Check abuse 777 permissions
2022-04-01 01:14:30 +08:00
Samson-W
d894963f71 Add 14.2: Check abuse 777 permissions 2022-04-01 01:12:42 +08:00
Samson.W
666f071399
Merge pull request #35 from aptx4869/fix_log_permission
fix(log directory permissions) : Apply chmod only to logfiles
2021-11-15 03:14:31 +08:00
aptx4869
2a9a08bf9c
fix(log directory permissions) : Apply chmod only to logfiles instead of 'log/*'
Many services like nginx, redis, postgresql put their logs into subdirectory of /var/log
chmod -R 0640 /var/log/* will forbid those from entering the directories
2021-11-12 15:00:12 +08:00
Samson.W
aced6e66ac
Merge pull request #34 from Samson-W/master
Fix a bug: Replaced pam_tally2 with pam_faillock in debian 11.
2021-08-16 02:16:35 +08:00
Samson-W
79670bde38 Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-16 02:14:00 +08:00
Samson-W
f175cf4639 Update auditd rules of 8.1.26: replaced pam_tally2 with faillock in debian 11. 2021-08-16 00:57:51 +08:00
Samson.W
0d8593986f
Merge pull request #33 from Samson-W/master
Update Readme.md: support debian11
2021-08-15 17:30:51 +08:00
Samson-W
6b89d4cb24 Update Readme.md: support debian11 2021-08-15 17:29:46 +08:00
Samson.W
0652ec431f
Merge pull request #32 from Samson-W/master
Update the number of the check item .
2021-08-15 17:23:06 +08:00
Samson-W
356124dfdb Update the number of the check item . 2021-08-15 17:12:07 +08:00
Samson.W
baccad9c3b
Merge pull request #31 from Samson-W/master
Modify 4.8: Re-implement the detection items of disabled USB devices.
2021-07-28 00:45:26 +08:00
Samson-W
cfb0a3c22f Modify 4.8: Re-implement the detection items of disabled USB devices. 2021-07-28 00:42:01 +08:00
Samson.W
7e2bf1c5b5
Merge pull request #30 from Samson-W/master
Fix some bugs and apply rsyslog server
2021-07-18 21:55:40 +08:00
Samson-W
b3857a06da Modify the log prefix of iptables for the log classification collection of rsyslog. 2021-07-18 21:52:39 +08:00
Samson-W
9b7beb1588 Add some auditd rules for log server. 2021-07-17 22:47:39 +08:00
Samson-W
e4743a7588 Fix a bug space_left of auditd.conf 2021-07-17 22:46:18 +08:00
Samson.W
8995b0c9db
Merge pull request #29 from Samson-W/master
Fix a bug and update how_to_deploy_audisp_remote_for_audit_log.mkd
2021-07-16 01:02:21 +08:00
Samson-W
8ad11ac333 Fix a bug: If /var/log is a separate partition, check whether /var is a separate partition will be passed. 2021-07-16 00:58:37 +08:00
Samson-W
d262a18d70 Update how_to_deploy_audisp_remote_for_audit_log.mkd 2021-07-09 01:51:32 +08:00
Samson.W
c944bbb498
Merge pull request #28 from Samson-W/master
Modify for apply rsyslog.
2021-07-08 01:18:27 +08:00
Samson-W
0349040bb4 Modify for apply rsyslog. 2021-07-08 01:16:15 +08:00
Samson.W
bbd85fa9b6
Merge pull request #27 from Samson-W/master
Update README.md
2021-07-07 00:51:54 +08:00
Samson-W
54c2ac38a1 Update README.md 2021-07-07 00:50:08 +08:00
Samson-W
00531deb50 Update README.md 2021-07-06 23:58:29 +08:00
Samson.W
ffc3809e47
Merge pull request #26 from Samson-W/master
Fix a bug of 1.2 and add depend pkg info to 1.3
2021-07-04 04:32:54 +08:00
Samson-W
7d0be2a21e Add dependency pkg info for 1.3 2021-07-04 04:28:24 +08:00
Samson-W
7419bdc333 Fix a bug of 1.2 2021-07-04 03:31:46 +08:00
Samson.W
0124084e0b
Merge pull request #25 from Samson-W/master
Delete unimplemented items: 8.2.3 8.3.3 8.6 9.4
2021-06-24 01:43:58 +08:00
Samson.W
23e2fd0e4f
Merge branch 'hardenedlinux:master' into master 2021-06-24 01:41:54 +08:00
Samson-W
0bc369003c Delete unimplemented items: 8.2.3 8.3.3 8.6 9.4 2021-06-23 01:43:21 +08:00
Samson.W
8a02a3638c
Merge pull request #24 from Samson-W/master
Modify auditd related check items to apply -dont-auditd-by-uid and check_audit_path.
2021-06-22 21:51:36 +08:00
Samson-W
e45da09761 Modify some checklists apply check_audit_path 2021-06-22 21:20:30 +08:00
Samson-W
fad9b17d38 Rename 8.1.31 to 8.1.34, rename 8.1.34 to 8.1.31 2021-06-21 22:59:24 +08:00
Samson-W
b84fb622b5 Modify 8.1.34 for apply --dont-auditd-by-uid, and add aide-common pkg for 8.4.1 2021-06-21 22:23:49 +08:00
Samson-W
d825beb240 Fix a bug of check_audit_path function. 2021-06-21 02:17:08 +08:00
Samson-W
f6b1ea8286 Modify function check_audit_path to check whether the pathname of the rule in the form of 'auditctl -w' is valid. 2021-06-21 01:18:16 +08:00
Samson-W
20a266a774 Modify related auditd checklist for --dont-auditd-by-uid 2021-06-21 00:07:36 +08:00
Samson-W
6209e876e1 Fix a bug: when --dont-auditd-by-uid is not set to a valid value, it continues running 2021-06-20 23:53:35 +08:00
Samson.W
2330cea519
Merge pull request #23 from Samson-W/master
Add 8.1.32 8.1.33 8.1.34 for auditd rules, and rename 8.1.32 to 8.1.35
2021-06-20 21:46:34 +08:00
Samson-W
a9dc7057ae Add 8.1.32 8.1.33 8.1.34 for auditd rules, and rename 8.1.32 to 8.1.35. Add global variable DONT_AUDITD_BY_UID for enable/disable use UID in the auditd rules. 2021-06-15 21:38:36 +08:00
Samson-W
88983fe3a9 Call backup_file when modify some conf file in 1.2 and 1.3 2021-06-09 23:08:25 +08:00
Samson-W
d6fca32f10 Fix a bug: when the Debian version is the Codename, an error will occur 2021-02-22 12:08:40 +08:00
Samson-W
64bececd2d Fix some bugs for Debian11(bullseye). 2021-02-22 03:53:02 +08:00
Samson-W
5e8b093cd5 Add exception method for --allow-service to skip audit and apply. 2020-11-06 14:54:58 +08:00
Samson-W
fad60e595b Modify 9.3.11 9.3.21 9.3.24 to adapt the check of default parameter values through the runtime state of sshd configuration. 2020-11-06 01:42:22 +08:00
Samson-W
385bd6e8ba Apply check_sshd_conf_for_one_value_runtime for 9.3.12 2020-11-05 14:20:55 +08:00
Samson-W
7eb3f188f5 Optimize the error message for sshd configuration relate. 2020-11-05 02:47:53 +08:00
Samson-W
822d6ef2c8 Fix some bugs related to sshd configuration. 2020-11-05 02:23:42 +08:00
Samson-W
d9d2609e84 Apply check_sshd_conf_for_one_value_runtime for sshd config relate 2020-11-04 18:35:17 +08:00
Samson-W
cbf85fe443 Add check_sshd_conf_for_one_value_runtime method, and modify 9.3.2 2020-11-03 19:50:50 +08:00
Samson-W
34de8084d7 Modify apply method of 14.1 2020-11-02 21:56:30 +08:00
Samson-W
6bf8a58bef Add 14.1 for defense NAT slipstreaming and add method to utils 2020-11-02 21:26:48 +08:00
Samson-W
c24e12541e Fix issues #20 2020-09-22 12:52:12 +08:00
Samson-W
f2e49b69cc Update README.md README-CN.md 2020-09-19 10:52:58 +08:00
Samson-W
b550c2ddc2 Update some format of how_to_fix_SELinux_access_denied.mkd 2020-09-15 14:59:08 +08:00
Samson-W
a2c498537f Add how_to_fix_SELinux_access_denied.mkd 2020-09-15 05:47:16 +08:00
Samson-W
56bfb5e495 Update README.md and README-CN.md 2020-08-20 15:53:29 +08:00
Samson-W
cdc65bb494 Add auditd's rules of SELinux to 8.1.7 2020-07-07 17:27:14 +08:00
Samson-W
985ce35353 Modify description of 9.3.13 2020-07-06 23:22:47 +08:00
Samson-W
3fbb8a8452 Eliminate duplicate audit items 9.3.26 2020-07-05 17:36:36 +08:00
Samson-W
0e20dd251a Added function: Check the default value of the parameter that has not been set. 2020-07-05 17:28:20 +08:00
Samson-W
6598eb4b43 Fix a bug for apply method of 4.7 2020-07-03 00:47:28 +08:00
Samson-W
68f56e4f93 Fix a bug for apply method of 4.6 2020-07-01 02:42:49 +08:00
Samson-W
e72e87e45d Fix some bugs for 4.6 4.7 2020-06-29 18:27:51 +08:00
Samson-W
bf73f53554 Add check AppArmor status method to utils, and modify 4.6 and 4.7 2020-06-29 17:51:19 +08:00
Samson-W
9c29558fad Fix a bug for 4.7 2020-06-26 03:33:53 +08:00
Samson-W
3f7cb765d1 Fix some bugs for 4.6 2020-06-25 21:35:50 +08:00
Samson-W
b93743847d Fix a bug for 6.1 2020-06-21 04:55:34 +08:00
Samson-W
72c0d63343 Add exception config for X11 server to 6.1. 2020-06-21 04:37:32 +08:00
Samson-W
4ebc44d476 Add exception config for X11 server. 2020-06-21 04:29:18 +08:00
Samson-W
b50f38808c Fix spelling error. 2020-06-05 16:34:54 +08:00
Samson-W
a7ae943c52 Rename 4.7 to 4.8, and add audit and apply methods for 4.7_enable_selinux_policy.sh 2020-06-04 21:00:35 +08:00
Samson-W
303f280bb4 Fix a bug of 4.6 2020-06-04 17:48:55 +08:00
Samson-W
243d6b57af Add audit and apply methods for CentOS8 to 4.6 2020-06-04 17:43:13 +08:00
Samson-W
9b09558bba Modify 4.6 for compatible with Debian 9.* 2020-06-04 03:57:37 +08:00
Samson-W
fc24c6bc35 Add a function to detect MAC that has been activated. 2020-06-04 02:52:06 +08:00
Samson-W
2d1e57dca9 Fix spelling errors. 2020-06-02 16:17:39 +08:00
Samson-W
0c5dedf5d5 Rename 4.6_disable_usb_devices.sh to 4.7_disable_usb_devices.sh, and add audit and apply methods for 4.6 Enable selinux. 2020-06-02 04:05:48 +08:00
Samson-W
44dbfbac01 Fix issues #16 8.1.3_audit_bootloader check not accounting entire configs 2020-05-18 18:43:57 +08:00
Samson-W
7e80cdc2aa Fix a bug for 8.1.31 #15 2020-05-18 16:43:32 +08:00
Samson-W
41b813d795 Merge branch 'master' of github.com:hardenedlinux/harbian-audit 2020-05-17 03:33:38 +08:00
Samson-W
33c9611cc5 Fix issues #15 auditd check has duplicates. 2020-05-17 03:32:12 +08:00
Samson-W
175486964e Fix issues #14 auditd check has duplicates. 2020-05-17 03:31:07 +08:00
Samson-W
654813d8b4 According to the latest STIG, modify minlen to 15. 2020-05-17 01:39:21 +08:00
Samson-W
1570943606 Add a method to determine the system version for compatibility. 2020-05-14 18:14:43 +08:00
Samson-W
2e0435363c Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 18:05:56 +08:00
Samson-W
7bee47fbf1 Update some docs. 2020-04-26 01:02:36 +08:00
Samson-W
d54fa4f75c Remove the sudo command from docs. 2020-04-26 00:50:30 +08:00
Samson-W
2678bb54b4 Optimize the method of uninstallation. 2020-04-17 14:20:04 +08:00
Samson-W
0333022739 Fix spelling error 2020-04-16 17:24:48 +08:00
Samson-W
da61977969 Modify the check_audit_path method to pass check when audited record path does not exist in OS. 2020-04-16 17:21:08 +08:00
Samson-W
93031e98fe Update harbianaudit.sh 2020-04-15 15:49:18 +08:00
Samson-W
76bf0a6809 Update how-to-build-deb-package.md 2020-04-15 00:08:26 +08:00
Samson-W
b52bca5270 Update simple cdd profiles. 2020-04-15 00:04:28 +08:00
Samson-W
869d015f85 Fix spelling errors. 2020-04-14 17:49:41 +08:00
Samson-W
e82fac2699 Add sign method to how to build deb package doc. 2020-04-14 03:01:15 +08:00
Samson-W
2e66b441c3 Add how-to-build-deb-package.md, adjust directory location. 2020-04-14 02:31:29 +08:00
Samson-W
9d46f0acd1 Add build-simple-cdd configurations. 2020-04-13 17:23:30 +08:00
Samson-W
5ae5c84416 Add save iptables rules commands to harbianaudit.sh 2020-04-13 17:02:57 +08:00
Samson-W
ffe2df12fe Add deb package configurations. 2020-04-13 01:12:32 +08:00
Samson-W
3d2bae1173 Rename bin/harbianaudit to bin/harbianaudit.sh 2020-04-12 18:02:18 +08:00
Samson-W
d4d97c6288 Add bash script for deb package. 2020-04-12 16:58:27 +08:00
Samson-W
399271f926 Fix pathname in etc/default.cfg 2020-04-11 22:11:46 +08:00
Samson-W
8c035b0e84 Modify etc/default.cfg for make deb package. 2020-04-11 18:55:02 +08:00
Samson-W
21f2307c28 Remove debian/default to etc/default.cfg. 2020-04-11 18:45:52 +08:00
Samson-W
28ea22e13e Remove debian dir and move debian/default to etc/default.cfg, modify the associated file. 2020-04-11 18:41:12 +08:00
Samson-W
fbecebbae7 Update README* docs. 2020-03-09 05:17:43 +08:00
Samson-W
0989b9f4e3 Modify variable name: *REDHAT to *CENTOS. 2020-03-06 16:02:11 +08:00
Samson-W
3b61a0e406 Modify methods name: *_redhat to *_centos. 2020-03-06 03:57:46 +08:00
Samson-W
4bb01e5c2e Modify audit and apply methods for CentOS 8 to 10.1.5 2020-03-04 14:50:07 +08:00
Samson-W
e8b70e9bf7 Modify the values in 10.1.1 and 10.1.2 check items according to U_Red_Hat_Enterprise_Linux_7_V2R5. 2020-03-04 14:47:00 +08:00
Samson-W
38c4df36fb Update comment: CentOS8->CentOS 8. 2020-02-28 15:02:13 +08:00
Samson-W
6e1c9b36bb Update comment for Description of which operating systems are implemented. 2020-02-28 00:56:28 +08:00
Samson-W
20b68e21b5 Fix some bugs for 12.2 12.4 12.6 12.13, and test others(12.*) and add comments. 2020-02-24 05:09:17 +08:00
Samson-W
ba36181d3a Modify audit method for 11.1 2020-02-20 01:55:32 +08:00
Samson-W
24fd4aacc2 Fix some bugs for 6.18 and lib 2020-01-17 04:04:54 +08:00
Samson-W
8e0c2dc6e2 Fix some bug for tmp.mount apply method. 2020-01-16 18:17:18 +08:00
Samson-W
3cc483526b Modify 10.1.8 for CentOS8. 2020-01-16 05:00:39 +08:00
Samson-W
665e54898a Modify audit and apply methods for redhat/CentOS to 10.1.8 2020-01-16 04:27:58 +08:00
Samson-W
cd82d799fc Modify audit and apply methods for redhat/CentOS to 10.1.9 10.1.10 2020-01-15 20:13:54 +08:00
Samson-W
0cf45160f4 Modify audit and apply methods for redhat/CentOS to 10.1.2 10.1.3 10.1.4 2020-01-15 03:45:17 +08:00
Samson-W
490ee96c94 Fix some bug for 10.1.1 2020-01-15 03:34:31 +08:00
Samson-W
13ae52fb76 Rename 9.2.13 and 9.2.17 2020-01-15 03:03:34 +08:00
Samson-W
623cfa4812 Fix a bug for 9.2.16 2020-01-15 02:59:42 +08:00
Samson-W
39dc43adb2 Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17
Add reset_ok function.
2020-01-15 02:54:00 +08:00
Samson-W
1700f375a4 Fix a bug for 9.2.14 2020-01-15 00:06:57 +08:00
Samson-W
74a6bb379f Fix some bug for 9.2.14 2020-01-14 15:40:32 +08:00
Samson-W
9254968cea Modify audit and apply methods for redhat/CentOS to 9.2.14 2020-01-14 15:25:08 +08:00
Samson-W
dc2a8d3a51 Modify audit and apply methods for redhat/CentOS to 9.2.14 2020-01-14 15:24:15 +08:00
Samson-W
88d444950a Modify audit and apply methods for redhat/CentOS to 9.2.12. 2020-01-14 12:06:47 +08:00
n3o4po11o
6f09fd4c00
fix signature url and command 2020-01-13 21:40:48 +08:00
Samson-W
42b057347c Add add_line_file_after_pattern_lastline function.
Add audit and apply methods for redhat/CentOS to 9.2.11.
2020-01-13 16:08:51 +08:00
Samson-W
e777a839e3 Modify 5.3 for CentOS8. 2020-01-08 17:27:47 +08:00
Samson-W
3f8aa47a3f Update README.md 2020-01-07 23:49:45 +08:00
Samson-W
f5b0d991c4 Fix a bug for 8.1.3 2020-01-07 13:39:10 +08:00
Samson-W
ae142b1cf9 Modify 8.1.27 for CentOS. 2020-01-06 17:20:52 +08:00
Samson-W
8b3cecb3fa Fix a bug of check_audit_path function. 2020-01-06 16:41:15 +08:00
Samson-W
5a9c6c83bf Fix a bug: check if the package is installed. 2020-01-02 16:44:38 +08:00
Samson-W
b4a598ad18 Fix a bug for 2.25, and add uninstall_pkg methods. 2019-12-29 16:54:24 +08:00
Samson-W
c2417d89ee Fix a bug for 10.1.6 2019-12-29 15:12:23 +08:00
Samson-W
b7794be540 Fix a bug for 13.7 2019-12-28 17:02:19 +08:00
Samson-W
ffa8e2b01f Fix a bug for 9.5 2019-12-28 16:53:15 +08:00
Samson-W
60daf8a4f6 Fix some bugs for CentOS8. 2019-12-28 16:38:34 +08:00
Samson-W
fa9d907985 Fix some bugs for CentOS8. 2019-12-28 04:28:09 +08:00
Samson-W
912ba677ff Fix some bugs for CentOS8. 2019-12-28 03:51:09 +08:00
Samson-W
816c101241 Fix some bugs for CentOS8 2019-12-28 02:32:49 +08:00
Samson-W
d98f6f1ca8 Fix a bug for 7.7.1 2019-12-28 00:43:53 +08:00
Samson-W
8c591a1ef0 Add audit and apply methods for redhat/CentOS to 7.4.2 7.7.1 2019-12-27 18:05:10 +08:00
Samson-W
7c85266947 Fix some bugs: tcp wrapper is not available in CentOS8. 2019-12-27 14:29:32 +08:00
Samson-W
9a1ccdbcbf Fix 6.8 and 7.4.1, and add is_centos_8 method. 2019-12-23 02:13:49 +08:00
Samson-W
837125d368 Fix a bug for 6.17: install clamav in CentOS8. 2019-12-20 15:14:09 +08:00
Samson-W
33588912b3 Fix a bug for 6.2 2019-12-19 15:35:29 +08:00
Samson-W
cce1204ad5 Rename 5.8 to 5.5 2019-12-18 14:56:33 +08:00
Samson-W
bdf62c2270 Update README doc for CentOS 2019-12-18 11:57:36 +08:00
Samson-W
ad6ecae6ac Fix a bug: when audit-all in CentOS, 10.1.7 have a error. 2019-12-17 15:29:49 +08:00
Samson-W
f33baefb90 Add reference links to README. 2019-12-14 19:35:22 +08:00
Samson-W
19229c8947 Merge branch 'master' of github.com:hardenedlinux/harbian-audit 2019-11-29 17:22:03 +08:00
Samson-W
caef9911e3 1. Add doc: how to creating a QEMU img for CentOS;
2. Rename how_to_creating_and_making_a_QEMU_img.mkd.
2019-11-29 17:21:47 +08:00
Samson.W
b222744006
Merge pull request #13 from hardenedlinux/harbian-audit-deepin
Merge pull request #12 from hardenedlinux/master
2019-11-15 01:16:44 +08:00
320 changed files with 7068 additions and 3885 deletions

@ -1,12 +1,12 @@
# harbian-audit审计与加固
## 简介
此项目是一个Debian GNU/Linux加固发行版本审计工具。主要的测试环境是基于Debian GNU/Linux 9其它版本未充分测试。此项目主要是针对的Debian GNU/Linux服务器版本,对桌面版本及SELinux相关的项没有实现。
此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis)根据Debian GNU/Linux 9的一些特性进行了优化并根据安全部署合规STIG[STIG Redhat V1R4](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip)及CIS[cisecurity.org](https://www.cisecurity.org/)进行了安全检查项的添加同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能同时也有自动修改的功能。
此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8及Ubuntu22,其它版本未充分测试。此项目主要是针对服务器版本,对桌面版本的项没有实现。
此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis)根据Debian GNU/Linux 9的一些特性进行了优化并根据安全部署合规STIG[STIG Red_Hat_Enterprise_Linux_7_V2R5](redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip)及CIS[cisecurity.org](https://www.cisecurity.org/)进行了安全检查项的添加同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能同时也有自动修改的功能。
审计功能的使用示例:
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
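Review bot: The new STIG link in the second introduction paragraph is a relative path (redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip), while the matching README.md line points at the full https://github.com/hardenedlinux/STIG-OS-mirror/... URL. A relative path resolves inside this repository, so use the same absolute URL here. The same paragraph also still says the framework was tuned for "Debian GNU/Linux 9" only, although the line above it now lists 9/10/11/12, CentOS 8 and Ubuntu 22.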
@ -17,25 +17,25 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 271
Total Runned Checks : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.39 %
```
## 快速上手使用介绍
### 下载及初始化
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
```
### 对所有的安全检查项进行审计
```
$ sudo bin/hardening.sh --audit-all
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
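Review bot: The updated summary block does not add up: 226 passed plus 44 failed is 270, but Total Available Checks and Total Runned Checks both say 271. Either one check is neither passed nor failed (then say so in the sample) or the figures were edited by hand; paste the counts and the Conformity Percentage from a single real run.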
@ -46,17 +46,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 270
Total Runned Checks : 270
Total Passed Checks : [ 226/270 ]
Total Failed Checks : [ 44/270 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.70 %
```
### 设置加固级别并进行自动修复
```
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
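Review bot: The quick start runs --set-hardening-level 5 and --apply before the reader reaches the "需要预先进行的配置" section, which states that users without a password cannot log in after hardening. Since this block is what people copy, add a one-line pointer to that requirement directly above the --apply command.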
@ -75,17 +75,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 需要预装的软件
如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件
```
sudo apt-get install -y bc net-tools pciutils
# apt-get install -y bc net-tools pciutils
```
如果系统是Redhat/CentOS在使用此项目前需要安装如下的软件包
```
sudo yum install -y bc net-tools pciutils NetworkManager
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### 需要预先进行的配置
在使用此项目前,必须给所有要用到的用户设置了密码。如果没有设置密码的话,将在进行自动化加固后不能够登录到系统。例如(用户root和test:
```
$ sudo -s
# passwd
# passwd test
```
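Review bot: The Debian package line here installs bc net-tools pciutils, while the corresponding line in README.md also installs network-manager. The two READMEs should list the same prerequisites; add network-manager here or drop it there.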
@ -131,7 +131,7 @@ EXCEPTIONS=""
## 修复后必须进行的操作 (非常重要)
当set-hardening-level配置为5最高等级且使用--apply运行了后需要进行如下的操作
1) 当9.5项被修复后(Restrict Access to the su Command), 如果必须使用su的场景例如如果使用ssh远程登录当以普通用户登录后需要使用su命令时可以使用如下命令进行解除限制
1) 当9.4项被修复后(Restrict Access to the su Command), 如果必须使用su的场景例如如果使用ssh远程登录当以普通用户登录后需要使用su命令时可以使用如下命令进行解除限制
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
```
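Review bot: Step 1) hard-codes the item number, which this change has to move from 9.5 to 9.4 after the renumbering. Referring to the check by its title (Restrict Access to the su Command) or by its script file name would keep the step correct the next time items are renumbered.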
@ -155,8 +155,8 @@ EXCEPTIONS=""
基于iptables的部署:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
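Review bot: In the iptables block the new root-prompt line "# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME" now comes before the unchanged "$ sudo -s" line, so the prompts read root first and only then become root. INTERFACENAME is also assigned at the "$" prompt and will not be set in a separately started root shell. Move "$ sudo -s" to the top of the block, assign the variable at the "#" prompt, and quote it as "$INTERFACENAME".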
@ -164,19 +164,19 @@ $ sudo -s
按照以下命令修改nftables.conf(你的对外网口的名称例如eth0):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作
1.使用passwd命令去重新设置常规用户及root用户的密码以满足pam_cracklib模块配置的密码强度和健壮性。
2. 重新初始化aide工具的数据库。
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## 特别注意
### 必须在第一次修复应用后进行修复的项
8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。
8.1.35 因为此项一旦设置,审计规则将不能够再进行添加。
### 必须在所有项都修复应用后进行修复的项
8.4.1 8.4.2 这都是与aide检测文件完整性相关的项最好是在所有项都修复好后再进行修复以修复好的系统中的文件进行完整性的数据库的初始化。
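Review bot: The description of --final in step 5) still refers to the pam_cracklib module, but the commit list on this page includes "Fix #43: Debian 11 uses pwquality, not cracklib". Update the wording so it names pwquality for Debian 11/12, or name both modules with the releases they apply to. In the nftables block just above, the sed line keeps a "$" prompt while the nft line is now "#"; make the two consistent.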
@ -223,6 +223,9 @@ This document is a description of the additions to the sections not included in
[How to config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
[How to persistent iptables rules with debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd)
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### 应用场景示例文档列表
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
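Review bot: Of the three added links, how_to_migrating_from_iptables_to_nftables_in_debian10 ends in .md while every other document in this list ends in .mkd. Please confirm the file really has that extension, otherwise the link is dead.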
@ -233,20 +236,12 @@ This document is a description of the additions to the sections not included in
## harbian-audit合规制定的镜像
### AMI(Amazon Machine Image) Public
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
The HardenedLinux community has created public AMI images for Frankfurt regions.
Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### 相关文档
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)
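Review bot: The new sentence "has created public AMI images for Frankfurt regions" keeps the plurals from the three-region version; with one entry left it should read "a public AMI image for the Frankfurt region". The remaining AMI is still named for Debian GNU/Linux 9 only, which is worth stating in the text now that the introduction lists Debian 9/10/11/12.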

README.md Normal file → Executable file
@ -2,15 +2,15 @@
## Introduction
Hardened Debian GNU/Linux distro auditing.
Hardened Debian GNU/Linux and CentOS 8 distro auditing.
The main test environment is in debian 9, and other versions are not fully tested. There are no implementations of desktop and SELinux related items in this release.
The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release.
The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9, added and implemented check items for [STIG Redhat V1R4](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
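Review bot: The new headline "Hardened Debian GNU/Linux and CentOS 8 distro auditing." leaves out Ubuntu, which the next new sentence adds as a test environment ("ubuntu 22"). List the same distributions in both places, and capitalise them consistently (Debian, Ubuntu). In the framework paragraph, "project, Modified some of" should start a new sentence or use a lowercase "modified".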
@ -21,21 +21,22 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 271
Total Runned Checks : 271
Total Passed Checks : [ 226/271 ]
Total Failed Checks : [ 44/271 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
Conformity Percentage : 83.39 %
```
## Quickstart
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp debian/default /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
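Review bot: the updated sample summary in this hunk does not add up: it reports 271 runned checks with 226 passed and 44 failed, which sums to 270, and the Quickstart sample further down uses 270 as the total. Regenerate both samples from a single run so the totals and the conformity percentages (83.39 % here, 83.70 % below) agree.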
@ -46,14 +47,14 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Total Available Checks : 270
Total Runned Checks : 270
Total Passed Checks : [ 226/270 ]
Total Failed Checks : [ 44/270 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
Conformity Percentage : 83.70 %
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -73,18 +74,18 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
```
sudo apt-get install -y bc net-tools pciutils network-manager
# apt-get install -y bc net-tools pciutils network-manager
```
Redhat/CentOS need install packages before use the hardening tool:
```
sudo yum install -y bc net-tools pciutils NetworkManager
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### Pre-Set
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test):
```
$ sudo -s
# passwd
# passwd test
```
@ -140,10 +141,24 @@ Use the command to harden your OS:
# bash bin/hardening.sh --apply
```
### rsyslog config
If rsyslog is used, and you want to print the harbian-audit log to a separate log file, the configuration is as follows:
```
user.info /var/log/harbian-audit.log
user.* -/var/log/user.log
```
The log will be output to the file /var/log/harbian-audit.log.
If you apply docs/configurations/etc.iptables.rules.v4.sh to your firewall rules, and want to print the iptables log to a separate log file, insert the following lines to rsyslog.conf:
```
:msg,contains,"FW-" -/var/log/firewalllog.log
& stop
```
## After remediation (Very important)
When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following:
1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
1) When applying 9.4(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
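Review bot: in the new rsyslog section, the selector `user.info /var/log/harbian-audit.log` matches every message sent to the user facility at info priority or higher, not only harbian-audit output, and the `user.* -/var/log/user.log` line that follows means the same messages are written to both files. hardening.sh tags its summary with `[CIS_Hardening]` through logger, so consider documenting a filter on that tag followed by `& stop`, the way the firewall example in this section does for `FW-`.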
@ -169,8 +184,8 @@ Set the corresponding firewall rules according to the applications used. Hardene
to do the following:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
@ -180,20 +195,20 @@ $ sudo -s
to do the following(your network interfacename(Example eth0)):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) When all repairs are completed. --final method will:
1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
2. Aide reinitializes.
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## Special Note
Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix).
### Items that must be applied after the first application(reboot after is better)
8.1.32 Because this item is set, the audit rules will not be added.
8.1.35 Because this item is set, the audit rules will not be added.
### Items that must be applied after all application is ok
8.4.1
@ -201,9 +216,6 @@ Some check items check a variety of situations and are interdependent, they must
These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system.
### Items that need to be fix twice
8.1.1.2
8.1.1.3
8.1.12
4.5
## Hacking
@ -245,6 +257,7 @@ This document is a description of the additions to the sections not included in
[How to deploy audisp-remote for auditd log](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd)
[How to migrating from iptables to nftables in debian10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md)
[How to persistent nft rules with debian 10](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd)
[How to fix SELinux access denied](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_fix_SELinux_access_denied.mkd)
### Use case docs
[Nodejs + redis + mysql demo](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/use-cases/nodejs-redis-mysql-usecase/README.md)
@ -255,20 +268,12 @@ This document is a description of the additions to the sections not included in
## harbian-audit complianced image
### AMI(Amazon Machine Image) Public
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
The HardenedLinux community has created public AMI images for Frankfurt regions.
Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
#### Docs
[how to creating and making an AMI public](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd)
[how to use harbian-audit complianced for GNU/Linux Debian 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd)
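Review bot: wording in the replacement sentence: "public AMI images for Frankfurt regions" should read "for the Frankfurt region" now that only the EU(Frankfurt) entry remains. The remaining AMI name and both doc links still say Debian 9 while the README intro now lists Debian 9/10/11/12, so it is worth stating that the image covers Debian 9 only.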
@ -279,7 +284,6 @@ AMI Name: harbian-audit complianced for Debian GNU/Linux 9
[How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd)
[How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd)
## harbian-audit License
GPL 3.0
@ -307,12 +311,8 @@ Additionally, quoting the License:
3-Clause BSD
## Reference
- **Center for Internet Security**: https://www.cisecurity.org/
- **STIG V1R4**: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip
- **Firewall Rules**: https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw
- **Center for Internet Security**: [https://www.cisecurity.org](https://www.cisecurity.org)
- **STIG V1R4**: [https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip)
- **Firewall Rules**: [https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw](https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw)
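Review bot: the Reference list still points at STIG V1R4 on iasecontent.disa.mil, while the intro paragraph changed in this same README now links Red_Hat_Enterprise_Linux_7_V2R5 from the STIG-OS-mirror repository. Update the reference entry and its label to the V2R5 document so the two agree.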

17
bin/harbianaudit.sh Executable file

@ -0,0 +1,17 @@
#!/bin/bash
# For make deb package
/opt/harbianaudit/bin/hardening.sh --init
/opt/harbianaudit/bin/hardening.sh --audit-all
/opt/harbianaudit/bin/hardening.sh --set-hardening-level 5
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/7.4.4_hosts_deny.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.1.35_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.4.1_install_aide.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/8.4.2_aide_cron.cfg
sed -i 's/^status=.*/status=disabled/' /opt/harbianaudit/etc/conf.d/9.4_pam_restrict_su.cfg
/opt/harbianaudit/bin/hardening.sh --apply
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.1.35_freeze_auditd_conf.cfg
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.4.1_install_aide.cfg
sed -i 's/^status=.*/status=enabled/' /opt/harbianaudit/etc/conf.d/8.4.2_aide_cron.cfg
/opt/harbianaudit/bin/hardening.sh --apply --only 8.4.1
/opt/harbianaudit/bin/hardening.sh --apply --only 8.4.2
/opt/harbianaudit/bin/hardening.sh --apply --only 8.1.35
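Review bot: 7.4.4_hosts_deny.cfg and 9.4_pam_restrict_su.cfg are switched to status=disabled before the first --apply but are missing from the re-enable block, so they stay disabled after the script finishes, unlike 8.1.35, 8.4.1 and 8.4.2. If that is intentional, say so in a comment next to the two sed lines; otherwise re-enable them. The script also ignores failures: a failed --init or a sed against a missing .cfg file does not stop the later --apply, so check the exit status of each step.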


@ -25,6 +25,7 @@ SET_HARDENING_LEVEL=0
SUDO_MODE=''
INIT_G_CONFIG=0
FINAL_G_CONFIG=0
DONT_BY_UID_G_CONFIG=127
usage() {
cat << EOF
@ -90,6 +91,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
password strength and robustness;
2. Aide reinitializes.
--dont-auditd-by-uid <1/0>
Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
set 0 will use uid. Default is 0.
OPTIONS:
--only <test_number>
@ -158,6 +163,10 @@ while [[ $# > 0 ]]; do
--final)
FINAL_G_CONFIG=1
;;
--dont-auditd-by-uid)
DONT_BY_UID_G_CONFIG="$2"
shift
;;
*)
usage
;;
@ -175,20 +184,45 @@ if [ -z "$CIS_ROOT_DIR" ]; then
exit 128
fi
# For --dont-auditd-by-uid
if [ -z "$DONT_BY_UID_G_CONFIG" ]; then
usage
else
if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
echo "Set dont use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
else
echo "Set use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
fi
exit 0
fi
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
### Debian: OS_RELEASE=1 Redhat/centos: OS_RELEASE=2 Ubuntu: OS_RELEASE=3 Debian9~12: OS_RELEASE=9~12
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then
info "This OS is redhat/CentOS."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=2/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
elif [ -r /etc/lsb-release ]; then
if [ $(grep -i Ubuntu /etc/lsb-release -c) -ge 1 ]; then
info "This OS is Ubuntu."
sed -i 's/^OS_RELEASE=.*/OS_RELEASE=3/g' /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
elif [ -r /etc/debian_version ]; then
info "This OS is Debian."
:
get_debian_ver
sed -i "s/^OS_RELEASE=.*/OS_RELEASE=${FNRET}/g" /etc/default/cis-hardening
info "This OS is Debian $FNRET."
. /etc/default/cis-hardening
else
crit "This OS not support!"
exit 128
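Review bot: the --dont-auditd-by-uid value is used unquoted in `[ $DONT_BY_UID_G_CONFIG -ne 127 ]` without validation, so a non-numeric argument makes the test fail with an error and the script carries on as if the option had not been given, and any number other than 1 (for example 2) is silently treated as 0. Accept exactly 0 or 1, call usage otherwise, and quote the variables, $CIS_ROOT_DIR included. Also in this hunk, the --init branch `elif [ -r /etc/lsb-release ]` has no else for a non-Ubuntu file, so a system that ships /etc/lsb-release without the Ubuntu string never reaches the /etc/debian_version branch and OS_RELEASE is left unchanged.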
@ -198,8 +232,18 @@ fi
if [ $OS_RELEASE -eq 1 ]; then
info "Start auditing for Debian."
elif [ $OS_RELEASE -eq 9 ]; then
info "Start auditing for Debian9."
elif [ $OS_RELEASE -eq 10 ]; then
info "Start auditing for Debian10."
elif [ $OS_RELEASE -eq 11 ]; then
info "Start auditing for Debian11."
elif [ $OS_RELEASE -eq 12 ]; then
info "Start auditing for Debian12."
elif [ $OS_RELEASE -eq 2 ]; then
info "Start auditing for redhat/CentOS."
elif [ $OS_RELEASE -eq 3 ]; then
info "Start auditing for Ubuntu."
else
crit "This OS not support!"
exit 128
@ -226,10 +270,12 @@ if [ $FINAL_G_CONFIG -eq 1 ]; then
# Reinit aide database
info "Will reinitialize the AIDE database"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 1 -o $OS_RELEASE -eq 3 ]; then
aideinit
elif [ $OS_RELEASE -eq 2 ]; then
aide --init
else
aide --config /etc/aide/aide.conf --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
exit 0
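Review bot: as the hunk reads, inserting the new `else` branch in front of the existing `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` moves that mv out of the `OS_RELEASE -eq 2` branch, so on redhat/CentOS `aide --init` now runs without the new database being moved into place. Keep the mv for the `-eq 2` case as well, and run it only when the preceding aide command succeeded.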
@ -339,14 +385,20 @@ done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
HARSUMMARY="/dev/shm/harbian-audit.summary"
printf "%40s\n" "################### SUMMARY ###################" > ${HARSUMMARY}
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" >> ${HARSUMMARY}
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" >> ${HARSUMMARY}
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)" >> ${HARSUMMARY}
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)" >> ${HARSUMMARY}
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" >> ${HARSUMMARY} # No check runned, avoid division by 0
fi
cat ${HARSUMMARY}
cat ${HARSUMMARY} | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"
rm -f ${HARSUMMARY}
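Review bot: HARSUMMARY is a fixed, predictable path in /dev/shm, which is world-writable, and this script runs as root, so the `>` redirection will follow whatever another local account has already placed at /dev/shm/harbian-audit.summary, and two concurrent runs overwrite each other's summary. Create the file with mktemp and remove it in a trap, or build the summary in a variable and send it to both stdout and logger. `cat ${HARSUMMARY} | /usr/bin/logger ...` can also be replaced by logger's -f option.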


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9/CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -30,7 +30,7 @@ audit_debian ()
fi
}
audit_redhat ()
audit_centos ()
{
info "Checking if yum needs an update"
info "Fetching upgrades ..."
@ -47,13 +47,10 @@ audit_redhat ()
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
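Review bot: audit() now sends every OS_RELEASE value other than 2 to audit_debian and drops the explicit unsupported branch that set FNRET=44, so Ubuntu (3) and any unexpected value take the apt path. That relies on hardening.sh having already rejected unknown values; add a short comment saying so, or move this dispatch into a shared helper under lib/ instead of repeating the same if/else in every check script.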
@ -67,7 +64,7 @@ apply_debian ()
fi
}
apply_redhat ()
apply_centos ()
{
if [ $FNRET -eq 100 ]; then
info "Applying Upgrades..."
@ -82,12 +79,10 @@ apply_redhat ()
# This function will be called if the script status is on enabled mode
apply ()
{
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9/CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
@ -19,7 +19,7 @@ YUM_CONF='/etc/yum.conf'
audit_debian ()
{
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
if [ $(grep -v "^#" /etc/apt/ -Ir | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The signature of packages option is disable "
FNRET=1
else
@ -28,7 +28,7 @@ audit_debian ()
fi
}
audit_redhat ()
audit_centos ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONF) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONF | awk -F"=" '{print $2}') -eq 1 ]; then
@ -47,13 +47,10 @@ audit_redhat ()
# This function will be called if the script status is on enabled / audit mode
audit ()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -63,33 +60,34 @@ apply_debian () {
ok "The signature of packages option is enable "
else
warn "Set to enabled signature of packages option"
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -r | grep -v "^#" | awk -F: '{print $1}')
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -Ir | grep -v "^#" | awk -F: '{print $1}')
do
sed -i "/${OPTION}/d" ${CONFFILE}
#sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
backup_file ${CONFFILE}
sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
done
fi
}
apply_redhat () {
apply_centos () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
warn "Set to enabled signature of packages option"
backup_file $YUM_CONF
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONF
else
warn "Add $YUM_OPTION option to $YUM_CONF"
backup_file $YUM_CONF
add_end_of_file $YUM_CONF "$YUM_OPTION=1"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
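Review bot: in apply_debian, `grep -v "^#"` runs on the output of the recursive grep, where every line starts with the file path, so it never filters anything and files that only contain a commented-out option are still processed. The loop also visits a file once per matching line, so backup_file and sed run repeatedly on the same file. Use `grep -Il` with a pattern that skips comment lines so each file name is returned once.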


@ -1,11 +1,12 @@
#!/bin/bash
#
# harbian audit Debian 9/CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
# 1.3 Enable verify the signature of local packages (Scored)
# Dependance pkg: debsig-verify
# Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -29,7 +30,7 @@ audit_debian () {
fi
}
audit_redhat ()
audit_centos ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
@ -48,13 +49,10 @@ audit_redhat ()
# This function will be called if the script status is on enabled / audit mode
audit()
{
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -63,18 +61,20 @@ apply_debian () {
ok "The signature of local packages option is enable "
else
warn "Set to enabled signature of local packages option"
sed -i "/^${OPTION}/d" ${CONFFILE}
#sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
backup_file $CONFFILE
sed -i "s/^${OPTION}/#&/" ${CONFFILE}
fi
}
apply_redhat () {
apply_centos () {
if [ $FNRET = 0 ]; then
ok "The signature of packages option is enable "
elif [ $FNRET = 1 ]; then
backup_file $YUM_CONFFILE
warn "Set to enabled signature of packages option"
sed -i "s/$YUM_OPTION=.*/$YUM_OPTION=1/g" $YUM_CONFFILE
else
backup_file $YUM_CONFFILE
warn "Add $YUM_OPTION option to $YUM_CONFFILE"
add_end_of_file $YUM_CONFFILE "$YUM_OPTION=1"
fi
@ -83,12 +83,10 @@ apply_redhat () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 9/CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
#
#
@ -19,7 +19,7 @@ YUM_OPTION='repo_gpgcheck'
YUM_CONFFILE='/etc/yum.conf'
audit_debian () {
if [ $(grep -v "^#" /etc/apt/ -r | grep -c "${OPTION}.*true") -gt 0 ]; then
if [ $(grep -v "^#" /etc/apt/ -rI | grep -c "${OPTION}.*true") -gt 0 ]; then
crit "The allow insecure repository when by apt update is enable"
FNRET=1
else
@ -28,7 +28,7 @@ audit_debian () {
fi
}
audit_redhat ()
audit_centos ()
{
if [ $(grep -c "^$YUM_OPTION" $YUM_CONFFILE) -gt 0 ]; then
if [ $(grep "^$YUM_OPTION" $YUM_CONFFILE | awk -F"=" '{print $2}') -eq 1 ]; then
@ -46,13 +46,10 @@ audit_redhat ()
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
@ -61,14 +58,14 @@ apply_debian () {
ok "The allow insecure repository when by apt update is disable"
else
warn "Set no allow insecure repository when by apt update"
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -r | grep -v "^#" | awk -F: '{print $1}')
for CONFFILE in $(grep -i "${OPTION}" /etc/apt/ -rI | grep -v "^#" | awk -F: '{print $1}')
do
sed -i "s/${OPTION}.*true.*/${OPTION} \"false\";/g" ${CONFFILE}
done
fi
}
apply_redhat () {
apply_centos () {
if [ $FNRET = 0 ]; then
ok "The signature of repodata option is enable "
elif [ $FNRET = 1 ]; then
@ -82,12 +79,10 @@ apply_redhat () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}
# This function will check config parameters required


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux debian 7/8/9 or CentOS 8 Hardening
#
#
@ -56,10 +56,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
ok "$OPTIONS value is correct in $FILE"
elif [ $FNRET = 1 ]; then
warn "$PACKAGE is not installed, need install."
apt_install $PACKAGE
install_package $PACKAGE
elif [ $FNRET = 2 ]; then
warn "$FILE is not exist, need manual check."
elif [ $FNRET = 3 ]; then
@ -73,7 +73,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 2 ]; then
PACKAGE='pam'
else
:
fi
}
# Source Root Dir Parameter


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -14,45 +14,31 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'
OPTIONS='PASS_MAX_DAYS=60'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$5 > "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
crit "Have least user's maxinum password lifttime is greater than $SSH_VALUE day"
else
ok "All user's maxinum password lifttime is equal or less than $SSH_VALUE day"
fi
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$5 > "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
crit "Have least user's maxinum password lifttime is greater than $SSH_VALUE day"
else
ok "All user's maxinum password lifttime is equal or less than $SSH_VALUE day"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
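Review bot: the shadow check `awk -F: '$5 > "'$SSH_VALUE'" {print $1}'` compares field 5 with a quoted string constant, so awk does a string comparison: with the new value 60, a maximum age of 100 is not reported because "100" sorts before "60". Pass the threshold with `-v max="$SSH_VALUE"` and compare `$5+0 > max+0`. The egrep pattern `^[^:]+:[^\!*]` is also unquoted and subject to shell globbing.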


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -14,45 +14,31 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
OPTIONS='PASS_MIN_DAYS=1'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$4 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
crit "Have least user's mininum password lifttime is not equal or less than $SSH_VALUE day"
else
ok "All user's mininum password lifttime is $SSH_VALUE day"
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$4 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
crit "Have least user's mininum password lifttime is not equal or less than $SSH_VALUE day"
else
ok "All user's mininum password lifttime is $SSH_VALUE day"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
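Review bot: the crit text "mininum password lifttime is not equal or less than $SSH_VALUE day" says the opposite of what the test checks; `$4 < ...` flags accounts whose minimum age is below the required value. Reword it along the lines of "minimum password lifetime is less than $SSH_VALUE day" and fix the spelling in both messages while these lines are being re-indented. The comparison against a quoted string is a string comparison in awk and will misorder values once they have more than one digit.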


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -14,18 +14,12 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
@ -40,18 +34,10 @@ audit () {
else
ok "All user's maxinum password lifttime is equal or less than $SSH_VALUE day"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
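Review bot: the ok message kept at the top of this hunk, "All user's maxinum password lifttime is equal or less than $SSH_VALUE day", belongs to the PASS_MAX_DAYS check; this script audits PASS_WARN_AGE (OPTIONS='PASS_WARN_AGE=7' in the previous hunk), so the text should name the password expiry warning age instead.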


@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -14,40 +14,26 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='ENCRYPT_METHOD=SHA512'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)


@ -1,12 +1,15 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
#
#
# 10.1.5 Ensure inactive password lock is 30 days or less (Scored)
# Author: Samson-W (sccxboy@gmail.com)
# STIG for Ubuntu_16-04_LTS_STIG_V1R2_Manual: INACTIVE=35
# STIG for U_Red_Hat_Enterprise_Linux_7_V2R5: INACTIVE=0
#
#
set -e # One error, it's over
@ -15,19 +18,17 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
OPTIONS='INACTIVE=30'
OPTIONS_CENTOS='INACTIVE=0'
SHA_FILE='/etc/shadow'
DISABLE_V='-1'
FILE='/etc/default/useradd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}')
if [ $INACTIVE_V -eq $DISABLE_V ]; then
crit "INACTIVE feature has disabled."
elif [ $INACTIVE_V -eq 0 ]; then
crit "INACTIVE value has disabled."
elif [ $INACTIVE_V -gt $SSH_VALUE ]; then
crit "INACTIVE value is greater than $SSH_VALUE day"
else
@ -45,8 +46,29 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_centos () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}')
if [ $INACTIVE_V -eq $DISABLE_V ]; then
crit "INACTIVE feature has disabled."
elif [ $INACTIVE_V -eq $SSH_VALUE ]; then
ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
else
crit "All user's INACTIVE value is not set $SSH_VALUE: disables the account as soon as the password has expired"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
audit_debian
fi
}
apply_debian () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM=$SSH_VALUE"
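Review bot: audit_centos only inspects the `useradd -D` default, while apply_centos in the next hunk also rewrites field 7 of /etc/shadow for existing accounts, so an account whose inactive value differs from the required one is changed by apply but never reported by audit. Add the per-account /etc/shadow check to audit_centos so audit and apply cover the same state.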
@ -82,9 +104,58 @@ apply () {
fi
}
apply_centos () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM=$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM=$SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM.*" "$SSH_PARAM=$SSH_VALUE"
fi
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $7}' | wc -w) -eq 0 ]; then
warn "Have least user's INACTIVE password lifttime is not set. Fixing"
for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $1}');
do
chage --inactive $SSH_VALUE $USERNAME
done
else
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
warn "All user's INACTIVE value is not set $SSH_VALUE, fixing it."
for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}');
do
chage --inactive $SSH_VALUE $USERNAME
done
else
ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
apply_debian
fi
}
# This function will check config parameters required
check_config() {
:
if [ $OS_RELEASE -eq 2 ]; then
OPTIONS=$OPTIONS_CENTOS
else
:
fi
}
# Source Root Dir Parameter
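Review bot: in `apply_centos`, the filter `awk -F: '$7 > "'$SSH_VALUE'" {print $1}'` compares field 7 against a quoted string constant, so awk does a string comparison, not a numeric one; a value of 4 would sort above 35 and a value of 100 would sort below it. Pass the limit with `-v max="$SSH_VALUE"` and compare `$7+0 > max+0`. The same `else` branch also skips accounts whose field 7 is empty whenever at least one other account has it set, because the first test only checks that the `wc -w` count is zero; those accounts never reach `chage --inactive`. The `egrep ^[^:]+:[^\!*]` pattern should be quoted so the shell cannot glob-expand it.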

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -33,13 +33,15 @@ audit ()
FNRET=1
else
ok "$NOPASSWD is not set on $FILE, it's ok"
if [ $(grep $NOPASSWD $INCLUDFILE | wc -l) -gt 0 ]; then
crit "$NOPASSWD is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
if [ $(ls $(dirname $INCLUDFILE) | wc -l) -gt 0 ]; then
if [ $(grep $NOPASSWD $INCLUDFILE | wc -l) -gt 0 ]; then
crit "$NOPASSWD is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
fi
fi
}
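Review bot: the new guard `if [ $(ls $(dirname $INCLUDFILE) | wc -l) -gt 0 ]` has no `else`, so when the include directory is empty neither `FNRET=0` nor `FNRET=1` is assigned on this path and `apply` branches on whatever value `FNRET` held before. Set `FNRET=0` right after the `ok "$NOPASSWD is not set on $FILE, it's ok"` line, then let the include check raise it to 1 if needed.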
@ -50,8 +52,12 @@ apply () {
ok "APPLY: $NOPASSWD is not set on $FILE, it's ok"
elif [ $FNRET = 1 ]; then
info "$NOPASSWD is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
backup_file $FILE
chmod 640 $FILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE && chmod 440 $FILE
if [ $(ls $(dirname $INCLUDFILE) | wc -l) -gt 0 ]; then
backup_file $INCLUDFILE
chmod 640 $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $INCLUDFILE && chmod 440 $INCLUDFILE
fi
elif [ $FNRET = 2 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
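Review bot: the `chmod 640 ... && sed -i ... && chmod 440 ...` chains edit sudoers content in place with no syntax check, and because the steps are joined with `&&` a failing `sed` leaves the file at mode 640. Apply the substitution to a temporary copy, validate it with `visudo -c -f`, and only then replace the original, restoring 440 unconditionally. The emptiness test on `$(dirname $INCLUDFILE)` is repeated from `audit`; a small helper would keep the two in step.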

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -17,7 +17,7 @@ HARDENING_LEVEL=3
NOAUTH='!authenticate'
AUTHENTICATE='authenticate'
FILE='/etc/sudoers'
INCLUDFILE='/etc/sudoers.d/*'
INCLUDFILE='/etc/sudoers.d/'
# This function will be called if the script status is on enabled / audit mode
audit ()
@ -33,12 +33,12 @@ audit ()
FNRET=1
else
ok "$NOAUTH is not set on $FILE, it's ok"
if [ $(grep $NOAUTH $INCLUDFILE | wc -l) -gt 0 ]; then
crit "$NOAUTH is set on $INCLUDFILE, it's error conf"
FNRET=1
if [ $(grep $NOAUTH $INCLUDFILE -rh | wc -l) -gt 0 ]; then
crit "$NOAUTH is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOAUTH is not set on $INCLUDFILE, it's ok"
FNRET=0
ok "$NOAUTH is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
fi
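Review bot: `grep $NOAUTH $INCLUDFILE -rh` leaves both variables unquoted and puts the options after the path, which only works with option permutation. It also counts commented-out lines, so a `#`-prefixed example containing `!authenticate` raises `crit`. Prefer `grep -rhF -- "$NOAUTH" "$INCLUDFILE"` and filter out lines starting with `#` before counting.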
@ -50,8 +50,8 @@ apply () {
ok "APPLY: $NOAUTH is not set on $FILE, it's ok"
elif [ $FNRET = 1 ]; then
info "$NOAUTH is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOAUTH/$AUTHENTICATE/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
backup_file $FILE ${INCLUDFILE}/*
chmod 640 $FILE ${INCLUDFILE}/* && sed -i -e "s/$NOAUTH/$AUTHENTICATE/g" $FILE ${INCLUDFILE}/* && chmod 440 $FILE ${INCLUDFILE}/*
elif [ $FNRET = 1 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
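Review bot: the last branch tests `elif [ $FNRET = 1 ]` a second time, so the `warn "$FILE is not exist! ..."` message is unreachable; it presumably should test `2`, as the NOPASSWD check does. In the changed lines, `${INCLUDFILE}/*` stays a literal string when `/etc/sudoers.d/` is empty, which makes `backup_file`, `chmod` and `sed` fail on a non-existent path; guard the include part with a check that the glob matched at least one file.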

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian-audit for Debian GNU/Linux debian 9 or CentOS 8 Hardening
#
#
@ -14,19 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='libpam-modules'
PAMLIBNAME='pam_faildelay.so'
PATTERN='^auth.*pam_faildelay.so'
FILE='/etc/pam.d/login'
OPTIONNAME='delay'
# condition (microseconds)
CONDT_VAL=4000000
# This function will be called if the script status is on enabled / audit mode
audit () {
audit_debian () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
@ -49,13 +37,41 @@ audit () {
fi
}
# This function will be called if the script status is on enabled mode
apply () {
audit_centos () {
SSH_PARAM=$(echo $OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*[[:digit:]]*"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$SSH_PARAM is present in $FILE"
if [ $(grep $PATTERN $FILE | awk '{print $2}') -ge 4 ]; then
ok "$SSH_PARAM is set least four seconds between logon prompts following a failed console logon attempt"
FNRET=0
else
crit "$SSH_PARAM is not set least four seconds between logon prompts following a failed console logon attempt"
FNRET=2
fi
else
crit "$PATTERN is not present in $FILE"
FNRET=1
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
audit_debian
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
elif [ $FNRET = 1 ]; then
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
install_package $PACKAGE
elif [ $FNRET = 2 ]; then
crit "$PATTERN is not present in $FILE, add default config to $FILE"
add_line_file_before_pattern $FILE "auth optional pam_faildelay.so delay=4000000" "# Outputs an issue file prior to each login prompt (Replaces the"
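Review bot: in `audit_centos`, `[ $(grep $PATTERN $FILE | awk '{print $2}') -ge 4 ]` breaks in two ways. `PATTERN` ends in `[[:digit:]]*`, so a line with the parameter name and no value still matches and the substitution is empty; and if the parameter appears on more than one line the substitution yields several words. Either case makes `[` fail with a syntax error and the check lands in the `FNRET=2` branch for the wrong reason. Quote `"$PATTERN"`, require `[[:digit:]]+` with `grep -E`, take only the last match, and compare against `$SSH_VALUE` instead of the literal `4`.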
@ -70,9 +86,45 @@ apply () {
fi
}
apply_centos () {
if [ $FNRET = 0 ]; then
ok "$SSH_PARAM is set least four seconds between logon prompts following a failed console logon attempt"
elif [ $FNRET = 1 ]; then
warn "$PATTERN is not present in $FILE, adding it"
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
elif [ $FNRET = 2 ]; then
warn "Parameter $SSH_PARAM is present but less than $SSH_VALUE -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
else
:
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
apply_debian
fi
}
# This function will check config parameters required
check_config() {
:
# CentOS
if [ $OS_RELEASE -eq 2 ]; then
OPTION='FAIL_DELAY=4'
FILE='/etc/login.defs'
# Debian
else
PACKAGE='libpam-modules'
PAMLIBNAME='pam_faildelay.so'
PATTERN='^auth.*pam_faildelay.so'
FILE='/etc/pam.d/login'
OPTIONNAME='delay'
# condition (microseconds)
CONDT_VAL=4000000
fi
}
# Source Root Dir Parameter
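Review bot: `apply_centos` reads `SSH_PARAM`, `SSH_VALUE` and `PATTERN`, but those are only assigned inside `audit_centos`; with `set -u` in effect the script aborts if `apply` is ever reached without `audit` having run first. Derive them from `OPTION` in `check_config`, next to the `OPTION='FAIL_DELAY=4'` assignment, so both functions see the same values.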

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux debian 7/8/9 or CentOS 8 Hardening
#
#
@ -14,17 +14,11 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='CREATE_HOME=yes'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
@ -36,18 +30,10 @@ audit () {
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -20,7 +20,7 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if admin accounts have a login shell different than $SHELL"
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false" && $7!="/sbin/nologin") {print}')
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -21,6 +21,11 @@ FILES='/etc/motd /etc/issue /etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
warn "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s|Debian)'
PATTERN='(\\v|\\r|\\m|\\s|Debian|CentOS)'
# This function will be called if the script status is on enabled / audit mode
audit () {

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -28,14 +28,20 @@ audit () {
crit "Some suid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
FNRET=1
else
ok "No unknown suid files found"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
warn "Removing suid on valid binary may seriously harm your system, report only here, need a manual fix."
if [ $FNRET = 1 ]; then
warn "Removing suid on valid binary may seriously harm your system, report only here, need a manual fix."
else
ok "No unknown suid files found"
fi
}
# This function will create the config file for this check with default values

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -29,14 +29,20 @@ audit () {
crit "Some sgid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
FNRET=1
else
ok "No unknown sgid files found"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing sgid on valid binary may seriously harm your system, report only here"
if [ $FNRET = 1 ]; then
warn "Removing sgid on valid binary may seriously harm your system, report only here"
else
ok "No unknown sgid files found"
fi
}
# This function will create the config file for this check with default values

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group-'
PERMISSIONS='600'
PERMISSIONS='644'
USER='root'
GROUP='root'
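Review bot: changing `PERMISSIONS` from `'600'` to `'644'` loosens the expected mode of `/etc/group-`, and nothing in the hunk says why. Add a comment naming the benchmark item or distribution default this follows, and confirm that a system already at the stricter 600 is still reported as compliant rather than flagged.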

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,12 +15,20 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/gshadow-'
PERMISSIONS='600'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'
GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
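Review bot: the `if [ $OS_RELEASE -eq 2 ]` override of `PERMISSIONS` and `GROUP` is pasted into both `audit` and `apply`, with an empty `else :` branch each time. Move it into `check_config`, as the other checks in this change set do for their CentOS options, so the two functions cannot drift apart. `PERMISSIONS_CENTOS='0'` also deserves a comment on the format the permission helper compares against, since a single `0` and `000` are not the same string.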
@ -37,6 +45,12 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -16,11 +16,19 @@ HARDENING_LEVEL=1
FILE='/etc/shadow'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'
GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
@ -37,6 +45,12 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -16,11 +16,19 @@ HARDENING_LEVEL=1
FILE='/etc/gshadow'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'
GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
@ -37,6 +45,12 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd-'
PERMISSIONS='600'
PERMISSIONS='644'
USER='root'
GROUP='root'

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#
#
@ -15,12 +15,20 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow-'
PERMISSIONS='600'
PERMISSIONS='640'
PERMISSIONS_CENTOS='0'
USER='root'
GROUP='shadow'
GROUP_CENTOS='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
@ -37,6 +45,12 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 2 ]; then
PERMISSIONS=$PERMISSIONS_CENTOS
GROUP=$GROUP_CENTOS
else
:
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"

View File

@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.7 Find World Writable Files (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
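Review bot: dropping `set -e` from the header disables fail-fast for the entire script, not just for one command. If the aim is to tolerate a non-zero exit from a single command such as a filesystem scan, keep `set -e` and handle that command locally (append `|| true` or capture its status), so unrelated failures still stop the check.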

View File

@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.8 Find Un-owned Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2

View File

@ -1,14 +1,13 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#
#
# 12.9 Find Un-grouped Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -23,7 +23,7 @@ audit () {
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" -a "$DIR" != '/' ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
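Review bot: the extended test `[ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" -a "$DIR" != '/' ]` still expands `$USERID` and `$USER` unquoted and chains four conditions with `-a`, which is ambiguous to parse and fails with a syntax error when either field is empty. Split it into separate `[ ... ] && [ ... ]` tests with every expansion quoted. The same line is duplicated in `apply`, so the fix belongs in both places.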
@ -40,7 +40,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" -a "$DIR" != '/' ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
warn "The home directory ($DIR) of user $USER is owned by $OWNER."

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -19,33 +19,49 @@ PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
crit "Some users belong to shadow group: $RESULT"
else
ok "No user belongs to shadow group"
fi
if [ $OS_RELEASE -eq 1 ]; then
does_pattern_exist_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
crit "Some users belong to shadow group: $RESULT"
FNRET=1
else
ok "No user belongs to shadow group"
FNRET=0
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
else
ok "No user has shadow id as their primary group"
fi
else
crit "shadow group doesn't exist"
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
FNRET=2
else
ok "No user has shadow id as their primary group"
FNRET=0
fi
else
crit "shadow group doesn't exist"
FNRET=3
fi
elif [ $OS_RELEASE -eq 2 ]; then
ok "shadow group doesn't exist in CentOS 8"
FNRET=0
else
:
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically users/groups may seriously harm your system, report only here"
if [ $FNRET = 0 ]; then
ok "Pass."
else
warn "Editing automatically users/groups may seriously harm your system, report only here"
fi
}
# This function will check config parameters required
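Review bot: in `audit`, the second check overwrites the result of the first. If users are listed in the shadow group, `FNRET=1` is set, but the primary-group check that follows assigns `FNRET=0` when it finds nothing, and `apply` then prints `ok "Pass."` despite the earlier `crit`. Initialise `FNRET=0` once at the top and only ever raise it in the failing branches.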

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -62,7 +62,11 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
warn "Editing items from PATH may seriously harm your system, report only here, need a manual fix."
if [ $ERRORS = 0 ]; then
ok "root PATH is secure"
else
warn "Editing items from PATH may seriously harm your system, report only here, need a manual fix."
fi
}
# This function will check config parameters required

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#
@ -17,7 +17,7 @@ ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@ -56,7 +56,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -0,0 +1,124 @@
#!/bin/bash
#
# harbian-audit for Debian GNU/Linux 9/10/11/12 Hardening
# Author: Samson-W (samson@hardenedlinux.org)
#
#
# 14.1 Defense for NAT Slipstreaming (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=sechardened
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
BLACKLIST_CONF_ITEMS='nf_nat_sip nf_conntrack_sip'
SYSCTL_PARAM='net.netfilter.nf_conntrack_helper'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
check_blacklist_module_set $BLACKLIST_CONF
if [ $FNRET = 0 ]; then
ok "$BLACKLIST_CONF was set to blacklist"
else
crit "$BLACKLIST_CONF is not set to blacklist"
fi
done
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
else
crit "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, connection tracking may not be enabled, so please determine the risk yourself."
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
for BLACKLIST_CONF in $BLACKLIST_CONF_ITEMS; do
check_blacklist_module_set $BLACKLIST_CONF
if [ $FNRET = 0 ]; then
ok "$BLACKLIST_CONF was set to blacklist"
else
warn "$BLACKLIST_CONF is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $BLACKLIST_CONF /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $BLACKLIST_CONF /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $BLACKLIST_CONF"
fi
fi
done
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w $SYSCTL_PARAM=$SYSCTL_EXP_RESULT > /dev/null
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
else
warn "/proc/sys/net/netfilter/nf_conntrack_helper is not exist, just set $SYSCTL_PARAM = $SYSCTL_EXP_RESULT to /etc/sysctl.conf"
if [ $(grep "^$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" /etc/sysctl.conf | wc -l) -eq 0 ]; then
echo "$SYSCTL_PARAM = $SYSCTL_EXP_RESULT" >> /etc/sysctl.conf
else
:
fi
fi
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
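Review bot: in both `audit` and `apply`, the branch `elif [ $FNRET = 255 ]` can never run because the preceding `if [ $FNRET != 0 ]` already catches 255. Test for 255 first so a missing sysctl key is reported as such, and in `apply` is not "fixed" by calling `set_sysctl_param` and `sysctl -w` on a key that does not exist. The fallback that appends to `/etc/sysctl.conf` also only recognises the exact spelling `$SYSCTL_PARAM = $SYSCTL_EXP_RESULT`, so an existing entry without spaces around `=` gets a second line appended.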

View File

@ -1,46 +1,58 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 9/10/11 Hardening
#
#
# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
# 14.2 To ensure there are no files permissions are set to 777 (Scored)
# Author: Samson-W (samson@hardenedlinux.org) author add this
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SERVICE_NAME="rsyslog"
PACKAGE_NG='syslog-ng'
HARDENING_EXCEPTION=sechardened
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE_NG
if [ $FNRET = 0 ]; then
ok "$PACKAGE_NG has installed, so pass."
FNRET=0
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
info "Ensure default and local facilities are preserved on the system"
info "No measure here, please review the file by yourself"
ABUSECOUNT=$(find / -xdev -type f -perm -777 | wc -l )
if [ $ABUSECOUNT -gt 0 ]; then
crit "$ABUSECOUNT files abuse the 777 permission."
FNRET=1
else
ok "There are no files that abuse 777 permissions."
FNRET=0
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE_NG
if [ $FNRET = 0 ]; then
ok "$PACKAGE_NG has installed, so pass."
FNRET=0
if [ $ISEXCEPTION -eq 1 ]; then
warn "Exception is set to 1, so it's pass!"
else
info "Ensure default and local facilities are preserved on the system"
info "No measure here, please review the file by yourself"
if [ $FNRET -eq 0 ]; then
ok "There are no files that abuse 777 permissions."
else
warn "Some files abuse 777 permissions. Please check and correct yourself!"
fi
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
ISEXCEPTION=0
EOF
}
# This function will check config parameters required
check_config() {
:
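Review bot: `find / -xdev -type f -perm -777 | wc -l` only reports a count and, because of `-xdev`, only covers the filesystem mounted at `/`; files on separately mounted `/home`, `/var` or `/tmp` are never examined. Log the matching paths (at `debug` level at least) so the `warn "... Please check and correct yourself!"` in `apply` is actionable, and either iterate over local mount points or document the limitation. `apply` also depends on `FNRET` left behind by `audit`. The header line ends with a stray "author add this".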

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

View File

@ -1,14 +1,14 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
#
set -e # One error, it's over
#set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2

View File

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
@ -21,22 +23,40 @@ MODULE_NAME="cramfs"
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
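
Review bot: In apply(), the `if [ -w $HARBIAN_SEC_CONF_FILE ]` test has two branches that append the same two lines, and the else branch is also taken when the file exists but is not writable, in which case `touch` and both appends are attempted anyway. Test for existence, create the file if it is missing, then call add_end_of_file for the `install` and `blacklist` lines once, and quote the variable inside the test.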

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,6 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
@ -21,22 +23,40 @@ MODULE_NAME="freevxfs"
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
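
Review bot: The writable branch of apply() appends `blacklist $MODULE_NAME` before `install $MODULE_NAME /bin/true`, while the else branch of the same test uses the opposite order. modprobe does not depend on the order, but a single pair of add_end_of_file calls after an optional `touch` keeps the generated file uniform and removes the chance of the two branches drifting apart.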

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -18,7 +18,7 @@ HARDENING_LEVEL=2
PARTITION="/tmp"
SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
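
Review bot: After the rename this block holds two Debian paths with different values, `SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"` and `DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"`, next to CENTOS_SERVICEPATH. The near-identical names are easy to swap by mistake; add a comment stating what each path is used for, or rename one of them so the purpose is in the name.
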
@ -75,12 +75,12 @@ apply () {
fi
fi
elif [ $OS_RELEASE -eq 2 ]; then
if [ -e $REDHAT_SERVICEPATH ]; then
if [ -e $CENTOS_SERVICEPATH ]; then
$SUDO_CMD systemctl enable "$SERVICENAME"
$SUDO_CMD systemctl daemon-reload
$SUDO_CMD systemctl start "$SERVICENAME"
else
crit "System unit file $REDHAT_SERVICEPATH is not exist!"
crit "System unit file $CENTOS_SERVICEPATH is not exist!"
fi
fi
fi

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
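
Review bot: audit() now reports ok whenever check_blacklist_module_set succeeds, while apply() writes two lines, `install $MODULE_NAME /bin/true` and `blacklist $MODULE_NAME`. A `blacklist` entry only stops alias-based autoloading and still allows an explicit modprobe of the module, so the audit should pass only when the `install` line is present. check_blacklist_module_set is not part of this hunk; please confirm that it verifies that line and say so in the function's comment.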

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
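
Review bot: Neither audit() nor apply() looks at whether $MODULE_NAME is loaded at the moment; apply() only appends to $HARBIAN_SEC_CONF_FILE, which takes effect on the next load attempt. Consider reporting a currently loaded module in audit(), so that an ok result reflects the running system and not only the modprobe configuration.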

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
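
Review bot: The `recompile your kernel please` warning in apply() appears to be replaced by the modprobe path, so every enabled $KERNEL_OPTION is now handled through $HARBIAN_SEC_CONF_FILE. That works for a modular build but has no effect when the filesystem is compiled into the kernel. Please document what is_kernel_option_enabled returns for the built-in case now that it also receives $MODULE_NAME, and keep a crit for that case if it still returns 0.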

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required

@ -1,7 +1,8 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
#
@ -13,30 +14,48 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2
HARBIAN_SEC_CONF_FILE='/etc/modprobe.d/harbian-security-workaround.conf'
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
crit "$MODULE_NAME is not set to blacklist"
fi
else
ok "$KERNEL_OPTION is disabled"
ok "$MODULE_NAME's kernel option is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
debug "$MODULE_NAME's kernel option is enabled"
check_blacklist_module_set $MODULE_NAME
if [ $FNRET = 0 ]; then
ok "$MODULE_NAME was set to blacklist"
else
warn "$MODULE_NAME is not set to blacklist, add to config file $HARBIAN_SEC_CONF_FILE"
if [ -w $HARBIAN_SEC_CONF_FILE ]; then
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
else
touch $HARBIAN_SEC_CONF_FILE
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "install $MODULE_NAME /bin/true"
add_end_of_file "$HARBIAN_SEC_CONF_FILE" "blacklist $MODULE_NAME"
fi
fi
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -48,10 +48,11 @@ apply () {
info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME
systemctl disable $SERVICE_NAME
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then
uninstall_pkg $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
:
fi
else
info "Disabling $SERVICE_NAME"
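
Review bot: The new `if [ $FNRET = 0 ]; then` block around `uninstall_pkg $SERVICE_NAME` carries an else branch that contains only `:`; drop that branch. The Debian path used to run `apt-get -y purge --autoremove $SERVICE_NAME`, and uninstall_pkg is not shown here, so please confirm it still purges configuration files and never prompts, and note that in the helper's comment.
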
@ -59,12 +60,14 @@ apply () {
fi
else
ok "$SERVICE_NAME is disabled"
if [ $OS_RELEASE -eq 2 ]; then
yum -y autoremove $SERVICE_NAME
is_pkg_installed $SERVICE_NAME
if [ $FNRET = 0 ]; then
uninstall_pkg $SERVICE_NAME
else
apt-get -y purge --autoremove $SERVICE_NAME
:
fi
fi
else
ok "$SERVICE_NAME is not installed"
fi

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 9 Hardening
# harbian-audit for Debian GNU/Linux 9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="nodev"
SERVICENAME="tmp.mount"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATHa
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
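
Review bot: In audit(), the CentOS branch assigns `UNITSERVICEPATH=$CENTOS_SERVICEPATHa`; the trailing `a` makes this an undefined variable, so UNITSERVICEPATH ends up empty, or the script aborts if `set -u` is active. With an empty unquoted value the following `[ -e $UNITSERVICEPATH ]` collapses to `[ -e ]`, which is true, and has_mount_option_systemd is then called without a unit path. The assignment should read `UNITSERVICEPATH=$CENTOS_SERVICEPATH`, as in apply(), and the variable should be quoted in the test.
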
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="nosuid"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit Debian 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux Debian 7/8/9/10/11/12 or CentOS Hardening
# Modify by: Samson-W (sccxboy@gmail.com)
#
@ -19,7 +19,7 @@ PARTITION="/tmp"
OPTION="noexec"
SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount"
SERVICENAME="tmp.mount"
REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
CENTOS_SERVICEPATH="/usr/lib/systemd/system/tmp.mount"
DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount"
# This function will be called if the script status is on enabled / audit mode
@ -47,10 +47,10 @@ audit () {
fi
else
warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service"
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ -e $UNITSERVICEPATH ]; then
has_mount_option_systemd $UNITSERVICEPATH $OPTION
@ -77,10 +77,10 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$CENTOS_SERVICEPATH
else
UNITSERVICEPATH=$DEBIAN_SERVICEPATH
elif [ $OS_RELEASE -eq 2 ]; then
UNITSERVICEPATH=$REDHAT_SERVICEPATH
fi
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS Hardening
#Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -37,7 +37,7 @@ audit_debian () {
fi
}
audit_redhat () {
audit_centos () {
is_service_active $SERVICE_NAME
if [ $FNRET -eq 0 ]; then
crit "$SERVICE_NAME is actived"
@ -50,13 +50,10 @@ audit_redhat () {
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
if [ $OS_RELEASE -eq 2 ]; then
audit_centos
else
crit "Current OS is not support!"
FNRET=44
audit_debian
fi
}
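
Review bot: audit() used to end in an explicit branch for unknown systems, `crit "Current OS is not support!"` with `FNRET=44`; the new form sends every OS_RELEASE value other than 2 to audit_debian. If OS_RELEASE can hold a value for an unsupported or undetected system, that case now runs the Debian check and reports its result as if it were valid. Keep a guard for it, or add a comment stating that OS_RELEASE is always 1 or 2 by the time audit() runs.
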
@ -80,7 +77,7 @@ apply_debian () {
}
apply_redhat () {
apply_centos () {
if [ $FNRET -eq 1 ]; then
info "Disabling $SERVICE_NAME"
systemctl stop $SERVICE_NAME
@ -92,12 +89,10 @@ apply_redhat () {
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
if [ $OS_RELEASE -eq 2 ]; then
apply_centos
else
crit "Current OS is not support!"
apply_debian
fi
}

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
# harbian-audit for Debian GNU/Linux 7/8/9 Hardening
#
#

@ -1,7 +1,7 @@
#!/bin/bash
#
# harbian audit 7/8/9/10 or CentOS Hardening
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)
#
@ -33,7 +33,7 @@ apply () {
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
"$(which $PACKAGE)" -ua
yum autoremove $PACKAGE -y
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi
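
Review bot: In this branch of apply() the undo step locates the binary with `"$(which $PACKAGE)" -ua`, while the next branch calls `/usr/sbin/prelink -ua` directly. If `which` prints nothing, the shell tries to run an empty command name. Resolve the path once (for example with `command -v`), skip the undo step with a warning when it is missing, and use the same code in both branches before calling uninstall_pkg.
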
@ -41,8 +41,7 @@ apply () {
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
uninstall_pkg $PACKAGE
else
ok "$PACKAGE is absent"
fi

Some files were not shown because too many files have changed in this diff.