Merge pull request #1 from CISOfy/master

Sync with CISOfy/lynis
silentcreek 2020-10-10 14:59:03 +02:00 committed by GitHub
commit b069d4cda8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 6914 additions and 2682 deletions

.github/workflows/stale.yml vendored Normal file

@ -0,0 +1,21 @@
name: Mark stale issues and pull requests
on:
schedule:
- cron: "0 0 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
stale-pr-message: 'Stale pull request message'
stale-issue-label: 'no-issue-activity'
stale-pr-label: 'no-pr-activity'
days-before-stale: 14
days-before-close: 90
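Review bot: the stale-issue-message and stale-pr-message values ('Stale issue message', 'Stale pull request message') are the placeholder strings from the action template, so reporters will receive a comment that explains nothing; replace them with the actual policy, e.g. stale-issue-message: 'This issue has had no activity for 14 days and will be closed after 90 more days unless it is updated.' Since the workflow runs with repo-token: ${{ secrets.GITHUB_TOKEN }}, also consider pinning actions/stale to a specific release or commit SHA instead of the floating v1 major tag.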


@ -1,12 +1,322 @@
# Lynis Changelog # Lynis Changelog
## Lynis 2.7.2 (not released yet) ## Lynis 3.0.1 (2020-10-05)
### Added ### Added
- Support for end-of-life detection of the operating system - Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
### Changed
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Several minor code enhancements
--------------------------------------------------------------------------------- ---------------------------------------------------------------------------------
## Lynis 3.0.0 (2020-06-18)
This is a major release of Lynis and includes several big changes.
Some of these changes may break your current usage of the tool, so test before
deployment!
### Security issues
This release resolves two security issues
* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
* CVE-2019-13033 - Discovered by Sander Bos
### Breaking change: Non-interactive by default
Lynis now runs non-interactive by default, to be more in line with the Unix
philosophy. So the previously used '--quick' option is now default, and the tool
will only wait when using the '--wait' option.
### Breaking change: Deprecated options
- Option: -c
- Option: --check-update/--info
- Option: --dump-options
- Option: --license-key
### Breaking change: Profile options
The format of all profile options are converted (from key:value to key=value).
You may have to update the changes you made in your custom.prf.
### Security
An important focus area for this release is on security. We added several
measures to further tighten any possible misuse.
## New: DevOps, Forensics, and pentesting mode
This release adds initial support to allow defining a specialized type of audit.
Using the relevant options, the scan will change base on the intended goal.
### Added
- Security: test PATH and warn or exit on discovery of dangerous location
- Security: additional safeguard by testing if common system tools are available
- Security: test parameters and arguments for presence of control characters
- Security: filtering out unexpected characters from profiles
- Security: test if setuid bit is set on Lynis binary
- New function: DisplayException
- New function: DisplayWarning
- New function: Equals
- New function: GetReportData
- New function: HasCorrectFilePermissions
- New function: Readonly
- New function: SafeFile
- New function: SafeInput
- New option: --usecwd - run from the current working directory
- New profile option: disable-plugin - disables a single plugin
- New profile option: ssl-certificate-paths-to-ignore - ignore a path
- New test: AUTH-9229 - check used password hashing methods
- New test: AUTH-9230 - check group password hashing rounds
- New test: BOOT-5109 - test presence rEFInd boot loader
- New test: BOOT-5264 - run systemd-analyze security
- New test: CRYP-7930 - test for LUKS encryption
- New test: CRYP-7931 - determine if system uses encrypted swap
- New test: CRYP-8004 - presence of hardware random number generator
- New test: CRYP-8005 - presence of software random number generator
- New test: DBS-1828 - PostgreSQL configuration files
- New test: FILE-6394 - test virtual memory swappiness (Linux)
- New test: FINT-4316 - presence of AIDE database and size test
- New test: FINT-4340 - check dm-integrity status (Linux)
- New test: FINT-4341 - verify status of dm-verity (Linux)
- New test: INSE-8314 - test for NIS client
- New test: INSE-8316 - test for NIS server
- New test: NETW-2400 - test hostname for valid characters and length
- New test: NETW-2706 - check DNSSEC (systemd)
- New test: NETW-3200 - determine enabled network protocols
- New test: PHP-2382 - detect listen option in PHP (FPM)
- New test: PROC-3802 - check presence of prelink tooling
- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
- New test: TIME-3181 - check status of OpenNTPD time synchronisation
- New test: TIME-3182 - check OpenNTPD has working peers
- New report key: openssh_daemon_running
- New command: lynis generate systemd-units
- Sending USR1 signal to Lynis process will show active status
- Measure timing of tests and report slow tests (10+ seconds)
- Initial support for Clear Linux OS
- Initial support for PureOS
- Support for X Binary Package (xbps)
- Added end-of-life data for Arch Linux and Debian
- Detection and end-of-life data added for Amazon Linux
- Detection of linux-lts on Arch Linux
- Translations: Russian added
### Changed
- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
- Function: IsRunning supports the --user flag to define a related user
- Function: PackageIsInstalled extended with pacman support
- Profiles: unused options removed
- Profiles: message is displayed when old format "key:value" is used
- Binaries: skip pacman when it is the game instead of package manager
- Security: the 'nounset' (set -u) parameter is now activated by default
- AUTH-9228 - HP-UX support
- AUTH-9234 - NetBSD support
- AUTH-9252 - corrected permission check
- AUTH-9266 - skip .pam-old files in /etc/pam.d
- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
- AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins
- AUTH-9489 - test removedd as it is merged with AUTH-9218
- BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output
- CRYP-7902 - optionally check also certificates provided by packages
- CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6310 - support for HP-UX
- FILE-6330 - corrected description
- FILE-6374 - changed log and allow root location to be changed
- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
- FILE-6430 - minor code improvements and show suggestion with more details
- FILE-7524 - optimized file permissions testing
- FINT-4328 - corrected text in log
- FINT-4334 - improved process detection for lfd
- HOME-9304 - improved selection for normal users
- HOME-9306 - improved selection for normal users
- INSE-8050 - added com.apple.ftp-proxy and improved text output
- INSE-8050 - corrected function call for showing suggestion
- INSE-8116 - added rsync service
- INSE-8314 - changed text of suggestion
- INSE-8318 - test for TFTP client tools
- INSE-8320 - test for TFTP server tools
- INSE-8342 - renamed to INSE-8304
- KRNL-5788 - don't complain about missing /vmlinuz for Raspi
- KRNL-5820 - extended check to include limits.d directory
- KRNL-5830 - skip test partially when running non-privileged
- KRNL-5830 - detect required reboots on Raspbian
- LOGG-2154 - added support for rsyslog configurations
- LOGG-2190 - skip mysqld related entries
- MACF-6234 - SELinux tests extended
- MAIL-8804 - replaced static strings with translation-aware strings
- MALW-3280 - Kaspersky detection added
- MALW-3280 - CrowdStrike falcon-sensor detection added
- NAME-4402 - check if /etc/hosts exists before performing test
- NAME-4404 - improved screen and log output
- NAME-4408 - corrected Report function call
- NETW-3032 - small rewrite of test and extended with addrwatch
- PHP-2372 - don't look in the cli configuration files
- PKGS-7388 - only perform check for Debian/Ubuntu/Mint
- PKGS-7410 - use multiple package managers when available
- PKGS-7410 - added support for Zypper to test number of kernels
- PRNT-2308 - check also for Port and SSLListen statements
- PROC-3602 - allow different root directory
- PROC-3612 - show 'Not found' instead of 'OK'
- PROC-3614 - show 'Not found' instead of 'OK'
- PROC-3802 - limit to Linux only (prelink package check)
- SCHD-7702 - removed hardening points
- SINT-7010 - limit test to only macOS systems
- SSH-7402 - detect other SSH daemons like dropbear
- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
- SSH-7408 - changed text in suggestion and report
- SSH-7408 - added forced-commands-only option
- SSH-7408 - VerifyReverseMapping removed (deprecated)
- SSH-7408 - corrected OpenSSH server version check
- STRG-1840 - renamed to USB-1000
- STRG-1842 - added default authorized devices and renamed to USB-2000
- TIME-3104 - use find to discover files in cron directories
- TOOL-5002 - differentiate between a discovered binary and running process
- TOOL-5160 - added support for OSSEC agent daemon
- Perform additional check to ensure pacman package manager is used
- Use 'pre-release/release' (was: 'dev/final') with 'lynis show release'
- Use only locations from PATH environment variable, unless it is not defined
- Show tip to use 'lynis generate hostids' when host IDs are missing
- The 'show changelog' command works again for newer versions
- Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported)
- Corrected end-of-life detection for CentOS 7 and CentOS 8
- Tests can require detected package manager (--package-manager-required)
- Do not show tool tips when quiet option is used
- Improved screen output in several tests
- Extended output of 'lynis update info'
- Improved support for NetBSD
- Test if profiles are readable
- systemd service file adjusted
- bash completion script extended
- Updated man page
---------------------------------------------------------------------------------
## Lynis 2.7.5 (2019-06-24)
### Added
- Danish translation
- Slackware end-of-life information
- Detect BSD-style (rc.d) init in Linux systems
- Detection of Bro and Suricata (IDS)
### Changed
- Corrected end-of-life entries for CentOS 5 and 6
- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
- AUTH-9268 - AIX enhancement to use correct find statement
- FILE-6310 - Filter on correct field for AIX
- NETW-3012 - set ss command as preferred option for Linux and changed output format
- List of PHP ini file locations has been extended
- Removed several pieces of the code as part of cleanup and code health
- Extended help
---------------------------------------------------------------------------------
## Lynis 2.7.4 (2019-04-21)
This is a bigger release than usual, including several new tests created by
Capashenn (GitHub). It is a coincidence that it is released exactly one month
after the previous version and on Easter. No easter eggs, only improvements!
### Added
- FILE-6324 - Discover XFS mount points
- INSE-8000 - Installed inetd package
- INSE-8100 - Installed xinetd package
- INSE-8102 - Status of xinet daemon
- INSE-8104 - xinetd configuration file
- INSE-8106 - xinetd configuration for inactive daemon
- INSE-8200 - Usage of TCP wrappers
- INSE-8300 - Presence of rsh client
- INSE-8302 - Presence of rsh server
- Detect equery binary detection
- New 'generate' command
### Changed
- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
- PKGS-7420 - Detect toolkit to automatically download and apply upgrades
- PKGS-7328 - Added global Zypper option --non-interactive
- PKGS-7330 - Added global Zypper option --non-interactive
- PKGS-7386 - Only show warning when vulnerable packages were discovered
- PKGS-7392 - Skip test for Zypper-based systems
- Minor changes to improve text output, test descriptions, and logging
- Changed CentOS identifiers in end-of-life database
- AIX enhancement for IsRunning function
- Extended PackageIsInstalled function
- Improve text output on AIX systems
- Corrected lsvg binary detection
---------------------------------------------------------------------------------
## Lynis 2.7.3 (2019-03-21)
### Added
- Detection for Lynis being scheduled (e.g. cronjob)
### Changed
- HTTP-6624 - Improved logging for test
- KRNL-5820 - Changed color for default fs.suid_dumpable value
- LOGG-2154 - Adjusted test to search in configuration file correctly
- NETW-3015 - Added support for ip binary
- SQD-3610 - Description of test changed
- SQD-3613 - Corrected description in code
- SSH-7408 - Increased values for MaxAuthRetries
- Improvements to allow tailored tool tips in future
- Corrected detection of blkid binary
- Minor textual changes and cleanups
---------------------------------------------------------------------------------
## Lynis 2.7.2 (2019-03-07)
### Added
- AUTH-9409 - Support for doas (OpenBSD)
- AUTH-9410 - Test file permissions of doas configuration
- BOOT-5117 - Support for systemd-boot boot loader added
- BOOT-5177 - Simplify service filter and allow multiple dots in service names
- BOOT-5262 - Check OpenBSD boot daemons
- BOOT-5263 - Test permissions for boot files and scripts
- Support for end-of-life detection of the operating system
- New 'lynis show eol' command
- Korean translation
### Changed
- AUTH-9252 - Adds support for files in sudoers.d
- AUTH-9252 - Test extended to check file and directory ownership
- BOOT-5122 - Use NONE instead of WARNING if no password is set
- FIRE-4540 - Modify test to better measure rules
- KRNL-5788 - Resolve false positive warning on missing /vmlinuz
- NETW-2704 - Ignore inline comments in /etc/resolv.conf
- PKGS-7388 - Improve detection for security archive
- RPi/Raspian path to PAM_FILE_LOCATIONS
---------------------------------------------------------------------------------
## Lynis 2.7.1 (2019-01-30) ## Lynis 2.7.1 (2019-01-30)
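Review bot: several typos in the added entries should be fixed while this file is being rewritten: 'nonexistant' (FILE-6430) should be 'nonexistent', 'removedd' (AUTH-9489) should be 'removed', 'Raspian' (2.7.2 Changed) should be 'Raspbian', 'the scan will change base on the intended goal' should read 'changes based on', and 'The format of all profile options are converted' should read 'is converted'. The heading '## New: DevOps, Forensics, and pentesting mode' is level 2 inside the 3.0.0 release block while its siblings ('### Security', '### Added') are level 3, so it renders as a separate release section; make it '###'.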
@ -2708,10 +3018,10 @@ Lynis 1.1.7 (2008-06-28)
- Added dig availability check to DNS test [NETW-2704] - Added dig availability check to DNS test [NETW-2704]
- Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512] - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512]
- Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384] - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384]
- Bugfix: Fixed prequisits for grpck test [AUTH-9216] - Bugfix: Fixed prerequisites for grpck test [AUTH-9216]
- Improved MySQL check [DBS-1804] - Improved MySQL check [DBS-1804]
- Changed color at chkconfig boot services test [BOOT-5177] - Changed color at chkconfig boot services test [BOOT-5177]
- Added missing prequisits output to portaudit test [PKGS-7382] - Added missing prerequisites output to portaudit test [PKGS-7382]
- Test output for FreeBSD mounts (UFS) improved [FILE-6329] - Test output for FreeBSD mounts (UFS) improved [FILE-6329]
- Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219] - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219]
- Several tests have their warning reporting improved - Several tests have their warning reporting improved


@ -1,3 +1,4 @@
# Contributions # Contributions
## Helping out ## Helping out
@ -6,13 +7,13 @@
Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error. Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error.
### Report bugs ### Report bugs
Create an GitHub issue on the issue tracker Create a GitHub issue on the issue tracker.
### Suggest changes (pull request) ### Suggest changes (pull request)
When you find something that can be improved, fork the project and create a pull request. When you find something that can be improved, fork the project and create a pull request.
### Translations ### Translations
See the db/languages directory See the db/languages directory.
## Developer Guidelines ## Developer Guidelines
@ -30,13 +31,13 @@ Identation should be 4 spaces (no tab character).
### Comments ### Comments
Comments: use # sign followed by a space. When needed, create a comment block. Comments: use # sign followed by a space. When needed, create a comment block.
Blank lines: allowed, one line maximum Blank lines: allowed, one line maximum.
### Functions ### Functions
All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands. All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands.
### Variables ### Variables
Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1).
## Pull Requests ## Pull Requests
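Review bot: the hunk header context reads 'Identation should be 4 spaces (no tab character)'; since this change is already a punctuation pass over the Developer Guidelines, correct that line to 'Indentation' in the same commit.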
@ -56,7 +57,7 @@ to this repository, you agree that you:
4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com) If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com).
## Unlimited Rights ## Unlimited Rights


@ -39,12 +39,14 @@ These people made a significant impact to the development of Lynis:
* C.J. Adams-Collier, US * C.J. Adams-Collier, US
* Charlie Heselton, US * Charlie Heselton, US
* Dave Vehrs * Dave Vehrs
* David Marzal Cánovas, Spain
* Eric Light, New Zealand * Eric Light, New Zealand
* Kamil Boratyński, Poland * Kamil Boratyński, Poland
* Mike Slifcak, US * Mike Slifcak, US
* Mikko Lehtisalo, Finland * Mikko Lehtisalo, Finland
* Steve Bosek, France * Steve Bosek, France
* Thomas Siebel, Germany * Thomas Siebel, Germany
* Topi Miettinen, Finland
* Zach Crownover * Zach Crownover

FAQ

@ -98,4 +98,4 @@
================================================================================ ================================================================================
Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

HAPPY_USERS.md Normal file

@ -0,0 +1,38 @@
# Happy users of the Lynis project
## Community
Since 2007, the Lynis project helped many system administrators and security
professionals to scan their systems and perform system hardening. Happy users
and contributors are the foundation of a healthy project.
## Your contribution
Are you also using Lynis? Contribute to the project by let others know:
1) What you like about the tool
2) How you use it
Your addition to the guestbook below will help existing and new users learn more
about how Lynis can help them.
### How to
Create a pull request and add your name above the first entry. Thanks!
## Our guestbook
* YOUR NAME AND STORY
* Michael Boelen - September 2019
The development of Lynis learned me a lot about Linux and Unix security. It is
installed on all my systems to uncover unexpected configuration issues. The
valuable feedback and contributions give me the energy to continue to work on
its development, even after 12+ years!
* Catalyst.net IT - January 2020
Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
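Review bot: 'Contribute to the project by let others know' should read 'by letting others know', and 'insight in to' should be 'insight into'. The 'How to' section says to add your name above the first entry, but the first entry is the '* YOUR NAME AND STORY' placeholder; say explicitly whether contributors should replace the placeholder or insert above it, otherwise the placeholder line gets pushed down and duplicated over time.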


@ -6,7 +6,7 @@
================================================================================ ================================================================================
Author: 2007-2013, Michael Boelen (michael.boelen@cisofy.com) Author: 2007-2013, Michael Boelen (michael.boelen@cisofy.com)
2013-2016, CISOfy development team 2013-now, CISOfy development team
Description: Security and system auditing tool Description: Security and system auditing tool
Web site: https://cisofy.com Web site: https://cisofy.com
Support: See 'Support' and https://cisofy.com/support/ Support: See 'Support' and https://cisofy.com/support/
@ -48,4 +48,4 @@
================================================================================ ================================================================================
Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com


@ -1,4 +1,5 @@
[![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/) [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/)
[![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis) [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96)
@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/
> Lynis - Security auditing and hardening tool, for UNIX-based systems. > Lynis - Security auditing and hardening tool, for UNIX-based systems.
Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit. Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit.
We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems. We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
@ -55,18 +56,21 @@ Typical users of the software:
If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`). If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`).
### Package ### Software Package
Stable releases of Lynis are packaged and made available as RPM or DEB package. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running : For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
`CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
### Enterprise version Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
If they don't provide an up-to-date version, consider the CISOfy repository, tarball (website), or GitHub release.
### Enterprise Version
This software component is also part of an enterprise solution. Same quality, yet with more functionality. This software component is also part of an enterprise solution. Same quality, yet with more functionality.
Focus areas include compliance (`PCI DSS`, `HIPAA`, `ISO27001`, and others). The Enterprise version comes with: Focus areas include compliance (`PCI DSS`, `HIPAA`, `ISO27001`, and others). The Enterprise version comes with:
* a web interface and features a dashboard ; * a web interface and features a dashboard;
* hardening snippets ; * hardening snippets;
* and an improvement plan. * and an improvement plan.
## Documentation ## Documentation
@ -100,7 +104,7 @@ Lynis is collecting some awards and we are proud of that.
> We love contributors. > We love contributors.
Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com. Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md). More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md).
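Review bot: the rewritten sentence still says 'Lynis was commonly used by system administrators and auditors', which reads as if that audience no longer exists; 'is commonly used' matches the present tense of the rest of the paragraph. Also, 'Some distributions may also have Lynis in their software repository' followed by 'If they don't provide an up-to-date version, consider the CISOfy repository' would be clearer as one sentence so the 'they' has an obvious referent.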

SECURITY.md Normal file

@ -0,0 +1,27 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 3.x.x | :white_check_mark: |
| 2.x.x | :white_check_mark: |
| < 2.x | :x: |
## Reporting a Vulnerability
To report a vulnerability, use security@cisofy.com
See our [security page](https://cisofy.com/security/) for more details.
## Preferred language
English
## Acknowledgments
https://cisofy.com/security/#thanks
## Other
See the latest 'security.txt' at https://cisofy.com/.well-known/security.txt
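Review bot: the Reporting a Vulnerability section gives only the security@cisofy.com address; state whether encrypted reports are accepted (a PGP key or its fingerprint, or a pointer to the one in security.txt) and the expected acknowledgement time, so reporters know what to expect. The Supported Versions table also lists 2.x.x as supported while the changelog in this same commit describes 3.0.0 as a breaking release and 3.0.1 as current; confirm 2.x still receives security fixes or mark it as unsupported.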

db/languages/da Normal file

@ -0,0 +1,41 @@
ERROR_NO_LICENSE="Ingen licensnøgle konfigureret"
ERROR_NO_UPLOAD_SERVER="Ingen upload server konfigureret"
GEN_CHECKING="Tjekker"
GEN_CURRENT_VERSION="Nuværende version"
GEN_DEBUG_MODE="Fejlfindingstilstand"
GEN_INITIALIZE_PROGRAM="Initialiserer program"
GEN_LATEST_VERSION="Seneste version"
GEN_PHASE="Fase"
GEN_PLUGINS_ENABLED="Plugins aktiverede"
GEN_UPDATE_AVAILABLE="opdatering tilgængelig"
GEN_VERBOSE_MODE="Detaljeret tilstand"
GEN_WHAT_TO_DO="At gøre"
NOTE_EXCEPTIONS_FOUND="Undtagelser fundet"
NOTE_EXCEPTIONS_FOUND_DETAILED="Nogle usædvanlige hændelser eller information var fundet"
NOTE_PLUGINS_TAKE_TIME="Bemærk: plugins har mere omfattende tests og kan tage flere minutter at fuldføre"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Sprang over tests på grund af ikke-privilegeret tilstand"
SECTION_CUSTOM_TESTS="Brugerdefinerede Tests"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Hukommelse og Processer"
STATUS_DISABLED="DEAKTIVERET"
STATUS_DONE="FÆRDIG"
STATUS_ENABLED="AKTIVERET"
STATUS_NOT_ENABLED="IKKE AKTIVERET"
STATUS_ERROR="FEJL"
STATUS_FOUND="FUNDET"
STATUS_YES="JA"
STATUS_NO="NEJ"
STATUS_OFF="FRA"
STATUS_OK="OK"
STATUS_ON="TIL"
STATUS_NONE="INGEN"
STATUS_NOT_FOUND="IKKE FUNDET"
STATUS_NOT_RUNNING="KØRER IKKE"
STATUS_RUNNING="KØRER"
STATUS_SKIPPED="SPRUNGET OVER"
STATUS_SUGGESTION="FORSLAG"
STATUS_UNKNOWN="UKENDT"
STATUS_WARNING="ADVARSEL"
STATUS_WEAK="SVAG"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
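Review bot: the new Danish file omits keys that this same commit adds to the English file (SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED), so those strings have no Danish translation; add them now rather than letting the file drift from day one. The keys are also not in alphabetical order (STATUS_YES and STATUS_NO sit between STATUS_FOUND and STATUS_OFF), unlike the German file which this commit sorts; keeping every language file sorted makes missing keys easy to spot in a diff.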


@ -1,38 +1,45 @@
GEN_PHASE="Phase" ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
GEN_CHECKING="Überprüfung" GEN_CHECKING="Überprüfung"
GEN_CURRENT_VERSION="Aktuelle Version" GEN_CURRENT_VERSION="Aktuelle Version"
GEN_DEBUG_MODE="Debug-Modus" GEN_DEBUG_MODE="Debug-Modus"
GEN_INITIALIZE_PROGRAM="Initiiere Programm" GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
GEN_LATEST_VERSION="Aktuellste Version"
GEN_PHASE="Phase"
GEN_PLUGINS_ENABLED="Plugins aktiviert" GEN_PLUGINS_ENABLED="Plugins aktiviert"
GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar" GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_WHAT_TO_DO="Was zu tun ist" GEN_WHAT_TO_DO="Was zu tun ist"
NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden" NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden" NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind" NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests" SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
SECTION_DATA_UPLOAD="Daten hochladen"
SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
SECTION_MALWARE="Malware" SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse" SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
STATUS_DISABLED="DEAKTIVIERT"
STATUS_DONE="FERTIG" STATUS_DONE="FERTIG"
STATUS_ENABLED="AKTIVIERT"
STATUS_ERROR="FEHLER"
STATUS_FAILED="FEHLERHAFT"
STATUS_FOUND="GEFUNDEN" STATUS_FOUND="GEFUNDEN"
STATUS_YES="JA"
STATUS_NO="NEIN" STATUS_NO="NEIN"
STATUS_NONE="NICHTS"
STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
STATUS_OFF="AUS" STATUS_OFF="AUS"
STATUS_OK="OK" STATUS_OK="OK"
STATUS_ON="AN" STATUS_ON="AN"
STATUS_NONE="NICHTS"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
STATUS_RUNNING="LÄUFT" STATUS_RUNNING="LÄUFT"
STATUS_SKIPPED="ÜBERSPRUNGEN" STATUS_SKIPPED="ÜBERSPRUNGEN"
STATUS_SUGGESTION="VORSCHLAG" STATUS_SUGGESTION="VORSCHLAG"
STATUS_UNKNOWN="UNBEKANNT" STATUS_UNKNOWN="UNBEKANNT"
STATUS_WARNING="WARNUNG" STATUS_WARNING="WARNUNG"
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen" STATUS_WEAK="SCHWACH"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar" TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus" TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
STATUS_DISABLED="DEAKTIVIERT"
STATUS_ENABLED="AKTIVIERT"
STATUS_ERROR="FEHLER"
ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
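Review bot: the German NOTE_SKIPPED_TESTS_NON_PRIVILEGED string has a grammar slip in this hunk: "aufgrund nicht privilegiertem Modus" should read "aufgrund des nicht privilegierten Modus" (aufgrund governs the genitive). Also note that TEXT_UPDATE_AVAILABLE is capitalised here ("Aktualisierung verfügbar") while the en file keeps it lower-case ("update available"); if that string is appended mid-line in the version banner, the German one will look out of place. The new keys STATUS_FAILED, STATUS_NOT_CONFIGURED and STATUS_WEAK are present, which is good.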

1
db/languages/de-AT Symbolic link
View File

@ -0,0 +1 @@
de
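Review bot: db/languages/de-AT is added as a symbolic link to "de". Symlinks are dropped or flattened by some packaging and archive paths, in which case a de-AT user would silently fall back to English. A more robust option is to have the language loader strip the region suffix (de-AT to de) when no exact file exists, which makes the link unnecessary; if the link stays, the packaging scripts should be checked to confirm they preserve it.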

View File

@ -14,27 +14,32 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
SECTION_CUSTOM_TESTS="Custom Tests" SECTION_CUSTOM_TESTS="Custom tests"
SECTION_DATA_UPLOAD="Data upload"
SECTION_INITIALIZING_PROGRAM="Initializing program"
SECTION_MALWARE="Malware" SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes" SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
SECTION_SYSTEM_TOOLS="System tools"
STATUS_DISABLED="DISABLED" STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE" STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED" STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR" STATUS_ERROR="ERROR"
STATUS_FAILED="FAILED"
STATUS_FOUND="FOUND" STATUS_FOUND="FOUND"
STATUS_YES="YES"
STATUS_NO="NO" STATUS_NO="NO"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF" STATUS_OFF="OFF"
STATUS_OK="OK" STATUS_OK="OK"
STATUS_ON="ON" STATUS_ON="ON"
STATUS_NONE="NONE"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_RUNNING="RUNNING" STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED" STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION" STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN" STATUS_UNKNOWN="UNKNOWN"
STATUS_WARNING="WARNING" STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK" STATUS_WEAK="WEAK"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" STATUS_YES="YES"
TEXT_UPDATE_AVAILABLE="update available" TEXT_UPDATE_AVAILABLE="update available"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
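Review bot: capitalisation of the section labels is now mixed in this hunk. SECTION_CUSTOM_TESTS was changed to sentence case ("Custom tests") and the new SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM and SECTION_SYSTEM_TOOLS follow that, but SECTION_MEMORY_AND_PROCESSES keeps "Memory and Processes". These headings appear side by side in the report, so one convention should be chosen. Separately, STATUS_FAILED and STATUS_NOT_CONFIGURED are new keys; unless the loader falls back to the English value for a missing key, every other language file in this commit needs them or the status column shows an empty string.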

40
db/languages/ko Normal file
View File

@ -0,0 +1,40 @@
ERROR_NO_LICENSE="라이선스 키가 없습니다"
ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다"
GEN_CHECKING="확인중입니다"
GEN_CURRENT_VERSION="현재 버전"
GEN_DEBUG_MODE="디버그 모드"
GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다"
GEN_LATEST_VERSION="최신 버전"
GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다"
GEN_UPDATE_AVAILABLE="업데이트 가능"
GEN_VERBOSE_MODE="상세 모드"
GEN_WHAT_TO_DO="할 일"
NOTE_EXCEPTIONS_FOUND="예외 발견"
NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다"
NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다"
SECTION_CUSTOM_TESTS="사용자정의 테스트"
SECTION_MALWARE="악성코드"
SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스"
STATUS_DISABLED="비활성화됨"
STATUS_DONE="완료"
STATUS_ENABLED="활성화됨"
STATUS_ERROR="에러"
STATUS_FOUND="발견"
STATUS_YES="예"
STATUS_NO="아니오"
STATUS_OFF="끔"
STATUS_OK="OK"
STATUS_ON="켬"
STATUS_NONE="없음"
STATUS_NOT_FOUND="발견되지않음"
STATUS_NOT_RUNNING="동작하지않음"
STATUS_RUNNING="동작중"
STATUS_SKIPPED="생략"
STATUS_SUGGESTION="추천"
STATUS_UNKNOWN="알수없음"
STATUS_WARNING="경고"
STATUS_WEAK="취약"
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
TEXT_UPDATE_AVAILABLE="업데이트 가능"
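Review bot: the new ko file is missing keys that this same commit adds to en: SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED and STATUS_NOT_CONFIGURED are absent, and GEN_PHASE="phase" is left untranslated. The file also does not follow the sorted order used for en in this commit (STATUS_YES before STATUS_NO, STATUS_NONE after STATUS_ON), which makes a key-by-key comparison against en harder for the next update.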

View File

@ -1,38 +1,45 @@
ERROR_NO_LICENSE="Geen licentiecode geconfigureerd"
ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd"
GEN_CHECKING="Zoeken naar" GEN_CHECKING="Zoeken naar"
GEN_CURRENT_VERSION="Huidige versie"
GEN_DEBUG_MODE="Debug modus"
GEN_INITIALIZE_PROGRAM="Programma initialiseren"
GEN_LATEST_VERSION="Laatste versie"
GEN_PHASE="fase" GEN_PHASE="fase"
GEN_INITIALIZE_PROGRAM="Initialiseren van programma" GEN_PLUGINS_ENABLED="Plugins geactiveerd"
NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren" GEN_VERBOSE_MODE="Verbose modus"
NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden" GEN_UPDATE_AVAILABLE="Update beschikbaar"
SECTION_CUSTOM_TESTS="Eigen Testen" GEN_WHAT_TO_DO="Wat te doen"
NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden"
NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
SECTION_CUSTOM_TESTS="Eigen testen"
SECTION_DATA_UPLOAD="Data upload"
SECTION_INITIALIZING_PROGRAM="Programma initialiseren"
SECTION_MALWARE="Kwaadaardige software (malware)" SECTION_MALWARE="Kwaadaardige software (malware)"
SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen" SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen"
STATUS_DONE="KLAAR" SECTION_SYSTEM_TOOLS="Systeem gereedschap"
STATUS_DISABLED="UITGESCHAKELD" STATUS_DISABLED="UITGESCHAKELD"
STATUS_DONE="KLAAR"
STATUS_ENABLED="INGESCHAKELD" STATUS_ENABLED="INGESCHAKELD"
STATUS_ERROR="FOUT"
STATUS_FAILED="MISLUKT"
STATUS_FOUND="GEVONDEN" STATUS_FOUND="GEVONDEN"
STATUS_NO="NEE" STATUS_OFF="UIT"
STATUS_NONE="GEEN"
STATUS_NOT_FOUND="NIET GEVONDEN"
STATUS_NOT_RUNNING="NIET ACTIEF"
STATUS_OK="OK" STATUS_OK="OK"
STATUS_ON="AAN" STATUS_ON="AAN"
STATUS_OFF="UIT" STATUS_NO="NEE"
STATUS_YES="JA" STATUS_NONE="GEEN"
STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
STATUS_NOT_FOUND="NIET GEVONDEN"
STATUS_NOT_RUNNING="NIET ACTIEF"
STATUS_RUNNING="ACTIEF" STATUS_RUNNING="ACTIEF"
STATUS_SKIPPED="OVERGESLAGEN" STATUS_SKIPPED="OVERGESLAGEN"
STATUS_SUGGESTION="SUGGESTIE" STATUS_SUGGESTION="SUGGESTIE"
STATUS_UNKNOWN="ONBEKEND" STATUS_UNKNOWN="ONBEKEND"
STATUS_WARNING="WAARSCHUWING" STATUS_WARNING="WAARSCHUWING"
GEN_CURRENT_VERSION="Huidige versie" STATUS_WEAK="ZWAK"
GEN_DEBUG_MODE="Debug mode" STATUS_YES="JA"
GEN_PLUGINS_ENABLED="Plugins geactiveerd"
GEN_VERBOSE_MODE="Verbose mode"
GEN_UPDATE_AVAILABLE="update beschikbaar"
GEN_WHAT_TO_DO="Wat te doen"
NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen" TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
TEXT_UPDATE_AVAILABLE="update beschikbaar" TEXT_UPDATE_AVAILABLE="update beschikbaar"
STATUS_ERROR="FOUT"
ERROR_NO_LICENSE="geen licentiecode configureerd"
ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads"
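Review bot: ordering in the new nl side drifts from the sorted en file: GEN_VERBOSE_MODE is placed before GEN_UPDATE_AVAILABLE, and STATUS_OFF, STATUS_OK and STATUS_ON come before STATUS_NO and STATUS_NONE. This is harmless at runtime but defeats the purpose of sorting the other language files. The spelling fix in ERROR_NO_LICENSE and ERROR_NO_UPLOAD_SERVER ("configureerd" to "geconfigureerd") and the added STATUS_FAILED, STATUS_NOT_CONFIGURED and STATUS_WEAK keys look complete.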

View File

@ -1,38 +1,38 @@
GEN_CHECKING="Checking" GEN_CHECKING="Проверка"
GEN_CURRENT_VERSION="Current version" GEN_CURRENT_VERSION="Текущая версия"
GEN_DEBUG_MODE="Debug mode" GEN_DEBUG_MODE="Режим отладки"
GEN_INITIALIZE_PROGRAM="Initializing program" GEN_INITIALIZE_PROGRAM="Инициализация программы"
GEN_PHASE="phase" GEN_PHASE="Стадия"
GEN_PLUGINS_ENABLED="Plugins enabled" GEN_PLUGINS_ENABLED="Плагины включены"
GEN_VERBOSE_MODE="Verbose mode" GEN_VERBOSE_MODE="Подробный режим"
GEN_UPDATE_AVAILABLE="update available" GEN_UPDATE_AVAILABLE="доступно обновление"
GEN_WHAT_TO_DO="What to do" GEN_WHAT_TO_DO="Что сделать"
NOTE_EXCEPTIONS_FOUND="Exceptions found" NOTE_EXCEPTIONS_FOUND="Найдены исключения"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
SECTION_CUSTOM_TESTS="Custom Tests" SECTION_CUSTOM_TESTS="Пользовательские тесты"
SECTION_MALWARE="Malware" SECTION_MALWARE="Вредоносное ПО"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes" SECTION_MEMORY_AND_PROCESSES="Память и процессы"
STATUS_DONE="DONE" STATUS_DONE="Завершено"
STATUS_FOUND="FOUND" STATUS_FOUND="Найдено"
STATUS_YES="YES" STATUS_YES="ДА"
STATUS_NO="NO" STATUS_NO="НЕТ"
STATUS_OFF="OFF" STATUS_OFF="Выключено"
STATUS_OK="OK" STATUS_OK="ОК"
STATUS_ON="ON" STATUS_ON="Включено"
STATUS_NONE="NONE" STATUS_NONE="Отсутствует"
STATUS_NOT_FOUND="NOT FOUND" STATUS_NOT_FOUND="НЕ НАЙДЕНО"
STATUS_NOT_RUNNING="NOT RUNNING" STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
STATUS_RUNNING="RUNNING" STATUS_RUNNING="ЗАПУЩЕНО"
STATUS_SKIPPED="SKIPPED" STATUS_SKIPPED="ПРОПУЩЕНО"
STATUS_SUGGESTION="SUGGESTION" STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ"
STATUS_UNKNOWN="UNKNOWN" STATUS_UNKNOWN="НЕИЗВЕСТНО"
STATUS_WARNING="WARNING" STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл"
TEXT_UPDATE_AVAILABLE="update available" TEXT_UPDATE_AVAILABLE="доступно обновление"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
STATUS_DISABLED="DISABLED" STATUS_DISABLED="ОТКЛЮЧЕНО"
STATUS_ENABLED="ENABLED" STATUS_ENABLED="ВКЛЮЧЕНО"
STATUS_ERROR="ERROR" STATUS_ERROR="ОШИБКА"
ERROR_NO_LICENSE="No license key configured" ERROR_NO_LICENSE="Лицензионный ключ не настроен"
ERROR_NO_UPLOAD_SERVER="No upload server configured" ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"
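Review bot: the ru file stays at 38 keys (hunk -1,38 +1,38), so it lacks the keys that en carries after this commit: SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED, STATUS_NOT_CONFIGURED and STATUS_WEAK. The STATUS_* values also mix cases (STATUS_DONE="Завершено" and STATUS_OFF="Выключено" versus STATUS_YES="ДА" and STATUS_NOT_FOUND="НЕ НАЙДЕНО"); since these are printed in the aligned status column, upper-case throughout would match the other languages.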

View File

@ -1,22 +1,176 @@
#
# End-of-life for operating systems and software # End-of-life for operating systems and software
# FreeBSD - https://www.freebsd.org/releases/ #
os:FreeBSD 9.3:2014-07-01: # This file has 4 fields:
os:FreeBSD 10.0:2014-01-01: # 1) category
os:FreeBSD 10.1:2014-11-01: # 2) name
os:FreeBSD 10.2:2015-08-01: # 3) date (human-readable) or empty
os:FreeBSD 10.3:2016-04-01: # 4) converted date (seconds since epoch) or -1
os:FreeBSD 10.4:2017-10-01: #
os:FreeBSD 11.0:2016-10-01: # Date can be converted on Linux using: date "+%s" --date=2020-01-01
os:FreeBSD 11.1:2017-07-01: # Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack #
os:Ubuntu 14.04:2019-05-01: # Notes:
os:Ubuntu 14.10:2015-07-01: # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
os:Ubuntu 15.04:2016-01-01: # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
os:Ubuntu 15.10:2016-07-01: #
os:Ubuntu 16.04:2021-05-01: # Amazon Linux
os:Ubuntu 16.10:2017-07-01: #
os:Ubuntu 17.04:2018-01-01: # Note: shortest entry is listed at end due to regular expression matching being used
os:Ubuntu 17.10:2018-07-01: os:Amazon Linux 2:2023-06-26:1687730400:
os:Ubuntu 18.04:2023-05-01: os:Amazon Linux:2020-06-30:1593468000:
os:Ubuntu 18.10:2019-07-01: #
os:Ubuntu 19.04:2020-01-01: # Arch Linux
#
os:Arch Linux::-1:
#
# CentOS
#
os:CentOS release 5:2017-03-31:1490911200:
os:CentOS release 6:2020-11-30:1606690800:
os:CentOS Linux 7:2024-06-30:1719698400:
os:CentOS Linux 8:2029-05-31:1874872800:
#
# Debian - https://wiki.debian.org/DebianReleases#Production_Releases
#
os:Debian 5.0:2012-02-06:1328482800:
os:Debian 6.0:2016-02-29:1456700400:
os:Debian 7:2018-05-31:1527717600:
os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
#
# Fedora - https://fedoraproject.org/wiki/End_of_life
#
os:Fedora release 25:2017-12-12:1513033200:
os:Fedora release 26:2018-05-29:1527544800:
os:Fedora release 27:2018-11-30:1543532400:
os:Fedora release 28:2019-05-28:1558994400:
os:Fedora release 29:2019-11-26:1574722800:
os:Fedora release 30:2020-05-26:1590444000:
#
# FreeBSD - https://www.freebsd.org/security/unsupported.html
#
os:FreeBSD 9.3:2014-12-31:1419980400:
os:FreeBSD 10.0:2015-02-28:1425078000:
os:FreeBSD 10.1:2016-12-31:1483138800:
os:FreeBSD 10.2:2016-12-31:1483138800:
os:FreeBSD 10.3:2018-04-30:1525039200:
os:FreeBSD 10.4:2018-10-31:1540940400:
os:FreeBSD 11.0:2017-11-30:1511996400:
os:FreeBSD 11.1:2018-09-30:1538258400:
os:FreeBSD 11.2:2019-10-31:1572476400:
os:FreeBSD 12.0:2020-02-29:1582930800:
#
# Linux Mint
#
os:Linux Mint 18:2021-04-01:1617228000:
os:Linux Mint 19:2023-04-01:1680300000:
os:Linux Mint 20:2025-04-01:1743458400:
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
#
os:NetBSD 2.0:2008-01-19:1200697200:
os:NetBSD 2.0.1:2008-01-19:1200697200:
os:NetBSD 2.0.2:2008-01-19:1200697200:
os:NetBSD 2.0.3:2008-01-19:1200697200:
os:NetBSD 2.1:2008-01-19:1200697200:
os:NetBSD 3.0:2009-09-29:1254175200:
os:NetBSD 3.0.1:2009-09-29:1254175200:
os:NetBSD 3.0.2:2009-09-29:1254175200:
os:NetBSD 3.1:2009-09-29:1254175200:
os:NetBSD 4.0:2012-11-17:1353106800:
os:NetBSD 4.0.1:2012-11-17:1353106800:
os:NetBSD 5.0:2015-11-17:1447714800:
os:NetBSD 5.0.1:2015-10-17:1445032800:
os:NetBSD 5.0.2:2015-10-17:1445032800:
os:NetBSD 5.1:2015-10-17:1445032800:
os:NetBSD 5.1.1:2015-10-17:1445032800:
os:NetBSD 5.1.2:2015-10-17:1445032800:
os:NetBSD 5.1.3:2015-10-17:1445032800:
os:NetBSD 5.1.4:2015-10-17:1445032800:
os:NetBSD 5.1.5:2015-10-17:1445032800:
os:NetBSD 5.2.1:2015-10-17:1445032800:
os:NetBSD 5.2.2:2015-10-17:1445032800:
os:NetBSD 5.2.3:2015-10-17:1445032800:
os:NetBSD 6.0:2017-09-17:1505599200:
os:NetBSD 6.0.1:2017-09-17:1505599200:
os:NetBSD 6.0.2:2017-09-17:1505599200:
os:NetBSD 6.0.3:2017-09-17:1505599200:
os:NetBSD 6.0.4:2017-09-17:1505599200:
os:NetBSD 6.0.5:2017-09-17:1505599200:
os:NetBSD 6.1:2017-09-17:1505599200:
os:NetBSD 6.1.1:2017-09-17:1505599200:
os:NetBSD 6.1.2:2017-09-17:1505599200:
os:NetBSD 6.1.3:2017-09-17:1505599200:
os:NetBSD 6.1.4:2017-09-17:1505599200:
os:NetBSD 6.1.5:2017-09-17:1505599200:
os:NetBSD 7.0:2020-03-14:1584162000:
os:NetBSD 7.0.1:2020-03-14:1584162000:
os:NetBSD 7.0.2:2020-03-14:1584162000:
os:NetBSD 7.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.2:2020-03-14:1584162000:
os:NetBSD 8.0::-1:
os:NetBSD 8.1::-1:
os:NetBSD 9.0::-1:
#
# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
#
os:OpenBSD 5.8:2016-09-01:1472680800:
os:OpenBSD 5.9:2017-04-11:1491861600:
os:OpenBSD 6.0:2017-09-10:1505001600:
os:OpenBSD 6.1:2018-04-15:1523750400:
os:OpenBSD 6.2:2018-10-18:1539820800:
os:OpenBSD 6.3:2019-05-03:1556841600:
os:OpenBSD 6.4:2019-10-17:1571270400:
os:OpenBSD 6.5:2020-05-19:1589846400:
os:OpenBSD 6.6:2020-10-01:1601510400:
os:OpenBSD 6.7:2021-05-01:1619827200:
#
# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
#
# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
#
os:Slackware Linux 8.1:2012-08-01:1343768400:
os:Slackware Linux 9.0:2012-08-01:1343768400:
os:Slackware Linux 9.1:2012-08-01:1343768400:
os:Slackware Linux 10.0:2012-08-01:1343768400:
os:Slackware Linux 10.1:2012-08-01:1343768400:
os:Slackware Linux 10.2:2012-08-01:1343768400:
os:Slackware Linux 11.0:2012-08-01:1343768400:
os:Slackware Linux 12.0:2012-08-01:1343768400:
os:Slackware Linux 12.1:2013-12-09:1386540000:
os:Slackware Linux 12.2:2013-12-09:1386540000:
os:Slackware Linux 13.0:2018-07-05:1530738000:
os:Slackware Linux 13.1:2018-07-05:1530738000:
os:Slackware Linux 13.37:2018-07-05:1530738000:
#
# SuSE - https://www.suse.com/lifecycle/
#
os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
#
# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
# https://wiki.ubuntu.com/Releases
#
os:Ubuntu 14.04:2019-05-01:1556661600:
os:Ubuntu 14.10:2015-07-01:1435701600:
os:Ubuntu 15.04:2016-01-01:1451602800:
os:Ubuntu 15.10:2016-07-01:1467324000:
os:Ubuntu 16.04:2021-05-01:1619820000:
os:Ubuntu 16.10:2017-07-01:1498860000:
os:Ubuntu 17.04:2018-01-01:1514761200:
os:Ubuntu 17.10:2018-07-01:1530396000:
os:Ubuntu 18.04:2023-05-01:1682892000:
os:Ubuntu 18.10:2019-07-18:1563400800:
os:Ubuntu 19.04:2020-01-01:1577833200:
os:Ubuntu 20.04:2025-04-01:1743458400:
#
# EOF
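Review bot: the epoch values in field four were not all converted in the same timezone, so one human-readable date maps to different numbers within this file: 2021-05-01 is 1619820000 for Ubuntu 16.04 but 1619827200 for OpenBSD 6.7 (the latter is midnight UTC, the former two hours earlier), and the header's own verification example, date -d @1467324000 +'%Y-%m-%d', prints 2016-06-30 under UTC rather than the 2016-07-01 stored beside it. Regenerating field four with TZ=UTC date "+%s" --date=YYYY-MM-DD and saying so in the header would make the values reproducible. Further points in this hunk: "os:NetBSD 7.1.1:2020-03-14:1584162000:" is listed twice; the header states that the shortest entry must come last because a regular-expression match is used, yet "os:NetBSD 5.0:2015-11-17:1447714800:" precedes "os:NetBSD 5.0.1:2015-10-17:1445032800:", so a 5.0.x system would match the 5.0 entry first and get the wrong date (the same short-before-long pattern exists for NetBSD 2.0, 3.0, 6.0 and 7.0 and is only harmless while the dates coincide); Debian 9 and Debian 10 carry the identical 2022-01-01, which looks like a placeholder worth checking against the linked release page; and the note "do not (currently have an EOL date" has an unbalanced parenthesis.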

View File

@ -22,6 +22,8 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
AUTH-9222:test:security:authentication::Check for non unique groups: AUTH-9222:test:security:authentication::Check for non unique groups:
AUTH-9226:test:security:authentication::Check non unique group names: AUTH-9226:test:security:authentication::Check non unique group names:
AUTH-9228:test:security:authentication::Check password file consistency with pwck: AUTH-9228:test:security:authentication::Check password file consistency with pwck:
AUTH-9229:test:security:authentication::Check password hashing methods:
AUTH-9230:test:security:authentication::Check group password hashing rounds:
AUTH-9234:test:security:authentication::Query user accounts: AUTH-9234:test:security:authentication::Query user accounts:
AUTH-9240:test:security:authentication::Query NIS+ authentication support: AUTH-9240:test:security:authentication::Query NIS+ authentication support:
AUTH-9242:test:security:authentication::Query NIS authentication support: AUTH-9242:test:security:authentication::Query NIS authentication support:
@ -45,7 +47,8 @@ AUTH-9340:test:security:authentication:Solaris:Solaris account locking:
AUTH-9402:test:security:authentication::Query LDAP authentication support: AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration: AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs: AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts: AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file: BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
BANN-7124:test:security:banners::Check issue banner file: BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents: BANN-7126:test:security:banners::Check issue banner file contents:
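Review bot: AUTH-9489 (DragonFly, "Check login shells for passwordless accounts") is dropped from the database in the same hunk that adds AUTH-9409 and AUTH-9410 for the OpenBSD doas file. If tests_authentication still registers AUTH-9489, it now has no database entry for the category and skip-test lookups; if the test was removed deliberately, that should be recorded in the changelog as a removed test so profiles that reference the ID can be cleaned up.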
@ -55,7 +58,9 @@ BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
BOOT-5104:test:security:boot_services::Determine service manager: BOOT-5104:test:security:boot_services::Determine service manager:
BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS: BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader: BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
BOOT-5109:test:security:boot_services:Linux:Test rEFInd boot loader:
BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode: BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader:
BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence: BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
BOOT-5122:test:security:boot_services::Check for GRUB boot password: BOOT-5122:test:security:boot_services::Check for GRUB boot password:
BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence: BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence:
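Review bot: style point on the two new entries: the neighbouring boot loader tests are described as "Check for <loader> boot loader presence", while BOOT-5109 reads "Test rEFInd boot loader" and BOOT-5117 "Check for systemd-boot boot loader". Aligning both with the existing wording keeps the report's test descriptions consistent.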
@ -71,6 +76,9 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5260:test:security:boot_services::Check single user mode for systemd:
BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence:
BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons:
BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts:
BOOT-5264:test:security:boot_services:Linux:Run systemd-analyze security:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones: CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
CONT-8102:test:security:containers::Checking Docker status and information: CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings: CONT-8104:test:security:containers::Checking Docker info for any warnings:
@ -79,12 +87,18 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files: CONT-8108:test:security:containers::Check file permissions for Docker files:
CORE-1000:test:performance:system_integrity::Check all system binaries: CORE-1000:test:performance:system_integrity::Check all system binaries:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates: CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
CRYP-7931:test:security:crypto:Linux:Determine if system uses encrypted swap:
CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators:
CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators:
DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked: DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
DBS-1804:test:security:databases::Checking active MySQL process: DBS-1804:test:security:databases::Checking active MySQL process:
DBS-1816:test:security:databases::Checking MySQL root password: DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status: DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication: DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes: DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1828:test:security:databases::PostgreSQL configuration files:
DBS-1840:test:security:databases::Checking active Oracle processes: DBS-1840:test:security:databases::Checking active Oracle processes:
DBS-1860:test:security:databases::Checking active DB2 instances: DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes: DBS-1880:test:security:databases::Checking active Redis processes:
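Review bot: the new CRYP-7930 through CRYP-8005 entries are inserted directly before DNS-1600, which itself sits ahead of the DBS-* block. The file is otherwise sorted by test ID, and since this hunk already touches that spot, moving DNS-1600 below DBS-1880 would restore the grouping by prefix (pre-existing, but cheap to fix here). The descriptions of CRYP-7930 and CRYP-7931 ("Determine if system uses LUKS encryption" / "encrypted swap") match the changelog entries for those tests.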
@ -106,8 +120,9 @@ FILE-6362:test:security:filesystems::Checking /tmp sticky bit:
FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit: FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit:
FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file system: FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file system:
FILE-6372:test:security:filesystems:Linux:Checking / mount options: FILE-6372:test:security:filesystems:Linux:Checking / mount options:
FILE-6374:test:security:filesystems:Linux:Checking /boot mount options: FILE-6374:test:security:filesystems:Linux:Linux mount options:
FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp: FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp:
FILE-6394:test:performance:filesystems:Linux:Test swappiness of virtual memory:
FILE-6410:test:security:filesystems::Checking Locate database: FILE-6410:test:security:filesystems::Checking Locate database:
FILE-6430:test:security:filesystems::Disable mounting of some filesystems: FILE-6430:test:security:filesystems::Disable mounting of some filesystems:
FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts: FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts:
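Review bot: the FILE-6374 description changes from "Checking /boot mount options" to "Linux mount options", which is vaguer and now overlaps with FILE-6372 ("Checking / mount options"). If the test was broadened to several mount points, a description that says so (for example naming the mount points it covers) tells the reader what the finding refers to. FILE-6394 is filed under "performance", which fits a swappiness check.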
@ -115,6 +130,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FINT-4310:test:security:file_integrity::AFICK availability: FINT-4310:test:security:file_integrity::AFICK availability:
FINT-4314:test:security:file_integrity::AIDE availability: FINT-4314:test:security:file_integrity::AIDE availability:
FINT-4315:test:security:file_integrity::Check AIDE configuration file: FINT-4315:test:security:file_integrity::Check AIDE configuration file:
FINT-4316:test:security:file_integirty::Presence of AIDE database and size check:
FINT-4318:test:security:file_integrity::Osiris availability: FINT-4318:test:security:file_integrity::Osiris availability:
FINT-4322:test:security:file_integrity::Samhain availability: FINT-4322:test:security:file_integrity::Samhain availability:
FINT-4326:test:security:file_integrity::Tripwire availability: FINT-4326:test:security:file_integrity::Tripwire availability:
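Review bot: the group field of the new FINT-4316 line is misspelled: "file_integirty" instead of "file_integrity". Because that field is what group filtering and the per-group test selection match on, the AIDE database check would be excluded from the file_integrity group while every neighbouring FINT-* entry is included.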
@ -123,6 +139,9 @@ FINT-4330:test:security:file_integrity::mtree availability:
FINT-4334:test:security:file_integrity::Check lfd daemon status: FINT-4334:test:security:file_integrity::Check lfd daemon status:
FINT-4336:test:security:file_integrity::Check lfd configuration status: FINT-4336:test:security:file_integrity::Check lfd configuration status:
FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
FINT-4350:test:security:file_integrity::File integrity software installed: FINT-4350:test:security:file_integrity::File integrity software installed:
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
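Review bot: the three new lines FINT-4339, FINT-4340 and FINT-4341 lack the trailing colon that every other entry in this database has (compare FINT-4350 directly below). If the database is parsed as colon-delimited fields, the last field of these three records differs from the rest; adding the trailing colon keeps the record shape uniform.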
@ -143,6 +162,8 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status: FIRE-4590:test:security:firewalls::Check firewall status:
FIRE-4594:test:security:firewalls::Check for APF presence: FIRE-4594:test:security:firewalls::Check for APF presence:
HOME-9302:test:security:homedirs::Create list with home directories: HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9304:test:security:homedirs::Test permissions of user home directories:
HOME-9306:test:security:homedirs::Test ownership of user home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files: HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
HOME-9350:test:security:homedirs::Collecting information from home directories: HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed: HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
@ -164,11 +185,23 @@ HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx: HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx: HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
HTTP-6720:test:security:webservers::Check Nginx log files: HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon: INSE-8000:test:security:insecure_services::Installed inetd package:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon: INSE-8002:test:security:insecure_services::Status of inet daemon:
INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled: INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
INSE-8016:test:security:insecure_services::Check for telnet via inetd: INSE-8016:test:security:insecure_services::Check for telnet via inetd:
INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems: INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
INSE-8100:test:security:insecure_services::Installed xinetd package:
INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
INSE-8300:test:security:insecure_services::Presence of rsh client:
INSE-8302:test:security:insecure_services::Presence of rsh server:
INSE-8310:test:security:insecure_services::Presence of telnet client:
INSE-8312:test:security:insecure_services::Presence of telnet server:
INSE-8314:test:security:insecure_services::Presence of NIS client:
INSE-8316:test:security:insecure_services::Presence of NIS server:
INSE-8318:test:security:insecure_services::Presence of TFTP client:
INSE-8320:test:security:insecure_services::Presence of TFTP server:
KRNL-5622:test:security:kernel:Linux:Determine Linux default run level: KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
KRNL-5677:test:security:kernel:Linux:Check CPU options and support: KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number: KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
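Review bot: INSE-8002 and INSE-8004 keep their IDs but change meaning in this hunk (INSE-8002 from "Check for enabled inet daemon" to "Status of inet daemon", INSE-8004 from the same old description to "Presence of inetd configuration file"), and a new INSE-8000 "Installed inetd package" is inserted before them. Any profile that skips or whitelists these IDs now affects a different check than it did before; the changelog should call that out. Fixing the old duplicated description between 8002 and 8004 is welcome, and the new INSE-83xx presence tests for rsh, telnet, NIS and TFTP clients/servers follow a consistent naming pattern.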
@ -255,9 +288,11 @@ NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:
NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name: NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name:
NAME-4406:test:security:nameservices::Check server hostname mapping: NAME-4406:test:security:nameservices::Check server hostname mapping:
NAME-4408:test:security:nameservices::Check localhost to IP mapping: NAME-4408:test:security:nameservices::Check localhost to IP mapping:
NETW-2400:test:basics:networking::Test hostname for valid characters and length:
NETW-2600:test:security:networking:Linux:Checking IPv6 configuration: NETW-2600:test:security:networking:Linux:Checking IPv6 configuration:
NETW-2704:test:security:networking::Basic nameserver configuration tests: NETW-2704:test:security:networking::Basic nameserver configuration tests:
NETW-2705:test:security:networking::Check availability two nameservers: NETW-2705:test:security:networking::Check availability two nameservers:
NETW-2706:test:security:networking::Check DNSSEC status:
NETW-3001:test:security:networking::Find default gateway (route): NETW-3001:test:security:networking::Find default gateway (route):
NETW-3004:test:security:networking::Search available network interfaces: NETW-3004:test:security:networking::Search available network interfaces:
NETW-3006:test:security:networking::Get network MAC addresses: NETW-3006:test:security:networking::Get network MAC addresses:
@ -268,6 +303,7 @@ NETW-3015:test:security:networking:Linux:Checking promiscuous interfaces (Linux)
NETW-3028:test:security:networking::Checking connections in WAIT state: NETW-3028:test:security:networking::Checking connections in WAIT state:
NETW-3030:test:security:networking::Checking DHCP client status: NETW-3030:test:security:networking::Checking DHCP client status:
NETW-3032:test:security:networking:Linux:Checking for ARP monitoring software: NETW-3032:test:security:networking:Linux:Checking for ARP monitoring software:
NETW-3200:test:security:networking::Determine available network protocols:
PHP-2211:test:security:php::Check php.ini presence: PHP-2211:test:security:php::Check php.ini presence:
PHP-2320:test:security:php::Check PHP disabled functions: PHP-2320:test:security:php::Check PHP disabled functions:
PHP-2368:test:security:php::Check PHP register_globals option: PHP-2368:test:security:php::Check PHP register_globals option:
@ -276,6 +312,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
PHP-2376:test:security:php::Check PHP allow_url_fopen option: PHP-2376:test:security:php::Check PHP allow_url_fopen option:
PHP-2378:test:security:php::Check PHP allow_url_include option: PHP-2378:test:security:php::Check PHP allow_url_include option:
PHP-2379:test:security:php::Check PHP suhosin extension status: PHP-2379:test:security:php::Check PHP suhosin extension status:
PHP-2382:test:security:php::Check PHP listen option:
PKGS-7301:test:security:ports_packages::Query NetBSD pkg: PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info: PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
PKGS-7303:test:security:ports_packages::Query brew package manager: PKGS-7303:test:security:ports_packages::Query brew package manager:
@ -314,6 +351,7 @@ PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates: PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
PKGS-7398:test:security:ports_packages::Check for package audit tool: PKGS-7398:test:security:ports_packages::Check for package audit tool:
PKGS-7410:test:security:ports_packages::Count installed kernel packages: PKGS-7410:test:security:ports_packages::Count installed kernel packages:
PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency: PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency:
PRNT-2304:test:security:printers_spools::Check cupsd status: PRNT-2304:test:security:printers_spools::Check cupsd status:
PRNT-2306:test:security:printers_spools::Check CUPSd configuration file: PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
@ -327,6 +365,7 @@ PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for memory
PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details: PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details:
PROC-3612:test:security:memory_processes::Check dead or zombie processes: PROC-3612:test:security:memory_processes::Check dead or zombie processes:
PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes: PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes:
PROC-3802:test:security:memory_processes::Check presence of prelink tooling:
RBAC-6272:test:security:mac_frameworks::Check grsecurity presence: RBAC-6272:test:security:mac_frameworks::Check grsecurity presence:
SCHD-7702:test:security:scheduling::Check status of cron daemon: SCHD-7702:test:security:scheduling::Check status of cron daemon:
SCHD-7704:test:security:scheduling::Check crontab/cronjobs: SCHD-7704:test:security:scheduling::Check crontab/cronjobs:
@ -337,7 +376,7 @@ SHLL-6202:test:security:shells:FreeBSD:Check console TTYs:
SHLL-6211:test:security:shells::Checking available and valid shells: SHLL-6211:test:security:shells::Checking available and valid shells:
SHLL-6220:test:security:shells::Checking available and valid shells: SHLL-6220:test:security:shells::Checking available and valid shells:
SHLL-6230:test:security:shells::Perform umask check for shell configurations: SHLL-6230:test:security:shells::Perform umask check for shell configurations:
SINT-7010:test:security:system_integrity::System Integrity Status: SINT-7010:test:security:system_integrity:MacOS:System Integrity Status:
SNMP-3302:test:security:snmp::Check for running SNMP daemon: SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location: SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities: SNMP-3306:test:security:snmp::Check SNMP communities:
@ -357,8 +396,6 @@ SSH-7404:test:security:ssh::Check SSH daemon file location:
SSH-7406:test:security:ssh::Detection of OpenSSH server version: SSH-7406:test:security:ssh::Detection of OpenSSH server version:
SSH-7408:test:security:ssh::Check SSH specific defined options: SSH-7408:test:security:ssh::Check SSH specific defined options:
SSH-7440:test:security:ssh::AllowUsers and AllowGroups: SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:
STRG-1842:test:security:storage:Linux:Check USB authorizations:
STRG-1846:test:security:storage:Linux:Check if firewire storage is disabled: STRG-1846:test:security:storage:Linux:Check if firewire storage is disabled:
STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs: STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc: STRG-1904:test:security:storage_nfs::Check nfs rpc:
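Review bot: Removing the STRG-1840 and STRG-1842 records (while USB-1000 and USB-2000 with the same descriptions are added further down) changes the test identifiers, so any custom profile that references them via skip-test=STRG-1840 or skip-test=STRG-1842 will stop matching; call the rename out in the changelog and consider keeping the old identifiers as aliases for one release.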
@ -379,12 +416,18 @@ TIME-3136:test:security:time:Linux:Check NTP protocol version:
TIME-3148:test:performance:time:Linux:Check TZ variable: TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers: TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files: TIME-3170:test:security:time::Check configuration files:
TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
TIME-3182:test:security:time::Check OpenNTPD has working peers
TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
TOOL-5002:test:security:tooling::Checking for automation tools: TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file: TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5160:test:security:tooling::Check for active OSSEC analysis daemon: TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
USB-2000:test:security:storage:Linux:Check USB authorizations:
USB-3000:test:security:storage:Linux:Check for presence of USBGuard: USB-3000:test:security:storage:Linux:Check for presence of USBGuard:
# EOF # EOF
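Review bot: The three new records TIME-3181, TIME-3182 and TIME-3185 do not end with the trailing colon that every other line in this database carries (compare TIME-3180 directly above them); add the terminating `:` so any field-count based parsing of tests.db stays consistent. For TIME-3185 also consider restricting the OS field to Linux, as systemd-timesyncd is Linux-only.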
@ -1,30 +1,33 @@
################################################################################# #################################################################################
# #
# #
# Lynis - Scan Profile (default) # Lynis - Default scan profile
#
# This is the default profile and contains default values.
# #
# #
################################################################################# #################################################################################
# #
# #
# SUGGESTION # This profile provides Lynis with most of its initial values to perform a
# system audit.
#
#
# WARNINGS
# ---------- # ----------
# #
# Do NOT make changes to this file, instead copy your preferred settings to # Do NOT make changes to this file. Instead, copy only your changes into
# custom.prf and put it in the same directory as default.prf # the file custom.prf and put it in the same directory as default.prf
# #
# To discover where your profiles are located: lynis show profiles # To discover where your profiles are located: lynis show profiles
# #
# #
# Lynis performs a strict check on profiles to avoid the inclusion of
# possibly harmful injections. See include/profiles for details.
#
#
################################################################################# #################################################################################
# #
# All empty lines or with the # prefix will be skipped # All empty lines or with the # prefix will be skipped
# #
# More information about this plugin can be found in the documentation:
# https://cisofy.com/documentation/lynis/
#
################################################################################# #################################################################################
# Use colored output # Use colored output
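Review bot: The new header line "More information about this plugin can be found in the documentation" is wrong for this file, which is the default scan profile, not a plugin; change "this plugin" to "this profile" (or "Lynis profiles").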
@ -33,6 +36,9 @@ colors=yes
# Compressed uploads (set to zero when errors with uploading occur) # Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes compressed-uploads=yes
# Amount of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
# Debug mode (for debugging purposes, extra data logged to screen) # Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes #debug=yes
@ -42,20 +48,27 @@ error-on-warnings=no
# Use Lynis in your own language (by default auto-detected) # Use Lynis in your own language (by default auto-detected)
language= language=
# Lynis Enterprise license key # Log tests from another guest operating system (default: yes)
license-key= #log-tests-incorrect-os=yes
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Defines the role of the system (personal, workstation or server) # Defines the role of the system (personal, workstation or server)
machine-role=server machine-role=server
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
# Profile name, will be used as title/description # Profile name, will be used as title/description
profile-name=Default Audit Template profile-name=Default Audit Template
# Number of seconds to pause between every test (0 is no pause) # Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0 pause-between-tests=0
# Enable quick mode (no waiting for keypresses, same as --quick option) # Quick mode (do not wait for keypresses)
quick=no quick=yes
# Refresh software repositories to help detecting vulnerable packages # Refresh software repositories to help detecting vulnerable packages
refresh-repositories=yes refresh-repositories=yes
@ -76,39 +89,21 @@ skip-plugins=no
#skip-test=SSH-7408:loglevel #skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin #skip-test=SSH-7408:permitrootlogin
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
# Locations where to search for SSL certificates (separate paths with a colon)
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
ssl-certificate-include-packages=no
# Scan type - how deep the audit should be (light, normal or full) # Scan type - how deep the audit should be (light, normal or full)
test-scan-mode=full test-scan-mode=full
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
upload-options=
# Verbose output # Verbose output
verbose=no verbose=no
#################################################################################
#
# Upgrade and updating
# --------------------
#
# The old settings to do automatic updating are deprecated. It is suggested to
# use a package or deploy your the tarball via a custom script.
#
# The latest packages can be found at: https://packages.cisofy.com
#
#################################################################################
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
################################################################################# #################################################################################
# #
# Plugins # Plugins
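Review bot: The new keys `ssl-certificate-paths-to-ignore` and `ssl-certificate-include-packages` are the only settings in this profile without an explanatory comment; add one line each describing their purpose and accepted values. Also, `ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:` ends with the colon separator, which yields an empty trailing element; either drop the trailing colon or confirm that the path parser tolerates it.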
@ -119,10 +114,11 @@ verbose=no
# - Nothing happens if plugin isn't available # - Nothing happens if plugin isn't available
# - There is no order in execution of plugins # - There is no order in execution of plugins
# - See documentation about how to use plugins and phases # - See documentation about how to use plugins and phases
# - Some are for Lynis Enterprise users only
# #
################################################################################# #################################################################################
# Lynis Plugins (some are for Lynis Enterprise users only) # Lynis plugins to enable
plugin=authentication plugin=authentication
plugin=compliance plugin=compliance
plugin=configuration plugin=configuration
@ -149,17 +145,22 @@ plugin=system-integrity
plugin=systemd plugin=systemd
plugin=users plugin=users
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
################################################################################# #################################################################################
# #
# Kernel options # Kernel options
# --------------- # ---------------
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>: # config-data=, followed by:
# #
# Sysctl key = name # - Type = Set to 'sysctl'
# Expected value = value of sysctl key # - Setting = value of sysctl key (e.g. kernel.sysrq)
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable # - Expected value = Preferred value for key (e.g. 0)
# Description = Text description of key # - Hardening Points = Number of hardening points (typically 1 point per key) (1)
# - Description = Textual description about the sysctl key(Disable magic SysRQ)
# - Related file or command = For example, sysctl -a to retrieve more details
# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
# #
################################################################################# #################################################################################
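Review bot: The rewritten field description for `config-data=` never states which character separates the fields; the entries that follow (for example the `security.bsd.hardlink_check_uid` line) use `;`, while the permfile/permdir sections below use `:`, so say explicitly "fields are separated by a semicolon" to avoid mixing the two. Minor: "about the sysctl key(Disable magic SysRQ)" is missing a space before the parenthesis, and the stray "(1)" after "typically 1 point per key" looks like a leftover.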
@ -269,86 +270,66 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security; config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################
apache:ServerTokens:Prod:
#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################
openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# NTP options
#
#################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################
# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:
# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:
################################################################################# #################################################################################
# #
# permfile # permfile
# --------------- # ---------------
# permfile:file name:file permissions:owner:group:action: # permfile=file name:file permissions:owner:group:action:
# Action = NOTICE or WARN # Action = NOTICE or WARN
# Examples: # Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE: # permfile=/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN: # permfile=/etc/test1.dat:640:root:-:WARN:
# #
################################################################################# #################################################################################
#permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile=/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN: #permfile=/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN: permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
permfile=/etc/at.allow:rw-------:root:-:WARN:
permfile=/etc/at.deny:rw-------:root:-:WARN:
permfile=/etc/cron.allow:rw-------:root:-:WARN:
permfile=/etc/cron.deny:rw-------:root:-:WARN:
permfile=/etc/crontab:rw-------:root:-:WARN:
permfile=/etc/group:rw-r--r--:root:-:WARN:
permfile=/etc/group-:rw-r--r--:root:-:WARN:
permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
permfile=/etc/issue:rw-r--r--:root:root:WARN:
permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
permfile=/etc/lilo.conf:rw-------:root:-:WARN:
permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
permfile=/root/.rhosts:rw-------:root:root:WARN:
permfile=/root/.rlogin:rw-------:root:root:WARN:
permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:
#permfile=/etc/gshadow-:---------:root:-:WARN:
#permfile=/etc/shadow:---------:root:-:WARN:
#permfile=/etc/shadow-:---------:root:-:WARN:
################################################################################# #################################################################################
# #
# permdir # permdir
# --------------- # ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different: # permdir=directory name:file permissions:owner:group:action when permissions are different:
# #
################################################################################# #################################################################################
permdir:/root/.ssh:rwx------:root:-:WARN: permdir=/root/.ssh:rwx------:root:-:WARN:
permdir=/etc/cron.d:rwx------:root:root:WARN:
# Scan for a program/binary in BINPATHs permdir=/etc/cron.daily:rwx------:root:root:WARN:
#scanbinary:Rootkit Hunter:rkhunter: permdir=/etc/cron.hourly:rwx------:root:root:WARN:
permdir=/etc/cron.weekly:rwx------:root:root:WARN:
# Amount of connections in WAIT state before reporting it as a suggestion permdir=/etc/cron.monthly:rwx------:root:root:WARN:
#connections-max-wait-state=5000
# Ignore some specific home directories # Ignore some specific home directories
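Review bot: The key syntax changes from `permfile:` / `permdir:` to `permfile=` / `permdir=`; confirm that the profile parser still accepts (or at least warns on) the old colon form, otherwise entries in existing custom.prf files will be dropped without any message. The removed Apache, OpenLDAP, NTP and scanfile/scandir sections should likewise be mentioned in the changelog if their option prefixes are no longer honoured. The new permfile list is a good addition; note that `/etc/lilo.conf` is kept while `/etc/shadow` and `/etc/gshadow` stay commented out "because permissions differ by OS", which means the most sensitive credential files get no check at all by default; consider expressing their expected mode per OS rather than leaving them disabled.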
@ -356,12 +337,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# checks, like file permissions, SSH and other configuration files # checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user #ignore-home-dir=/home/user
# Do not log tests with another guest operating system (default: yes)
#log-tests-incorrect-os=no
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Allow promiscuous interfaces # Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>: # <option>:<promiscuous interface name>:<description>:
@ -395,21 +370,10 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
################################################################################# #################################################################################
# #
# Lynis Enterprise options # Lynis Enterprise options
# ----------------- # ------------------------
# #
################################################################################# #################################################################################
@ -423,6 +387,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
#hostid=40-char-hash #hostid=40-char-hash
#hostid2=64-char-hash #hostid2=64-char-hash
# Lynis Enterprise license key
license-key=
# Proxy settings # Proxy settings
# Protocol (http, https, socks5) # Protocol (http, https, socks5)
#proxy-protocol=https #proxy-protocol=https
@ -443,9 +410,18 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client # Provide the name of the customer/client
#system-customer-name=mycustomer #system-customer-name=mycustomer
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
upload-options=
# Link one or more tags to a system # Link one or more tags to a system
#tags=db,production,ssn-1304 #tags=db,production,ssn-1304
#EOF #EOF
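Review bot: The relocated comment `upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)` documents disabling TLS verification as the way to handle self-signed servers; since this governs uploads of audit data, the example should point to pinning the server certificate instead (for cURL, `--cacert <file>`), and mention that `--insecure` defeats the point of using HTTPS.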
@ -3,6 +3,5 @@
debug=yes debug=yes
developer-mode=yes developer-mode=yes
quick=yes
strict=yes strict=yes
verbose=yes verbose=yes
@ -1,6 +1,6 @@
# bash completion for lynis # bash completion for lynis
# version 1.0.0 (22 September 2014) # version 1.0.1 (2019-07-13)
# Michael Boelen <michael.boelen@cisofy.com> # Michael Boelen <michael.boelen@cisofy.com>
# lynis(8) completion # lynis(8) completion
@ -10,7 +10,7 @@ _lynis()
# opts nodig nosig # opts nodig nosig
COMPREPLY=() COMPREPLY=()
_get_comp_words_by_ref cur prev _get_comp_words_by_ref cur prev words
if [ $COMP_CWORD -eq 1 ]; then if [ $COMP_CWORD -eq 1 ]; then
# first parameter on line # first parameter on line
@ -19,24 +19,134 @@ _lynis()
COMPREPLY=( $( compgen -W '--help --info --version' -- "$cur" ) ) COMPREPLY=( $( compgen -W '--help --info --version' -- "$cur" ) )
;; ;;
*) *)
COMPREPLY=( $( compgen -W 'audit --help --info --version' -- "$cur" ) ) COMPREPLY=( $( compgen -W 'audit generate show' -- "$cur" ) )
;; ;;
esac esac
return 0
return 0 elif [ $COMP_CWORD -eq 4 ]; then
# Stop after some specifics
if [ "${COMP_WORDS[1]}" = "show" -a "${COMP_WORDS[2]}" = "details" ]; then
return 0
fi
fi fi
# Check previous argument to share the available options
case $prev in case $prev in
audit) audit)
COMPREPLY=( $( compgen -W 'dockerfile system ' -- "$cur" ) ) COMPREPLY=( $( compgen -W 'dockerfile system ' -- "$cur" ) )
;; ;;
show) show)
COMPREPLY=( $( compgen -W 'help version ' -- "$cur" ) ) COMPREPLY=( $( compgen -W 'categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir ' -- "$cur" ) )
;; ;;
# Related items to show (lynis show XYZ)
categories)
return 0
;;
changelog)
return 0
;;
commands)
return 0
;;
dbdir)
return 0
;;
details)
local dbfile=""
local dirs="/data/development/lynis /usr/local/lynis /usr/share/lynis"
for d in ${dirs}; do
if [ -f "${d}/db/tests.db" ]; then
local dbfile="/data/development/lynis/db/tests.db"
fi
done
if [ -f "${dbfile}" ]; then
local suggestions=($(compgen -W "$(awk -F: '$1 ~ /^[A-Z]/ {print $1}' ${dbfile})" -- "${cur}"))
COMPREPLY=("${suggestions[@]}")
else
COMPREPLY=($(compgen -W "TEST-1234" -- "$cur"))
fi
;;
environment)
return 0
;;
eol)
return 0
;;
groups)
return 0
;;
help)
return 0
;;
hostids)
if [ "${COMP_WORDS[1]}" = "generate" -a "${COMP_WORDS[2]}" = "hostids" ]; then
COMPREPLY=($(compgen -W "save" -- "$cur"))
else
return 0
fi
;;
includedir)
return 0
;;
language)
return 0
;;
license)
return 0
;;
logfile)
return 0
;;
man)
return 0
;;
options)
return 0
;;
os)
return 0
;;
pidfile)
return 0
;;
plugindir)
return 0
;;
profiles)
return 0
;;
release)
return 0
;;
releasedate)
return 0
;;
report)
return 0
;;
settiings)
return 0
;;
tests)
return 0
;;
version)
return 0
;;
workdir)
return 0
;;
generate)
COMPREPLY=( $( compgen -W 'hostids ' -- "$cur" ) )
;;
# Options
--auditor) --auditor)
COMPREPLY=( '"Mr. Auditor"' ) COMPREPLY=( '"Mr. Auditor"' )
return 0 #return 0
;; ;;
--check-update|--help|--info|--version) --check-update|--help|--info|--version)
# all other options are noop with this command # all other options are noop with this command
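Review bot: In the `details)` branch the loop over `${dirs}` tests `${d}/db/tests.db` but then assigns the hard-coded path `/data/development/lynis/db/tests.db` instead of `${d}/db/tests.db`, so the completion only works on a developer checkout and silently falls back to "TEST-1234" on /usr/local/lynis or /usr/share/lynis installs; use `local dbfile="${d}/db/tests.db"` and `break` after the first hit. Two smaller points in the same hunk: the case label `settiings)` is misspelled, so `lynis show settings` never reaches its branch, and the long run of identical `categories) return 0 ;;` ... `workdir) return 0 ;;` arms can be collapsed into one pattern (`categories|changelog|commands|...) return 0 ;;`), which also makes the typo harder to repeat. The commented-out `#return 0` under `--auditor` should either be restored or removed.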
@ -69,7 +179,7 @@ _lynis()
*) *)
COMPREPLY=( $( compgen -W ' \ COMPREPLY=( $( compgen -W ' \
--auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \ --auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \
--tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) ) --tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) )
;; ;;
esac esac
@ -55,23 +55,20 @@
# Functions: # Functions:
# Clean temporary files up # Clean temporary files up
CleanUp() CleanUp() {
{
if [ ! "${TMPDIR}" = "" -a -d "${TMPDIR}" ]; then if [ ! "${TMPDIR}" = "" -a -d "${TMPDIR}" ]; then
rm -rf ${TMPDIR} rm -rf ${TMPDIR}
fi fi
} }
Exit() Exit() {
{
CleanUp CleanUp
exit 0 exit 0
} }
ExitFatal() ExitFatal() {
{
CleanUp CleanUp
exit 1 exit 1
} }
# #
######################################################################### #########################################################################
# #
@ -95,7 +92,7 @@
if [ ! -d ${MYWORKDIR} ]; then if [ ! -d ${MYWORKDIR} ]; then
echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)" echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)"
ExitFatal ExitFatal
else else
echo "[=] workdir: ${MYWORKDIR}" echo "[=] workdir: ${MYWORKDIR}"
fi fi
@ -105,7 +102,7 @@
echo "[X] ${MYBUILDDIR} not found" echo "[X] ${MYBUILDDIR} not found"
echo " Hint: create it with mkdir ${MYBUILDDIR}" echo " Hint: create it with mkdir ${MYBUILDDIR}"
ExitFatal ExitFatal
else else
echo "[=] builddir: ${MYBUILDDIR}" echo "[=] builddir: ${MYBUILDDIR}"
fi fi
@ -129,7 +126,7 @@
GITBUILDPACKAGEBINARY=$(which git-buildpackage) GITBUILDPACKAGEBINARY=$(which git-buildpackage)
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}" echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else else
echo "[X] Can not find git-buildpackage binary" echo "[X] Can not find git-buildpackage binary"
echo " Hint: install git-buildpackage" echo " Hint: install git-buildpackage"
ExitFatal ExitFatal
@ -138,7 +135,7 @@
RPMBUILDBINARY=$(which rpmbuild) RPMBUILDBINARY=$(which rpmbuild)
if [ ! "${RPMBUILDBINARY}" = "" ]; then if [ ! "${RPMBUILDBINARY}" = "" ]; then
echo "[=] rpmbuild = ${RPMBUILDBINARY}" echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else else
echo "[X] Can not find rpmbuild binary" echo "[X] Can not find rpmbuild binary"
echo " Hint: install rpmbuild" echo " Hint: install rpmbuild"
ExitFatal ExitFatal
@ -149,7 +146,7 @@
umask ${OPTION_UMASK} umask ${OPTION_UMASK}
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "[V] Setting umask to ${OPTION_UMASK}" echo "[V] Setting umask to ${OPTION_UMASK}"
else else
echo "[X] Could not set umask" echo "[X] Could not set umask"
ExitFatal ExitFatal
fi fi
@ -157,7 +154,7 @@
# Check if we are in dev directory # Check if we are in dev directory
if [ -f ../lynis -a -f ./build-lynis.sh ]; then if [ -f ../lynis -a -f ./build-lynis.sh ]; then
echo "[V] Active in proper directory" echo "[V] Active in proper directory"
else else
echo "[X] This script should be executed from dev directory itself" echo "[X] This script should be executed from dev directory itself"
ExitFatal ExitFatal
fi fi
@ -172,7 +169,7 @@
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "[V] Creating temporary build directory" echo "[V] Creating temporary build directory"
#echo " BUILDROOT: ${TMPDIR}" #echo " BUILDROOT: ${TMPDIR}"
else else
echo "[X] Could not create temporary build directory" echo "[X] Could not create temporary build directory"
ExitFatal ExitFatal
fi fi
@ -192,11 +189,11 @@
if [ -f ${TARBALL} ]; then if [ -f ${TARBALL} ]; then
echo "Tarball already exists for this version, not overwriting it" echo "Tarball already exists for this version, not overwriting it"
else else
tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null
if [ -f ${TARBALL} ]; then if [ -f ${TARBALL} ]; then
echo "[V] Tarball created" echo "[V] Tarball created"
else else
echo "[X] Tarball ${TARBALL} could not be created" echo "[X] Tarball ${TARBALL} could not be created"
ExitFatal ExitFatal
fi fi
@ -220,7 +217,7 @@
fi fi
echo "[*] Start RPM building" echo "[*] Start RPM building"
#${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null #${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null
else else
echo "[X] lynis.spec not found" echo "[X] lynis.spec not found"
ExitFatal ExitFatal
fi fi
@ -228,12 +225,12 @@
RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm" RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm"
if [ -f ${RPMFILE} ]; then if [ -f ${RPMFILE} ]; then
echo "[V] Building RPM successful!" echo "[V] Building RPM successful!"
else else
echo "[X] Could not find RPM file, most likely failed" echo "[X] Could not find RPM file, most likely failed"
echo " Expected: ${RPMFILE}" echo " Expected: ${RPMFILE}"
ExitFatal ExitFatal
fi fi
else else
echo "[X] Could not find source file (${SOURCEFILE_RPM})" echo "[X] Could not find source file (${SOURCEFILE_RPM})"
echo " Hint: cp <lynis.tar.gz> ${SOURCEFILE_RPM}" echo " Hint: cp <lynis.tar.gz> ${SOURCEFILE_RPM}"
#ExitFatal #ExitFatal
@ -246,7 +243,7 @@
DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }') DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
echo "[V] Debian/changelog up-to-date" echo "[V] Debian/changelog up-to-date"
else else
echo "[X] Debian/changelog outdated" echo "[X] Debian/changelog outdated"
ExitFatal ExitFatal
fi fi
@ -260,17 +257,17 @@
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})" # echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
# if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then # if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
# echo "[V] Debian/changelog up-to-date" # echo "[V] Debian/changelog up-to-date"
# else # else
# echo "[X] Debian/changelog outdated" # echo "[X] Debian/changelog outdated"
## ExitFatal ## ExitFatal
# fi # fi
# # execute command # # execute command
# # bzr builddeb . --build-dir ${DEBWORKDIR}/build-area/ --result-dir ${DEBWORKDIR} # # bzr builddeb . --build-dir ${DEBWORKDIR}/build-area/ --result-dir ${DEBWORKDIR}
# elif [ "${BZRSTATUS}" = "3" ]; then # elif [ "${BZRSTATUS}" = "3" ]; then
# echo "[X] Tree is not initialized for BZR" # echo "[X] Tree is not initialized for BZR"
# echo " Hint: run bzr init while being in lynis directory (or bzr init ..)" # echo " Hint: run bzr init while being in lynis directory (or bzr init ..)"
# ExitFatal # ExitFatal
# else # else
# echo "[X] Unknown error" # echo "[X] Unknown error"
# echo "Output: ${BZRSTATUS}" # echo "Output: ${BZRSTATUS}"
# fi # fi
@ -284,6 +281,7 @@
rm -rf ${MYBUILDDIR}/git/Lynis rm -rf ${MYBUILDDIR}/git/Lynis
#git checkout tags/${LYNIS_VERSION} #git checkout tags/${LYNIS_VERSION}
fi fi
git clone https://github.com/CISOfy/Lynis.git ${MYBUILDDIR}/git/Lynis git clone https://github.com/CISOfy/Lynis.git ${MYBUILDDIR}/git/Lynis
if [ -d ${MYBUILDDIR}/git/Lynis/debian/ ]; then if [ -d ${MYBUILDDIR}/git/Lynis/debian/ ]; then
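Review bot: the clone still takes HEAD of https://github.com/CISOfy/Lynis.git with no checkout of the release tag (`#git checkout tags/${LYNIS_VERSION}` stays commented out), so the Debian packaging used for a release build comes from whatever master holds at build time rather than from the version being released. Suggest `git clone --branch "${LYNIS_VERSION}" ...` or re-enabling the checkout right after the clone, and calling `ExitFatal` when the clone itself fails, since the `if [ -d ${MYBUILDDIR}/git/Lynis/debian/ ]` that follows only reports a missing directory.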
@ -292,7 +290,7 @@
cd ${MYBUILDDIR}/git/Lynis/debian/ cd ${MYBUILDDIR}/git/Lynis/debian/
git add . git add .
git commit -m "Building process for Lynis release version ${LYNIS_VERSION}" git commit -m "Building process for Lynis release version ${LYNIS_VERSION}"
else else
echo "[X] Could not copy debian directory and commit changes" echo "[X] Could not copy debian directory and commit changes"
fi fi
#git tag -l ${MYBUILDDIR}/git/Lynis #git tag -l ${MYBUILDDIR}/git/Lynis
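Review bot: the result of `cd ${MYBUILDDIR}/git/Lynis/debian/` is not checked, so if that directory is missing `git add .` and `git commit` run in whatever the current directory is and commit unrelated files into the wrong tree; suggest `cd "${MYBUILDDIR}/git/Lynis/debian/" || ExitFatal`. The else branch only echoes "[X] Could not copy debian directory and commit changes" without `ExitFatal`, so the script continues with a broken debian directory.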
@ -346,7 +344,7 @@ Exit
FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?) FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)
if [ $FIND -eq 0 ]; then if [ $FIND -eq 0 ]; then
echo "OK" echo "OK"
else else
echo "BAD" echo "BAD"
fi fi
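Review bot: `FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)` leaves the file name unquoted and captures anything `sh -n` writes to stdout together with the exit status, so `[ $FIND -eq 0 ]` fails with an "integer expression expected" error whenever the path contains spaces or the shell prints something. Suggest `if sh -n "${OPTION_BINARY_FILE}"; then echo "OK"; else echo "BAD"; fi`, which also drops the `$?` juggling.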


@ -5,19 +5,26 @@
################################################################################# #################################################################################
# #
# - Adjust path to link to location where Lynis binary is installed # - Adjust path to link to location where Lynis binary is installed
# - Place this file together with the timer file in systemd directory #
# - Run: systemctl enable lynis.service # - Place this file together with the lynis.timer file in the related
# systemd directory (e.g. /etc/systemd/system/)
#
# - See details in lynis.timer file
# #
################################################################################# #################################################################################
[Unit] [Unit]
Description=Lynis security audit and vulnerability scan Description=Security audit and vulnerability scanner
Documentation=https://cisofy.com/docs/
[Service] [Service]
Nice=19 Nice=19
IOSchedulingClass=best-effort IOSchedulingClass=best-effort
IOSchedulingPriority=7 IOSchedulingPriority=7
Type=simple Type=simple
ExecStart=/path/to/lynis -c --cronjob ExecStart=/path/to/lynis audit system --cronjob
[Install]
WantedBy=multi-user.target
#EOF #EOF
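Review bot: the new `[Install]` section with `WantedBy=multi-user.target` makes `systemctl enable lynis.service` start a full audit on every boot, while the header comment (and lynis.timer) say that only the timer should be enabled. For a timer-activated unit the `[Install]` section can be dropped entirely; if it stays, `Type=oneshot` fits a run-to-completion audit better than `Type=simple`, so the timer and `systemctl status` report the run as finished instead of as a started service. The switch from `-c --cronjob` to `audit system --cronjob` matches the current command syntax.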


@ -4,17 +4,23 @@
# #
################################################################################# #################################################################################
# #
# - Place this file together with the service file in systemd directory # - Place this file together with the lynis.service file in the related
# - Run: systemctl enable lynis.timer # systemd directory (e.g. /etc/systemd/system)
# systemctl start lynis.service #
# - Tell systemd you made changes
# systemctl daemon-reload
#
# - Enable and start the timer (so no reboot is needed):
# systemctl enable --now lynis.timer
# #
################################################################################# #################################################################################
[Unit] [Unit]
Description=Daily run for Lynis security audit and vulnerability scan Description=Daily timer for the Lynis security audit and vulnerability scanner
[Timer] [Timer]
OnCalendar=daily OnCalendar=daily
RandomizedDelaySec=1800
Persistent=false Persistent=false
[Install] [Install]
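Review bot: `Persistent=false` means a daily run that was missed because the host was down at the scheduled time is skipped rather than caught up at next boot; for a scheduled security audit `Persistent=true` is usually what operators expect, so either flip it or document the choice in the header. `RandomizedDelaySec=1800` is a sensible addition for fleets, and the new comment block correctly pairs `systemctl daemon-reload` with `systemctl enable --now lynis.timer`.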


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -42,28 +42,54 @@
Display --indent 2 --text "- Checking system binaries..." Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..." LogText "Status: Starting binary scan..."
# Test if our PATH variable provides a set of paths # Notes:
# If so, reverse the order. If we discover the same binary multiple times, the one first in PATH # - If PATH is empty, we use the predefined list in include/consts
# should be used. # - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives.
# If PATH is empty, we use the predefined list in include/consts. Common paths first, then followed # - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary)
# by more specific paths. This helps on the slightly ancient UNIX derivatives.
if [ ! -z "${PATH}" ]; then # Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') # multiple times, the one first in PATH should be used.
BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ') if [ -n "${PATH}" ]; then
PATH_REVERSED=$(echo "${PATH}" | sed 's/ /!!space!!/g' | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
fi fi
# Avoid sorting, as this might result in incorrect order of finding binaries (e.g. awk binary) # First test available locations that may be suspicious or dangerous
#SORTED_BIN_PATHS=$(echo ${BIN_PATHS} | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
for SCANDIR in ${BIN_PATHS}; do for SCANDIR in ${BIN_PATHS}; do
FOUND=0
if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH"
elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH"
elif echo "${SCANDIR}" | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) in PATH"
elif echo "${SCANDIR}" | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH"
fi
if [ ${FOUND} -eq 1 ]; then
# Stop execution if privileged, otherwise continue but warn user
if [ ${PRIVILEGED} -eq 1 ]; then
ExitFatal "Suspicious location (${SCANDIR}) in PATH discovered. Quitting..."
else
Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH"
ReportWarning "${TEST_NO}" "Suspicious location in PATH discovered" "text:${MSG}"
sleep 1
fi
fi
done
NSUID_BINARIES=0
NSGID_BINARIES=0
SUID_BINARIES=
SGID_BINARIES=
# Now perform binary detection
for SCANDIR in ${BIN_PATHS}; do
SCANDIR=$(echo "${SCANDIR}" | sed 's/!!space!!/ /g')
LogText "Test: Checking binaries in directory ${SCANDIR}" LogText "Test: Checking binaries in directory ${SCANDIR}"
ORGPATH="" ORGPATH=""
if [ -d ${SCANDIR} ]; then if [ -d "${SCANDIR}" ]; then
SKIPDIR=0 SKIPDIR=0
if [ -L ${SCANDIR} ]; then if [ -L "${SCANDIR}" ]; then
LogText "Result: directory exists, but is actually a symlink" LogText "Result: directory exists, but is actually a symlink"
ShowSymlinkPath ${SCANDIR} ShowSymlinkPath ${SCANDIR}
if [ ${FOUNDPATH} -eq 1 ]; then if [ ${FOUNDPATH} -eq 1 ]; then
if [ ! -z "${SYMLINK}" -a -d ${SYMLINK} ]; then if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then
# Set path to new location # Set path to new location
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})" LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}" ORGPATH="${SCANDIR}"
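Review bot: when PATH is set, `BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')` now replaces the predefined BIN_PATHS list instead of appending it as the removed line did, so directories such as /usr/sbin or /usr/local/sbin that are absent from an unprivileged user's PATH are no longer scanned and binaries like auditctl, iptables or sestatus go undetected; the note above ("If PATH is empty, we use the predefined list") no longer describes the behaviour, so either restore `"${PATH_REVERSED} ${BIN_PATHS}"` or update the comment. Second, the suspicious-location loop never sees empty PATH entries (a leading or trailing `:` or `::`, which also mean the current directory) because `tr ':' ' '` collapses them, and `grep '^[a-zA-Z]'` misses relative entries that start with a digit, `_` or `~`; a `case "${SCANDIR}" in /*) ;; *) FOUND=1 ;; esac` plus an explicit test for empty fields in the original PATH would cover these. `ShowSymlinkPath ${SCANDIR}` also stays unquoted right after the `sed 's/!!space!!/ /g'` line restores spaces into SCANDIR.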
@ -79,7 +105,7 @@
# Add a space to make sure we discover a related directory if it was already scanned # Add a space to make sure we discover a related directory if it was already scanned
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl # The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/") FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned" SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
fi fi
@ -88,33 +114,46 @@
LogText "Directory ${SCANDIR} exists. Starting directory scanning..." LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
# Show the contents of the directory with binaries, ignore directories # Show the contents of the directory with binaries, ignore directories
FIND=$(ls -p ${SCANDIR} | grep -v '/$') FIND=$(ls -p "${SCANDIR}" | grep -v '/$')
for FILENAME in ${FIND}; do for FILENAME in ${FIND}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}" BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
if [ -u ${BINARY} ]; then
NSUID_BINARIES=$((NSUID_BINARIES + 1))
SUID_BINARIES="${SUID_BINARIES}${BINARY} "
fi
if [ -g ${BINARY} ]; then
NSGID_BINARIES=$((NSGID_BINARIES + 1))
SGID_BINARIES="${SGID_BINARIES}${BINARY} "
fi
# Optimized, much quicker (limited file access needed) # Optimized, much quicker (limited file access needed)
case ${FILENAME} in case ${FILENAME} in
aa-status) AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; aa-status) AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;; afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
dig) DIGBINARY=${BINARY}; LogText " Found known binary: dig (nameservice tool) - ${BINARY}" ;;
as) ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: as (compiler) - ${BINARY}" ;; as) ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;; autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;; base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
bro) BROBINARY="${BINARY}"; LogText " Found known binary: bro (IDS) - ${BINARY}" ;;
cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;; cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;; clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;;
clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;;
csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser, download utility) - ${BINARY}" ;; curl) CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser, download utility) - ${BINARY}" ;;
cut) CUTBINARY="${BINARY}"; LogText " Found known binary: cut (text stream editor) - ${BINARY}" ;; cut) CUTBINARY="${BINARY}"; LogText " Found known binary: cut (text stream editor) - ${BINARY}" ;;
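Review bot: `BLKDBINARY` is renamed to `BLKIDBINARY` in this hunk; any test that still reads `BLKDBINARY` will silently see an empty variable, so grep the other includes and tests for the old name in the same change. The new SUID/SGID checks `[ -u ${BINARY} ]` and `[ -g ${BINARY} ]` leave BINARY unquoted although this change just added support for PATH directories containing spaces (and `for FILENAME in ${FIND}` splits on whitespace too); quote them as `"${BINARY}"`. Note also that `-u` and `-g` follow symlinks, so a symlink in a PATH directory pointing at a setuid binary elsewhere is counted against that directory.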
@ -127,8 +166,11 @@
docker) DOCKERBINARY="${BINARY}"; LogText " Found known binary: docker (container technology) - ${BINARY}" ;; docker) DOCKERBINARY="${BINARY}"; LogText " Found known binary: docker (container technology) - ${BINARY}" ;;
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;; file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
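Review bot: the log text for `equery` reads "query (package manager)"; it should name the binary, e.g. "equery (Gentoo package query tool)". `xbps-query` is inserted between `dpkg` and `egrep` while the rest of the case list is alphabetical; move it to its alphabetical position so the list stays scannable.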
@ -146,6 +188,7 @@
httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;; initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;; ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;; ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;; ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;; iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
@ -159,14 +202,24 @@
logrotate) LOGROTATEBINARY="${BINARY}"; LogText " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;; logrotate) LOGROTATEBINARY="${BINARY}"; LogText " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
ls) LSBINARY="${BINARY}"; LogText " Found known binary: ls (file listing) - ${BINARY}" ;; ls) LSBINARY="${BINARY}"; LogText " Found known binary: ls (file listing) - ${BINARY}" ;;
lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsblk) LSBLKBINARY="${BINARY}"; LogText " Found known binary: lsblk (block devices) - ${BINARY}" ;;
lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; lsof)
lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; LSOFBINARY="${BINARY}"
LogText " Found known binary: lsof (open files) - ${BINARY}"
DATA=$(${LSOFBINARY} -h 2>&1 | grep "\-K \[i\] list\|\(i\)gn tasKs")
if [ $? -eq 0 ]; then
LogText "Note: added -K i to ignore tasks on Linux"
LSOF_EXTRA_OPTIONS=" -K i"
fi
;;
lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;; lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;; md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;; md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
mdatp) MDATPBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;; modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;; mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;;
mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;; mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
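Review bot: `LVSGBINARY` becomes `LSVGBINARY` (typo fix); make sure the tests that consume it are updated in this PR, otherwise they see an empty variable. In the lsof block `DATA` is assigned but never used, and relying on `$?` after the assignment is fragile to later edits; `if ${LSOFBINARY} -h 2>&1 | grep -q '\-K \[i\] list\|\(i\)gn tasKs'; then` says the same thing directly. This block also executes the discovered lsof during detection, consistent with the curl, exim and nmap entries, which is why the suspicious-PATH check earlier in this file matters.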
@ -175,15 +228,22 @@
netstat) NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;; netstat) NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
nft) NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;; nft) NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
nmap) NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;; nmap) NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
ntpctl) NTPCTLBINARY="${BINARY}"; LogText " Found known binary: ntpctl (openntpd client) - ${BINARY}" ;;
ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;; ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;; osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;; openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;; pacman)
if [ -z "$(echo "${BINARY}" | grep -E "/usr(/local)?/games")" ]; then
PACMANBINARY="${BINARY}"
LogText " Found known binary: pacman (package manager) - ${BINARY}"
fi
;;
perl) PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;; perl) PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
pgrep) PGREPBINARY="${BINARY}"; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;; pgrep) PGREPBINARY="${BINARY}"; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;;
php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;; php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg) PKG_BINARY="${BINARY}"; LogText " Found known binary: pkg (software package administration) - ${BINARY}" ;; pkg) PKG_BINARY="${BINARY}"; LogText " Found known binary: pkg (software package administration) - ${BINARY}" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; LogText " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; LogText " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
pkg_info) PKGINFOBINARY="${BINARY}"; LogText " Found known binary: pkg_info (software package information) - ${BINARY}" ;;
postconf) POSTCONFBINARY="${BINARY}"; LogText " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postconf) POSTCONFBINARY="${BINARY}"; LogText " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXBINARY="${BINARY}"; LogText " Found known binary: postfix (postfix binary) - ${BINARY}" ;; postfix) POSTFIXBINARY="${BINARY}"; LogText " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
prelink) PRELINKBINARY="${BINARY}"; LogText " Found known binary: prelink (system optimizer) - ${BINARY}" ;; prelink) PRELINKBINARY="${BINARY}"; LogText " Found known binary: prelink (system optimizer) - ${BINARY}" ;;
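Review bot: the pacman exclusion is purely path-based (`/usr(/local)?/games`), so a `pacman` found in any other PATH directory is still assumed to be the Arch package manager; if that is acceptable, say so in a comment. `if [ -z "$(echo "${BINARY}" | grep -E "...")" ]` can be written as `if ! echo "${BINARY}" | grep -Eq "/usr(/local)?/games"; then`, avoiding the subshell and the empty-string test.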
@ -194,7 +254,9 @@
python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;; python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;; python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;;
readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
resolvectl) RESOLVECTLBINARY="${BINARY}"; LogText " Found known binary: resolvectl (systemd-resolved DNS resolver manager) - ${BINARY}" ;;
rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
rpcinfo) RPCINFOBINARY="${BINARY}"; LogText " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;; rpcinfo) RPCINFOBINARY="${BINARY}"; LogText " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
@ -205,7 +267,8 @@
samhain) SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;; samhain) SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
service) SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;; service) SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
sed) SEDBINARY="${BINARY}"; LogText " Found known binary: sed (text stream editor) - ${BINARY}" ;; sed) SEDBINARY="${BINARY}"; LogText " Found known binary: sed (text stream editor) - ${BINARY}" ;;
sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;; semanage) SEMANAGEBINARY="${BINARY}"; LogText " Found known binary: semanage (SELinux policy management tool) - ${BINARY}" ;;
sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux status tool) - ${BINARY}" ;;
slocate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;; slocate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
smbd) SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;; smbd) SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;; smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
@ -221,17 +284,24 @@
sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;; sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;; sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;; ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;;
swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;;
sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
systemd-analyze) SYSTEMDANALYZEBINARY="${BINARY}"; LogText " Found known binary: systemd-analyze (systemd service analysis tool) - ${BINARY}" ;;
tail) TAILBINARY="${BINARY}"; LogText " Found known binary: tail (text filter) - ${BINARY}" ;;
timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;; tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;;
tomoyo-pstree) TOMOYOPSTREEBINARY=${BINARY}; LogText " Found known binary: tomoyo-pstree (tomoyo process tree) - ${BINARY}" ;;
tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;; tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;; tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;;
tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;; tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;; uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";; uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;; usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;; vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;; vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;; wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
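Review bot: the new `tomoyo-pstree` entry assigns `TOMOYOPSTREEBINARY=${BINARY}` without the double quotes that every other entry added in this hunk uses (`SURICATABINARY="${BINARY}"`, `TAILBINARY="${BINARY}"`, `VERITYSETUPBINARY="${BINARY}"`); it copies the unquoted form of the adjacent, pre-existing `tomoyo-init` line, so both would break on a path containing whitespace. Suggest `TOMOYOPSTREEBINARY="${BINARY}"` and, while here, `TOMOYOINITBINARY="${BINARY}"`.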
@ -244,23 +314,54 @@
done done
else else
LogText "Result: Directory ${SCANDIR} skipped" LogText "Result: Directory ${SCANDIR} skipped"
if [ ! -z "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi fi
else else
LogText "Result: Directory ${SCANDIR} does NOT exist" LogText "Result: Directory ${SCANDIR} does NOT exist"
fi fi
done done
# unset SORTED_BIN_PATHS # unset SORTED_BIN_PATHS
BINARY_SCAN_FINISHED=1 BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g') BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/, /,/g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}" LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
LogText "Result: found ${COUNT} binaries" LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid"
LogText "Result: set-uid binaries: ${SUID_BINARIES}"
LogText "Result: set-gid binaries: ${SGID_BINARIES}"
Report "binaries_count=${COUNT}" Report "binaries_count=${COUNT}"
Report "binaries_suid_count=${SUID_BINARIES}"
Report "binaries_sgid_count=${SGID_BINARIES}"
Report "binary_paths=${BINARY_PATHS_FOUND}" Report "binary_paths=${BINARY_PATHS_FOUND}"
# Test if the basic system tools are defined. These will be used during the audit.
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
[ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
[ "${TAILBINARY:-}" ] || ExitFatal "tail binary not found"
[ "${LSBINARY:-}" ] || ExitFatal "ls binary not found"
[ "${PSBINARY:-}" ] || ExitFatal "ps binary not found"
[ "${SEDBINARY:-}" ] || ExitFatal "sed binary not found"
[ "${SORTBINARY:-}" ] || ExitFatal "sort binary not found"
[ "${TRBINARY:-}" ] || ExitFatal "tr binary not found"
[ "${UNIQBINARY:-}" ] || ExitFatal "uniq binary not found"
[ "${WCBINARY:-}" ] || ExitFatal "wc binary not found"
# Test a few other tools that we did not specifically define (yet)
#TOOLS="xxd"
#for T in ${TOOLS}; do
# DATA=$(type ${T})
# if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi
#done
else else
LogText "Result: checking of binaries skipped in this mode" LogText "Result: checking of binaries skipped in this mode"
fi fi
# #
#================================================================================ #================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
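Review bot: in the new sanity checks, `[ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"` reports a missing egrep as a missing grep, so the user cannot tell which one to install; use `ExitFatal "egrep binary not found"`. Two more points in the same hunk: the report lines `Report "binaries_suid_count=${SUID_BINARIES}"` and `Report "binaries_sgid_count=${SGID_BINARIES}"` use different variables from the counts logged a few lines above (`${NSUID_BINARIES}` and `${NSGID_BINARIES}`), while `LogText "Result: set-uid binaries: ${SUID_BINARIES}"` reads as if that variable holds the list of paths; please confirm which variable is the numeric count so a `_count` key does not end up carrying a path list. Finally, the commented-out `TOOLS="xxd"` loop is dead code introduced by this change; either finish it or leave it out.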

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
ETC_PATHS="/etc /usr/local/etc" ETC_PATHS="/etc /usr/local/etc"
# Do not use specific language, fall back to default
# Some tools with translated strings are very hard to parse
unset LANG
# #
################################################################################# #################################################################################
# #
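Review bot: removing `unset LANG` together with its explanatory comment ("Some tools with translated strings are very hard to parse") re-exposes every `grep`/`awk` pattern in the audit to localized tool output, for instance the `grep "^Version"` used to read the smbd version, unless the locale is now forced somewhere else before these includes are sourced. Please point to where that happens in this change, or keep the unset here; a translated header line silently turns a detection into a miss rather than a visible error.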
@ -46,6 +42,7 @@ unset LANG
# #
# == Variable initializing == # == Variable initializing ==
# #
APTBINARY=""
ARCH_AUDIT_BINARY="" ARCH_AUDIT_BINARY=""
AUDITORNAME="" AUDITORNAME=""
AUDITCTLBINARY="" AUDITCTLBINARY=""
@ -70,6 +67,7 @@ unset LANG
CHKCONFIGBINARY="" CHKCONFIGBINARY=""
CLAMCONF_BINARY="" CLAMCONF_BINARY=""
CLAMSCANBINARY="" CLAMSCANBINARY=""
CLANGBINARY=""
COLORS=1 COLORS=1
COMPLIANCE_ENABLE_CIS=0 COMPLIANCE_ENABLE_CIS=0
COMPLIANCE_ENABLE_HIPAA=0 COMPLIANCE_ENABLE_HIPAA=0
@ -84,6 +82,7 @@ unset LANG
CONTAINER_TYPE="" CONTAINER_TYPE=""
CREATE_REPORT_FILE=1 CREATE_REPORT_FILE=1
CSUMBINARY="" CSUMBINARY=""
CURRENT_TS=0
CUSTOM_URL_APPEND="" CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND="" CUSTOM_URL_PREPEND=""
CUSTOM_URL_PROTOCOL="" CUSTOM_URL_PROTOCOL=""
@ -94,19 +93,26 @@ unset LANG
DEBSECANBINARY="" DEBSECANBINARY=""
DEBSUMSBINARY="" DEBSUMSBINARY=""
DEVELOPER_MODE=0 DEVELOPER_MODE=0
DEVOPS_MODE=0
DIGBINARY=""
DISABLED_PLUGINS=""
DISCOVERED_BINARIES="" DISCOVERED_BINARIES=""
DMIDECODEBINARY="" DMIDECODEBINARY=""
DNFBINARY="" DNFBINARY=""
DOCKERBINARY="" DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0 DOCKER_DAEMON_RUNNING=0
DPKGBINARY=""
ECHOCMD="" ECHOCMD=""
ERROR_ON_WARNINGS=0 ERROR_ON_WARNINGS=0
EQUERYBINARY=""
EXIMBINARY=""
FAIL2BANBINARY="" FAIL2BANBINARY=""
FILEBINARY="" FILEBINARY=""
FILEVALUE="" FILEVALUE=""
FIND="" FIND=""
FIREWALL_ACTIVE=0 FIREWALL_ACTIVE=0
FOUNDPATH=0 FOUNDPATH=0
FORENSICS_MODE=0
GETENT_BINARY="" GETENT_BINARY=""
GRADMBINARY="" GRADMBINARY=""
GREPBINARY="grep" GREPBINARY="grep"
@ -115,6 +121,7 @@ unset LANG
GRSEC_FOUND=0 GRSEC_FOUND=0
GRUBCONFFILE="" GRUBCONFFILE=""
GRUB2INSTALLBINARY="" GRUB2INSTALLBINARY=""
HAS_PACKAGE_MANAGER=0
HAS_SYSTEMD=0 HAS_SYSTEMD=0
HEADBINARY="" HEADBINARY=""
HELPER="" HELPER=""
@ -122,6 +129,7 @@ unset LANG
HOSTID2="" HOSTID2=""
HTTPDBINARY="" HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0 IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY=""
IPBINARY="" IPBINARY=""
IPFBINARY="" IPFBINARY=""
IPTABLESBINARY="" IPTABLESBINARY=""
@ -129,16 +137,22 @@ unset LANG
KLDSTATBINARY="" KLDSTATBINARY=""
LAUNCHCTL_BINARY="" LAUNCHCTL_BINARY=""
LDAP_CLIENT_CONFIG_FILE="" LDAP_CLIENT_CONFIG_FILE=""
LICENSE_KEY=""
LICENSE_SERVER="" LICENSE_SERVER=""
LINUX_VERSION="" LINUX_VERSION=""
LINUXCONFIGFILE="" LINUXCONFIGFILE=""
LMDBINARY="" LMDBINARY=""
LMDFOUND=0 LMDFOUND=0
LOCATEBINARY=""
LOGFILE="" LOGFILE=""
LOGDIR="" LOGDIR=""
LOGROTATEBINARY=""
LOGTEXT=1 LOGTEXT=1
LSMODBINARY="" LSMODBINARY=""
LSOFBINARY=""
LSOF_EXTRA_OPTIONS=""
LSVGBINARY="" LSVGBINARY=""
LYNIS_CRONJOB=""
MACHINEID="" MACHINEID=""
MACHINE_ROLE="" MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
@ -179,6 +193,7 @@ unset LANG
NGINX_WEAK_SSL_PROTOCOL_FOUND=0 NGINX_WEAK_SSL_PROTOCOL_FOUND=0
NTPD_ROLE="" NTPD_ROLE=""
NTPQBINARY="" NTPQBINARY=""
OPENSSLBINARY=""
OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=0 OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=0
OPTIONS_CONN_MAX_WAIT_STATE="" OPTIONS_CONN_MAX_WAIT_STATE=""
ORACLE_RUNNING=0 ORACLE_RUNNING=0
@ -204,12 +219,14 @@ unset LANG
PGREPBINARY="" PGREPBINARY=""
PIDFILE="" PIDFILE=""
PKG_BINARY="" PKG_BINARY=""
PKGINFOBINARY=""
PKGADMINBINARY="" PKGADMINBINARY=""
PLUGINDIR="" PLUGINDIR=""
PLUGIN_PHASE=0 PLUGIN_PHASE=0
POSTFIXBINARY="" POSTFIXBINARY=""
POSTGRES_RUNNING=0 POSTGRES_RUNNING=0
PRIVILEGED=0 PREVIOUS_TEST="No test ID"
PREVIOUS_TS=0
PROFILES="" PROFILES=""
PROFILEVALUE="" PROFILEVALUE=""
PSBINARY="ps" PSBINARY="ps"
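Review bot: the `PRIVILEGED=0` default disappears on the line that introduces `PREVIOUS_TEST="No test ID"`, and nothing else in this hunk re-initializes `PRIVILEGED`. If the variable is still tested anywhere it is now unset at startup, which a numeric comparison on it would reject under strict shell settings. Either keep `PRIVILEGED=0` in this list or state in the PR description that the last reference to it was removed.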
@ -234,12 +251,15 @@ unset LANG
SAMHAINBINARY="" SAMHAINBINARY=""
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SEARCH_PROFILES="" SEARCH_PROFILES=""
SEARCH_VERSION=""
SESTATUSBINARY="" SESTATUSBINARY=""
SERVICE_MANAGER="" SERVICE_MANAGER=""
SETBINARY="" SETBINARY=""
SETTINGS="" SETTINGS=""
SETTINGS_FILE="" SETTINGS_FILE=""
SET_STRICT=0 SET_STRICT=0
SHA1SUMBINARY=""
SHA256SUMBINARY=""
SHELL_IS_BUSYBOX=0 SHELL_IS_BUSYBOX=0
SHOWMOUNTBINARY="" SHOWMOUNTBINARY=""
SHOW_PROGRAM_DETAILS=1 SHOW_PROGRAM_DETAILS=1
@ -247,16 +267,22 @@ unset LANG
SHOW_REPORT_SOLUTION=1 SHOW_REPORT_SOLUTION=1
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SHOW_WARNINGS_ONLY=0 SHOW_WARNINGS_ONLY=0
SKIP_GETHOSTID=0
SKIP_PLUGINS=0 SKIP_PLUGINS=0
SKIP_TESTS="" SKIP_TESTS=""
SKIP_VM_DETECTION=0
SKIPREASON="" SKIPREASON=""
SKIPPED_TESTS_ROOTONLY="" SKIPPED_TESTS_ROOTONLY=""
SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY="" SMTPCTLBINARY=""
SNORTBINARY="" SNORTBINARY=""
SSHKEYSCANBINARY="" SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0 SSHKEYSCANFOUND=0
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
SSL_CERTIFICATE_PATHS="" SSL_CERTIFICATE_PATHS=""
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
STUNNELBINARY="" STUNNELBINARY=""
SWUPDBINARY=""
SYSLOGNGBINARY="" SYSLOGNGBINARY=""
SYSTEMCTLBINARY="" SYSTEMCTLBINARY=""
SYSTEM_IS_NOTEBOOK=255 SYSTEM_IS_NOTEBOOK=255
@ -269,6 +295,7 @@ unset LANG
TESTS_EXECUTED="" TESTS_EXECUTED=""
TESTS_SKIPPED="" TESTS_SKIPPED=""
TMPFILE="" TMPFILE=""
TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0 TOOLTIP_SHOWED=0
TOTAL_SUGGESTIONS=0 TOTAL_SUGGESTIONS=0
TOTAL_WARNINGS=0 TOTAL_WARNINGS=0
@ -297,8 +324,10 @@ unset LANG
VULNERABLE_PACKAGES_FOUND=0 VULNERABLE_PACKAGES_FOUND=0
WCBINARY="" WCBINARY=""
XARGSBINARY="" XARGSBINARY=""
XBPSBINARY=""
YUMBINARY="" YUMBINARY=""
ZYPPERBINARY="" ZYPPERBINARY=""
# #
################################################################################# #################################################################################
# #
@ -313,7 +342,6 @@ unset LANG
HPTOTAL=0 # Maximum number of hardening points HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges
QUICKMODE=1 # Don't wait for user input QUICKMODE=1 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well QUIET=0 # Show normal messages and warnings as well
SKIPLOGTEST=0 # Skip logging for one test SKIPLOGTEST=0 # Skip logging for one test
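Review bot: `PENTESTINGMODE=0 # Try tests without root privileges` is dropped from the defaults block without a replacement, the same situation as the removed `PRIVILEGED=0` earlier in this file. If the non-privileged mode still exists its flag is now uninitialized; if the mode was removed, please confirm that every reference to the variable went in the same change.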
@ -339,7 +367,8 @@ unset LANG
################################################################################# #################################################################################
# #
# Normal color names # Normal color names (BG will color background)
BG_BLUE="$(printf '\033[0;44m')"
CYAN="$(printf '\033[0;36m')" CYAN="$(printf '\033[0;36m')"
BLUE="$(printf '\033[0;34m')" BLUE="$(printf '\033[0;34m')"
BROWN="$(printf '\033[0;33m')" BROWN="$(printf '\033[0;33m')"
@ -353,15 +382,13 @@ unset LANG
YELLOW="$(printf '\033[1;33m')" YELLOW="$(printf '\033[1;33m')"
WHITE="$(printf '\033[1;37m')" WHITE="$(printf '\033[1;37m')"
# Markup # Special markup
BOLD="${WHITE}" BOLD="${WHITE}"
NORMAL="$(printf '\033[0m')"
# With background
BG_BLUE="$(printf '\033[0;44m')"
# Semantic names # Semantic names
BG_WARNING="$(printf '\033[30;43m')" # Yellow background with grey text
HEADER="${WHITE}" HEADER="${WHITE}"
NORMAL="$(printf '\033[0m')"
WARNING="${RED}" WARNING="${RED}"
SECTION="${YELLOW}" SECTION="${YELLOW}"
NOTICE="${YELLOW}" NOTICE="${YELLOW}"

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -22,6 +22,8 @@
# #
################################################################################# #################################################################################
# #
InsertSection "${SECTION_DATA_UPLOAD}"
PROGRAM_VERSION="105" PROGRAM_VERSION="105"
# Data upload destination # Data upload destination
@ -75,6 +77,10 @@
ExitFatal ExitFatal
else else
Output "License key = ${LICENSE_KEY}" Output "License key = ${LICENSE_KEY}"
# Create a temporary file to use during upload (prevent license key being displayed in process table)
CreateTempFile || ExitFatal
LICENSE_KEY_FILE="${TEMP_FILE}"
echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
fi fi
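Review bot: `${TRBINARY} -cd '[a-f0-9-]'` keeps the literal `[` and `]` characters: `tr` has no bracket-expression syntax, so the square brackets are members of the set rather than delimiters, and a key containing them would pass the filter unchanged. Use `-cd 'a-f0-9-'`. Two smaller points on the same lines: the redirect target `> ${LICENSE_KEY_FILE}` should be quoted, and the `Output "License key = ${LICENSE_KEY}"` line directly above still prints the full key to the terminal (and to any captured session log), which undercuts the stated goal of keeping it out of the process table; consider masking all but the last few characters.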
@ -95,7 +101,6 @@
Output "${WHITE}Report file found.${NORMAL} Starting with connectivity check." Output "${WHITE}Report file found.${NORMAL} Starting with connectivity check."
if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}" LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
# Port is optional # Port is optional
@ -125,16 +130,18 @@
# CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'" # CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
#fi #fi
# Quit if license is not valid, to reduce load on both client and server.
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null" # License check
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
EXITCODE=$? EXITCODE=$?
LogText "Exit code: ${EXITCODE}" LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then if [ ${EXITCODE} -gt 0 ]; then
echo "" Display --indent 2 --text "- License check" --result "FAILED" --color RED
echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
echo "" echo ""
case ${EXITCODE} in case ${EXITCODE} in
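Review bot: the new `Display --indent 2 --text "- License check" --result "FAILED" --color RED` uses the literal `"FAILED"`, while the success path in this file uses `"${STATUS_DONE}"` and the upload failure below uses `"${STATUS_FAILED}"`; use `${STATUS_FAILED}` here as well so the label follows the same variable. Also, the `LogText "Command used: ..."` line embeds `"licensekey@${LICENSE_KEY_FILE}"` with unescaped inner double quotes; it works only through shell string concatenation, whereas the equivalent line in the upload block escapes them as `\"...\"`, and that form would keep this one intact for a temp-file path containing spaces.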
@ -142,7 +149,7 @@
LogText "Result: could not initialize" LogText "Result: could not initialize"
LogText "Possible cause: most likely your cURL version is too old and does not support the --data-urlencode option." LogText "Possible cause: most likely your cURL version is too old and does not support the --data-urlencode option."
LogText "Suggestion: copy the data to a different server and use a new cURL version there, or use the Lynis Collector tool." LogText "Suggestion: copy the data to a different server and use a new cURL version there, or use the Lynis Collector tool."
echo "${RED}Error (2)${NORMAL}: could not initialize cURL. See ${LOGFILE} for details." echo "${RED}Error (2)${NORMAL}: could not initialize cURL."
;; ;;
5) 5)
LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})." LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})."
@ -156,7 +163,7 @@
LogText "Result: could not contact license server." LogText "Result: could not contact license server."
LogText "Details: used URL ${LICENSE_SERVER_URL}" LogText "Details: used URL ${LICENSE_SERVER_URL}"
LogText "Suggestion: check if the upload host is correctly configured." LogText "Suggestion: check if the upload host is correctly configured."
echo "${RED}Error (7)${NORMAL}: license server not available. See ${LOGFILE} for details." echo "${RED}Error (7)${NORMAL}: license server not available."
;; ;;
59) 59)
echo "${RED}Error (59)${NORMAL}: Could not connect because of used SSL cipher." echo "${RED}Error (59)${NORMAL}: Could not connect because of used SSL cipher."
@ -181,14 +188,23 @@
LogText "Result: cURL exited with code ${EXITCODE}. See man page of cURL for the meaning of this code." LogText "Result: cURL exited with code ${EXITCODE}. See man page of cURL for the meaning of this code."
;; ;;
esac esac
echo ""
echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
echo ""
LogText "Suggestion: run the cURL command manually without the options -s and -S" LogText "Suggestion: run the cURL command manually without the options -s and -S"
LogText "Result: quitting, can't check license" LogText "Result: quitting, can't check license"
# Quit if license is not valid, to reduce load on both client and server.
ExitFatal ExitFatal
fi fi
UPLOAD_CODE=$(echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}') UPLOAD_CODE=$(echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}')
if [ "${UPLOAD_CODE}" = "100" ]; then if [ "${UPLOAD_CODE}" = "100" ]; then
Output "${WHITE}License is valid${NORMAL}" Output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid" LogText "Result: license is valid"
Display --indent 2 --text "- License check" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: error while checking license" LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}" LogText "Output: ${UPLOAD_CODE}"
@ -210,17 +226,19 @@
fi fi
# Check for host IDs # Check for host IDs
if [ ! "${HOSTID}" = "" -a ! "${HOSTID2}" = "" ]; then if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}" Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect # Try to connect
Output "Uploading data.." Output "Uploading data.."
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: to just retry an upload, use: lynis upload-only" LogText "Tip: to just retry an upload, use: lynis upload-only"
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null) UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
EXITCODE=$? EXITCODE=$?
LogText "Exit code: ${EXITCODE}" LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then if [ ${EXITCODE} -gt 0 ]; then
Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_FAILED}" --color RED
echo "" echo ""
echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details." echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}" echo "Suggested command: tail -n 20 ${LOGFILE}"
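Review bot: the `LogText "Tip: try running ..."` line now tells the user to re-run curl with `licensekey@${LICENSE_KEY_FILE}`, but that file is the temporary file created by `CreateTempFile` and will be gone once Lynis exits, so the tip cannot be reproduced from the log; either say that the key has to be written to a file first, or keep only the `lynis upload-only` tip. Minor: `[ -n "${HOSTID}" -a -n "${HOSTID2}" ]` relies on the obsolescent `-a` operator of `test`; `[ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ]` is the portable form.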
@ -231,24 +249,20 @@
7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;; 7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;; 59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;; 83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
*) echo "Related exit code: ${YELLOW}{EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;; *) echo "Related exit code: ${YELLOW}${EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
esac esac
if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi
echo "" echo ""
# Quit # Quit
ExitClean ExitClean
else else
Display --indent 2 --text "Data upload status (${UPLOAD_SERVER})" --result OK --color GREEN Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_DONE}" --color GREEN
fi fi
else else
echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file." echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
echo "Suggested command: lynis show hostids" echo "Suggested command: lynis generate hostids --save"
echo "" echo ""
echo "If hostid2 is the only ID that is missing, use the following step:" echo "Note: do not replicate the values to other systems, as it needs to be unique per system"
echo "Create hash and add it to custom.prf"
echo "echo \"hostid2=\$(cat /dev/urandom | tr -dc 'a-f0-9' | fold -w 64 | head -n 1)\" >> /etc/lynis/custom.prf"
echo ""
echo "Note: do not replicate this ID to other systems, as it needs to be unique per system"
# Quit # Quit
ExitFatal ExitFatal

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -19,25 +19,14 @@
################################################################################# #################################################################################
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --indent 2 --text "${RED}Error: ${WHITE}Provide a file${NORMAL}"
Display --text " "; Display --text " " Display --text " "; Display --text " "
ExitFatal ExitFatal
else else
FILE=$(echo $1 | egrep "^http|https") FILE=$(echo $1 | grep -E "^http|https")
if HasData "${FILE}"; then if HasData "${FILE}"; then
CreateTempFile echo "Provide a file (not a URL)"
TMP_FILE="${TEMP_FILE}" ExitFatal
Display --indent 2 --text "Downloading URL ${FILE} with wget"
wget -o ${TMP_FILE} ${FILE}
if [ $? -gt 0 ]; then
AUDIT_FILE="${TMP_FILE}"
else
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else else
if [ -f $1 ]; then if [ -f $1 ]; then
AUDIT_FILE="$1" AUDIT_FILE="$1"
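Review bot: `grep -E "^http|https"` is an alternation of `^http` and a bare `https`, so any file path containing the substring `https` (a Dockerfile under an `https-proxy/` directory, for instance) is rejected with "Provide a file (not a URL)". Since URL support is being removed, the check only needs to recognize a URL scheme: `grep -E "^https?://"`. Also quote `$1` in `echo $1` and `[ -f $1 ]` so a path with spaces is handled.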
@ -70,13 +59,12 @@ fi
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine) IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
IS_LATEST=$(echo ${TAG} | grep -i latest) IS_LATEST=$(echo ${TAG} | grep -i latest)
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi if [ -n "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi if [ -n "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi if [ -n "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
if [ ! "${IS_ALPINE}" = "" ]; then IMAGE="alpine"; fi if [ -n "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
if [ -n "${IS_LATEST}" ]; then
if [ ! "${IS_LATEST}" = "" ]; then ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
ReportWarning "dockerfile" "latest TAG used. Specifying the version is better."
fi fi
case ${IMAGE} in case ${IMAGE} in
@ -105,29 +93,24 @@ fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Basics"
InsertSection "Basics" MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ -z "${MAINTAINER}" ]; then
#FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
FIND=$(egrep -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file." ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else else
#MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
MAINTAINER=$(echo ${FIND})
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}" Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi fi
FIND=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 ) ENTRYPOINT=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then if [ -z "${ENTRYPOINT}" ]; then
ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile." ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile."
else else
ENTRYPOINT=$(echo ${FIND})
Display --indent 2 --text "ENTRYPOINT" --result "${ENTRYPOINT}" Display --indent 2 --text "ENTRYPOINT" --result "${ENTRYPOINT}"
fi fi
FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 ) FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No CMD defines in Dockerfile." ReportWarning "dockerfile" "No CMD defines in Dockerfile."
else else
CMD=$(echo ${FIND}) CMD=$(echo ${FIND})
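Review bot: the pattern `"*MAINTAINER"` begins with `*`, which in an ERE has no preceding atom; POSIX leaves that undefined and implementations differ on whether the asterisk is literal or ignored. The intent is a case-insensitive substring match (so that `LABEL maintainer=...` is found too), which `grep -E -i "MAINTAINER"` expresses without ambiguity. Also, `ENTRYPOINT=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )` and the `CMD` line below return only the first whitespace-separated token, so the exec form `ENTRYPOINT ["/bin/sh", "-c"]` is displayed as `["/bin/sh",`; and the warning text `"No CMD defines in Dockerfile."` should read `defined`.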
@ -135,23 +118,20 @@ InsertSection "Basics"
fi fi
FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 ) FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root" ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root"
else else
USER=$(echo ${FIND}) USER=$(echo ${FIND})
Display --indent 2 --text "User" --result "${USER}" Display --indent 2 --text "User" --result "${USER}"
fi fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Software" InsertSection "Software"
case $PKGMGR in case $PKGMGR in
"apt") "apt")
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE}) FIND=$(grep -E "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get" LogText "Found installation via apt-get"
else else
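Review bot: `USER=$(echo ${FIND})` assigns the Dockerfile's USER directive to the shell variable `USER`, which overwrites the caller's login-name environment variable for the rest of the run; anything later that reads `${USER}` would see the container user instead of the person running the audit. Since this hunk already touches the surrounding lines, rename it to something like `DOCKER_USER` here and in the `Display` line that follows.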
@ -159,7 +139,7 @@ InsertSection "Basics"
fi fi
;; ;;
"apk") "apk")
FIND=$(egrep "apk(.*) add" ${AUDIT_FILE}) FIND=$(grep -E "apk(.*) add" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apk" LogText "Found installation via apk"
else else
@ -171,7 +151,7 @@ InsertSection "Basics"
;; ;;
esac esac
FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#") FIND=$(grep -E " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment" ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}" LogText "Details: ${FIND}"
@ -214,7 +194,7 @@ InsertSection "Basics"
if [ ${FILE_DOWNLOAD} -eq 1 ]; then if [ ${FILE_DOWNLOAD} -eq 1 ]; then
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE}) SSL_USED_FIND=$(grep -E "(https)" ${AUDIT_FILE})
if HasData "${SSL_USED_FIND}"; then if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES" SSL_USED="YES"
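Review bot: `grep -E "(https)"` matches the string anywhere in the file, including comments and unrelated URLs, so a single `https` occurrence sets SSL_USED=YES even when other downloads in the same Dockerfile use plain `http://`. Flagging any `http://` on a non-comment line (for example `grep -v '^#' ${AUDIT_FILE} | grep -E 'http://'`) answers the question the suggestion text actually asks, namely whether every download is protected.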
@ -225,9 +205,9 @@ InsertSection "Basics"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)" ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
fi fi
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR} Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE}) HASHING_USED=$(grep -E "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
Display --indent 2 --text "Hashing" --result "${HASHING_USED}" Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE}| sed 's/RUN apt-key adv//g'| sed 's/--keyserver/Key Server:/g' | sed 's/--recv/Key Value:/g') KEYS_USED=$(grep -E "(apt-key adv)" ${AUDIT_FILE}| sed 's/RUN apt-key adv//g'| sed 's/--keyserver/Key Server:/g' | sed 's/--recv/Key Value:/g')
Display --indent 2 --text "Signing keys used" --result "${KEYS_USED}" Display --indent 2 --text "Signing keys used" --result "${KEYS_USED}"
Display --indent 2 --text "All downloads properly checked" --result "?" Display --indent 2 --text "All downloads properly checked" --result "?"
else else
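Review bot: the Display line labelled "Integrity testing performed" prints ${SSL_USED}, which records transport encryption rather than integrity checking; the label should read along the lines of "SSL/TLS used for downloads". The hashing and signing-key lines below it echo the raw matching Dockerfile lines, because `grep -E "(sha1sum|sha256sum|sha512sum)"` returns whole lines; reducing them to YES/NO (or a count) keeps the report readable. A match on `sha1sum` is also listed alongside the SHA-2 tools although SHA-1 no longer offers collision resistance, so a separate suggestion for SHA-1 use would be appropriate.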
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
192
include/helper_generate Normal file
@ -0,0 +1,192 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to generate specific details such as host IDs
#
######################################################################
#
# How to use:
# ------------
# Run: lynis generate <option>
#
######################################################################
SAVEFILE=0
GENERATE_ARGS="hostids systemd-units"
if [ $# -gt 0 ]; then
case $1 in
"hostids")
if [ $# -gt 1 ]; then
shift
if [ $1 = "--save" ]; then
SAVEFILE=1
fi
fi
# Generate random host IDs
case "${OS}" in
"AIX")
# hexdump does not exist on AIX
HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
;;
*)
# xxd does not exist on FreeBSD
# Note: hexdump may omit leading or trailing zeroes.
# Take 100 characters as input, turn to hex, then take first 40/64.
HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
;;
esac
${ECHOCMD} "Generated host identifiers"
${ECHOCMD} "- hostid: ${HOSTID}"
${ECHOCMD} "- hostid2: ${HOSTID2}"
if [ ${SAVEFILE} -eq 1 ]; then
FILE="${ROOTDIR}etc/lynis/hostids"
if [ -f ${FILE} ]; then
${ECHOCMD} "Error: hostids file already exists (${FILE})"
${ECHOCMD} "Remove the file first and rerun command"
ExitFatal
else
OUTPUT=$(touch ${FILE} 2> /dev/null)
if [ $? -eq 0 ]; then
${ECHOCMD} "Created hostids file (${FILE})"
echo "# generated using 'lynis generate hostids --save'" > ${FILE}
echo "hostid=${HOSTID}" >> ${FILE}
echo "hostid2=${HOSTID2}" >> ${FILE}
else
ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?"
fi
fi
fi
ExitClean
;;
"cronjob")
${ECHOCMD} "Not implemented yet"
;;
"systemd-units")
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis service file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Security audit and vulnerability scanner"
${ECHOCMD} "Documentation=https://cisofy.com/docs/"
${ECHOCMD} ""
${ECHOCMD} "[Service]"
${ECHOCMD} "Nice=19"
${ECHOCMD} "IOSchedulingClass=best-effort"
${ECHOCMD} "IOSchedulingPriority=7"
${ECHOCMD} "Type=simple"
MYBINARY=$(which lynis 2>/dev/null)
MOREOPTIONS=""
if [ -n "${LICENSE_KEY}" ]; then
MOREOPTIONS=" --upload"
fi
${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=multi-user.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis timer file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar=daily"
${ECHOCMD} "RandomizedDelaySec=1800"
${ECHOCMD} "Persistent=false"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=timers.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload"
${ECHOCMD} ""
${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer"
${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar="
${ECHOCMD} "OnCalendar=*-*-* 03:00:00"
${ECHOCMD} ""
;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
esac
else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
for ITEM in ${GENERATE_ARGS}; do
${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"
${ECHOCMD} ""
${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
fi
ExitClean
# The End
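Review bot: `if [ $1 = "--save" ]` in the hostids branch leaves $1 unquoted; an empty second argument (`lynis generate hostids ""`) turns the test into `[ = "--save" ]` and a syntax error, so write `[ "$1" = "--save" ]`. Two smaller points in the same branch: the ExitFatal message reads "could not created hostids file" ("create"), and the failure can equally be a missing ${ROOTDIR}etc/lynis directory rather than a permission problem, which the message could mention. In the generated timer unit, `Persistent=false` means a host that is powered off at the scheduled moment silently skips that day's audit; `Persistent=true` runs the missed job at the next boot, which is usually what a scheduled security audit wants.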
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -28,17 +28,18 @@
# #
###################################################################### ######################################################################
COMMANDS="audit configure show update upload-only" COMMANDS="audit configure generate show update upload-only"
HELPERS="audit configure show update" HELPERS="audit configure show update"
OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--no-plugins\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
SHOW_ARGS="categories changelog commands dbdir details environment groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir" SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories) SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories)
lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details) lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details)
lynis show ${BROWN}commands${NORMAL} (all available commands) lynis show ${BROWN}commands${NORMAL} (all available commands)
lynis show ${BROWN}dbdir${NORMAL} (database directory) lynis show ${BROWN}dbdir${NORMAL} (database directory)
lynis show ${BROWN}details${NORMAL} (display test details from log file) lynis show ${BROWN}details${NORMAL} (display test details from log file)
lynis show ${BROWN}environment${NORMAL} (hardware, virtual machine, or container type) lynis show ${BROWN}environment${NORMAL} (hardware, virtual machine, or container type)
lynis show ${BROWN}eol${NORMAL} (OS end-of-life status)
lynis show ${BROWN}groups${NORMAL} (test groups) lynis show ${BROWN}groups${NORMAL} (test groups)
lynis show ${BROWN}help${NORMAL} (detailed information about arguments) lynis show ${BROWN}help${NORMAL} (detailed information about arguments)
lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system) lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system)
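Review bot: COMMANDS gains `generate` but HELPERS on the next line still reads "audit configure show update"; if HELPERS is used anywhere to validate or list helper names, the new helper is missing from it. Separately, OPTIONS drops `--license-key` and `--skip-plugins` while adding `--no-plugins`, `--devops`, `--forensics` and `--usecwd`; the man page and the `lynis show options` output should be checked for the same set of changes.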
@ -93,11 +94,29 @@ AUDIT_HELP="
" "
UPDATE_ARGS="check info" GENERATE_ARGS="( --save )"
GENERATE_HELP="
Generate random value for hostid and hostid2
${WHITE}lynis generate hostids${NORMAL}
Generate and save values
${WHITE}lynis generate hostids --save${NORMAL}
Generate systemd units to run Lynis on a schedule (e.g. daily)
${WHITE}lynis generate systemd-units${NORMAL}
"
UPDATE_ARGS="check | info"
UPDATE_HELP=" UPDATE_HELP="
${CYAN}update info${NORMAL} ${CYAN}update info${NORMAL}
Check version information Check and show version information
${CYAN}update check${NORMAL}
Just check if version is up-to-date
" "
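Review bot: GENERATE_ARGS="( --save )" does not list the arguments the command accepts; helper_generate defines GENERATE_ARGS="hostids systemd-units", and UPDATE_ARGS on the line below uses the "check | info" form. Using the same form here ("hostids | systemd-units") keeps the argument list shown by `show help` consistent with what the helper parses, and `--save` is already documented in GENERATE_HELP.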
@ -135,7 +154,7 @@ if [ $# -gt 0 ]; then
# Check also for gzipped changelog # Check also for gzipped changelog
elif [ -f ${FILEPATH}/changelog.gz ]; then elif [ -f ${FILEPATH}/changelog.gz ]; then
ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ") ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${ZCAT}" ]; then if [ -n "${ZCAT}" ]; then
CreateTempFile CreateTempFile
CHANGELOG="${TEMP_FILE}" CHANGELOG="${TEMP_FILE}"
LogText "Result: found gzipped changelog in ${FILEPATH}" LogText "Result: found gzipped changelog in ${FILEPATH}"
@ -145,18 +164,18 @@ if [ $# -gt 0 ]; then
DisplayError "Could not find zcat utility to use on gzipped changelog" DisplayError "Could not find zcat utility to use on gzipped changelog"
fi fi
fi fi
if [ ! -z "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi if [ -n "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
done done
if [ ! -z "${CHANGELOG}" ]; then if [ -n "${CHANGELOG}" ]; then
SEARCH=$(egrep "^${PROGRAM_NAME} ${SEARCH_VERSION}" ${CHANGELOG}) SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
while read -r LINE; do while read -r LINE; do
if [ ${STARTED} -eq 0 ]; then if [ ${STARTED} -eq 0 ]; then
SEARCH=$(echo ${LINE} | egrep "^${PROGRAM_NAME} ${SEARCH_VERSION}") SEARCH=$(echo ${LINE} | sed 's/^## //' | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
if [ $? -eq 0 ]; then STARTED=1; ${ECHOCMD} "${BOLD}${LINE}${NORMAL}"; fi if [ $? -eq 0 ]; then STARTED=1; ${ECHOCMD} "${BOLD}${LINE}${NORMAL}"; fi
else else
# Stop if we find the next Lynis version # Stop if we find the next Lynis version
SEARCH=$(echo ${LINE} | egrep "^${PROGRAM_NAME} [0-9]\.[0-9]\.[0-9]") SEARCH=$(echo ${LINE} | sed 's/^## //' | grep -E "^${PROGRAM_NAME} [0-9]\.[0-9]\.[0-9]")
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
break break
else else
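Review bot: the version match `grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}"` is anchored only at the start, so a search for 3.0.1 also matches a future "Lynis 3.0.10" heading, and the dots in SEARCH_VERSION act as regex wildcards; anchoring the end (`"^${PROGRAM_NAME} ${SEARCH_VERSION}( |$)"`) avoids printing the wrong release. Likewise the stop condition `[0-9]\.[0-9]\.[0-9]` only matches single-digit components; `[0-9]+\.[0-9]+\.[0-9]+` is safer now that `grep -E` is in use.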
@ -171,7 +190,7 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "$0 lynis show changelog [version]" ${ECHOCMD} "$0 lynis show changelog [version]"
${ECHOCMD} "" ${ECHOCMD} ""
${ECHOCMD} "${HEADER}${PROGRAM_NAME} versions:${NORMAL}" ${ECHOCMD} "${HEADER}${PROGRAM_NAME} versions:${NORMAL}"
SEARCH=$(egrep "^Lynis [0-9]\.[0-9]\.[0-9] " ${CHANGELOG} | awk '{print $2}' | sort -n) SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^Lynis [0-9]\.[0-9]\.[0-9] " | awk '{print $2}' | sort -n)
${ECHOCMD} ${SEARCH} ${ECHOCMD} ${SEARCH}
ExitFatal ExitFatal
fi fi
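Review bot: `sort -n` on values such as 2.7.5 and 3.0.1 only parses the number up to the second dot, so 2.7.10 and 2.7.5 compare equal numerically and fall back to byte order (2.7.10 before 2.7.5); `sort -t. -k1,1n -k2,2n -k3,3n` orders all three components. In addition, the pattern `[0-9]\.[0-9]\.[0-9] ` requires a space directly after a single-digit patch level, so a version like 2.7.10 would not appear in the list at all.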
@ -192,8 +211,11 @@ if [ $# -gt 0 ]; then
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
case $1 in case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;; "audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
"configure") ${ECHOCMD} "No help available yet" ;;
"generate") ${ECHOCMD} "${GENERATE_HELP}" ;;
"show") ${ECHOCMD} "${SHOW_HELP}" ;; "show") ${ECHOCMD} "${SHOW_HELP}" ;;
"update") ${ECHOCMD} "No help available yet" ;; "update") ${ECHOCMD} "${UPDATE_HELP}" ;;
"upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;;
*) DisplayError "Unknown argument for 'commands'" *) DisplayError "Unknown argument for 'commands'"
esac esac
else else
@ -223,7 +245,7 @@ if [ $# -gt 0 ]; then
shift shift
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
TESTID="$1" TESTID="$1"
awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/===---/{p=0}' ${LOGFILE} awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/====/{p=0}' ${LOGFILE}
fi fi
fi fi
;; ;;
@ -242,6 +264,18 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "virtual-machine=0" ${ECHOCMD} "virtual-machine=0"
fi fi
;; ;;
"eol")
${ECHOCMD} "Operating-system=${OS_FULLNAME}"
if [ ${EOL} -eq 0 ]; then
${ECHOCMD} "End-of-life=No"
elif [ ${EOL} -eq 1 ]; then
${ECHOCMD} "End-of-life=Yes"
elif [ ${EOL} -eq 255 ]; then
${ECHOCMD} "End-of-life=Not tested"
else
${ECHOCMD} "End-of-life=Unknown"
fi
;;
"groups") "groups")
ViewGroups ViewGroups
;; ;;
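Review bot: the final `else` ("End-of-life=Unknown") in the eol branch is unreachable as long as osdetection only ever sets EOL to 0, 1 or 255; more importantly, an OS that is simply absent from software-eol.db is left at 255 and reported as "Not tested", which reads as if the check never ran. Reserving 255 for "database missing or OS_VERSION empty" and using a distinct value for "no entry found" would let this branch show "Unknown" in the case it was written for.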
@ -262,6 +296,8 @@ if [ $# -gt 0 ]; then
shift shift
case $1 in case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;; "audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
"configure") ${ECHOCMD} "No help available yet" ;;
"generate") ${ECHOCMD} "${GENERATE_HELP}" ;;
"show") ${ECHOCMD} "${SHOW_HELP}" ;; "show") ${ECHOCMD} "${SHOW_HELP}" ;;
"update") ${ECHOCMD} "${UPDATE_HELP}" ;; "update") ${ECHOCMD} "${UPDATE_HELP}" ;;
"upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;; "upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;;
@ -323,7 +359,7 @@ if [ $# -gt 0 ]; then
VALUE=$(echo ${LINE} | awk -F';' '{print $2}') VALUE=$(echo ${LINE} | awk -F';' '{print $2}')
DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g') DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g')
if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi
if [ ! -z "${VALUE}" ]; then if [ -n "${VALUE}" ]; then
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi
${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}" ${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}"
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi
@ -388,7 +424,7 @@ if [ $# -gt 0 ]; then
if [ -z "${SKIP_TESTS}" ]; then if [ -z "${SKIP_TESTS}" ]; then
${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (not configured)" ${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (not configured)"
else else
FIND=$(echo ${SKIP_TESTS} | egrep "${TEST}") FIND=$(echo ${SKIP_TESTS} | grep -E "${TEST}")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (test not marked to be skipped)" ${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (test not marked to be skipped)"
else else
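Review bot: `echo ${SKIP_TESTS} | grep -E "${TEST}"` treats the test ID as an unanchored regex, so a skip entry for FILE-63100 also marks FILE-6310 as skipped, and `.` in an ID matches any character. Since SKIP_TESTS is a whitespace-separated list, `echo ${SKIP_TESTS} | tr ' ' '\n' | grep -Fx "${TEST}"` matches whole IDs only.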
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -77,7 +77,9 @@ elif [ "$1" = "info" ]; then
echo "${GREEN}Up-to-date${NORMAL}" echo "${GREEN}Up-to-date${NORMAL}"
fi fi
echo " Release date : ${PROGRAM_RELEASE_DATE}" echo " Release date : ${PROGRAM_RELEASE_DATE}"
echo " Update location : ${PROGRAM_WEBSITE}" echo " Project page : ${PROGRAM_WEBSITE}"
echo " Source code : ${PROGRAM_SOURCE}"
echo " Latest package : ${PROGRAM_PACKAGE}"
echo ""; echo "" echo ""; echo ""
echo "${PROGRAM_COPYRIGHT}" echo "${PROGRAM_COPYRIGHT}"
echo "" echo ""
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -61,6 +61,8 @@
10.12 | 10.12.[0-9]*) OS_FULLNAME="macOS Sierra (${OS_VERSION})" ;; 10.12 | 10.12.[0-9]*) OS_FULLNAME="macOS Sierra (${OS_VERSION})" ;;
10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;; 10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;; 10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;; *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac esac
else else
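Review bot: the Big Sur pattern `11.0 | 11.0[0-9]*)` does not follow the `10.15 | 10.15.[0-9]*` form used on the lines above it: `11.0[0-9]*` requires a digit directly after `11.0`, so `11.0.1` falls through to the "Unknown macOS version" branch, and later 11.x point releases (11.1, 11.2 and so on) are not covered at all. `11 | 11.[0-9]*)` matches the whole Big Sur line.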
@ -138,55 +140,153 @@
# Generic # Generic
if [ -e /etc/os-release ]; then if [ -e /etc/os-release ]; then
OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
if [ ! -z "${OS_ID}" ]; then if [ -n "${OS_ID}" ]; then
case ${OS_ID} in case ${OS_ID} in
"alpine")
LINUX_VERSION="Alpine Linux"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"arch") "arch")
LINUX_VERSION="Arch Linux" LINUX_VERSION="Arch Linux"
OS_FULLNAME="Arch Linux" OS_FULLNAME="Arch Linux"
OS_VERSION="Rolling release" OS_VERSION="Rolling release"
;; ;;
"coreos") "centos")
LINUX_VERSION="CoreOS" LINUX_VERSION="CentOS"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="CentOS Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="CoreOS Linux"
;; ;;
"manjaro") "clear-linux-os")
LINUX_VERSION="Manjaro Linux" LINUX_VERSION="Clear Linux OS"
OS_FULLNAME="Manjaro Linux" OS_NAME="Clear Linux OS"
OS_REDHAT_OR_CLONE=1
OS_VERSION="Rolling release" OS_VERSION="Rolling release"
;; ;;
"ubuntu") "cloudlinux")
LINUX_VERSION="Ubuntu" LINUX_VERSION="CloudLinux"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="CloudLinux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"coreos")
LINUX_VERSION="CoreOS"
OS_NAME="CoreOS Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"debian")
LINUX_VERSION="Debian"
OS_NAME="Debian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"fedora")
LINUX_VERSION="Fedora"
OS_NAME="Fedora Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"gentoo")
LINUX_VERSION="Gentoo"
OS_NAME="Gentoo Linux"
OS_VERSION="Rolling release"
;;
"kali")
LINUX_VERSION="Kali"
OS_NAME="Kali Linux"
OS_VERSION="Rolling release"
;;
"linuxmint")
LINUX_VERSION="Linux Mint"
OS_NAME="Linux Mint"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"manjaro")
LINUX_VERSION="Manjaro"
OS_FULLNAME="Manjaro Linux"
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
"ol")
LINUX_VERSION="Oracle Linux"
OS_NAME="Oracle Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu Linux"
;; ;;
"opensuse-tumbleweed") "opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed" LINUX_VERSION="openSUSE Tumbleweed"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
# It's rolling release but has a snapshot version (the date of the snapshot) # It's rolling release but has a snapshot version (the date of the snapshot)
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE" OS_NAME="openSUSE"
;; ;;
"opensuse-leap") "opensuse-leap")
LINUX_VERSION="openSUSE Leap" LINUX_VERSION="openSUSE Leap"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE" OS_NAME="openSUSE"
;; ;;
"pop")
LINUX_VERSION="Pop!_OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Pop!_OS"
;;
"pureos")
LINUX_VERSION="PureOS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="PureOS"
;;
"raspbian")
LINUX_VERSION="Raspbian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Raspbian"
;;
"rhel")
LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
OS_REDHAT_OR_CLONE=1
;;
"slackware")
LINUX_VERSION="Slackware"
OS_NAME="Slackware Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"ubuntu")
LINUX_VERSION="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu"
;;
*) *)
Debug "Unknown OS found in /etc/os-release. Do you know what it is? Create an issue at ${PROGRAM_SOURCE}" ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;; ;;
esac esac
fi fi
fi fi
# Alpine
if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
# Amazon # Amazon
if [ -e "/etc/system-release" ]; then if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
FIND=$(grep "Amazon" /etc/system-release) FIND=$(grep "^Amazon" /etc/system-release)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
OS_REDHAT_OR_CLONE=1 OS_REDHAT_OR_CLONE=1
OS_FULLNAME=$(grep "^Amazon" /etc/system-release) OS_FULLNAME=$(grep "^Amazon" /etc/system-release)
OS_VERSION=$(grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }') OS_VERSION=$(grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }')
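Review bot: OS_REDHAT_OR_CLONE=1 in the "clear-linux-os" entry looks unintended: every other entry that sets it (amzn, centos, cloudlinux, fedora, ol, rhel) is a Red Hat derivative, while Clear Linux is recorded here as a rolling release like arch, gentoo, kali and manjaro, none of which set it. Also, the `grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'` pipeline (and its VERSION= twin) is repeated for nearly every distribution; a small helper that reads one os-release key would cut the duplication and turn the next distribution into a two-line addition.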
@ -210,6 +310,7 @@
# Cobalt # Cobalt
if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=$(cat /etc/cobalt-release); fi if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=$(cat /etc/cobalt-release); fi
# CPUBuilders Linux # CPUBuilders Linux
if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi
@ -257,12 +358,11 @@
if [ -e "/etc/gentoo-release" ]; then LINUX_VERSION="Gentoo"; OS_FULLNAME=$(cat /etc/gentoo-release); fi if [ -e "/etc/gentoo-release" ]; then LINUX_VERSION="Gentoo"; OS_FULLNAME=$(cat /etc/gentoo-release); fi
# Red Hat and others # Red Hat and others
if [ -e "/etc/redhat-release" ]; then if [ -z "${LINUX_VERSION}" -a -e "/etc/redhat-release" ]; then
OS_REDHAT_OR_CLONE=1 OS_REDHAT_OR_CLONE=1
# CentOS # CentOS
FIND=$(grep "CentOS" /etc/redhat-release) if grep "CentOS" /etc/redhat-release; then
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=$(grep "CentOS" /etc/redhat-release) OS_FULLNAME=$(grep "CentOS" /etc/redhat-release)
LINUX_VERSION="CentOS" LINUX_VERSION="CentOS"
OS_VERSION="${OS_FULLNAME}" OS_VERSION="${OS_FULLNAME}"
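Review bot: `if grep "CentOS" /etc/redhat-release; then` runs grep without `-q`, so the matching line is printed to stdout every time this path executes and ends up in the screen or cronjob output; `grep -q "CentOS" /etc/redhat-release` gives the same exit status silently, and the line is re-read into OS_FULLNAME on the next line anyway.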
@ -477,7 +577,7 @@
ECHONB="" ECHONB=""
case ${OS} in case ${OS} in
"AIX") ECHOCMD="echo" ;; "AIX") ECHOCMD="echo"; ECHONB="printf" ;;
"DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;;
"macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
"Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
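Review bot: setting ECHONB="printf" for AIX is not a drop-in for `echo -n`: the first argument to printf is a format string, so any `%` in the text passed to `${ECHONB}` is interpreted and backslash sequences are expanded. `ECHONB="printf %s"` makes the text the argument rather than the format and is the safe equivalent for callers that pass a single string.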
@ -512,19 +612,24 @@
# Check if this OS is end-of-life # Check if this OS is end-of-life
EOL=255 EOL=255
EOL_DATE="" EOL_DATE=""
if [ ! -z "${OS_VERSION}" ]; then EOL_TIMESTAMP=0
if [ -n "${OS_VERSION}" ]; then
if [ -f "${DBDIR}/software-eol.db" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then
FIND="${OS_FULLNAME}" FIND="${OS_FULLNAME}"
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && $2 ~ value){print $3}}' ${DBDIR}/software-eol.db | head -n 1) EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
if [ ! -z "${EOL_DATE}" ]; then if [ -n "${EOL_TIMESTAMP}" ]; then
NOW=$(date "+%s") EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
FIND=$(date "+%s" --date=${EOL_DATE}) if [ -n "${EOL_DATE}" ]; then
if [ ! -z "${FIND}" ]; then NOW=$(date "+%s")
if [ ${NOW} -gt ${FIND} ]; then if [ -n "${NOW}" ]; then
EOL=1 if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
else EOL=1
EOL=0 else
EOL=0
fi
fi fi
else
EOL=0
fi fi
fi fi
fi fi
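Review bot: when the OS has no entry in software-eol.db the awk pipeline prints nothing, so EOL_TIMESTAMP becomes the empty string (the `EOL_TIMESTAMP=0` initialisation is overwritten) and EOL stays 255; and when an entry exists but its date field is empty, the `else` branch sets EOL=0 and reports a release with an incomplete record as supported. A missing entry and a record without a date should not be indistinguishable from "not tested" and "supported". Two smaller points: `value ~ $2` now uses the database field as a regex against OS_FULLNAME, so dots in an entry match any character, and `[ ${NOW} -gt ${EOL_TIMESTAMP} ]` raises a test error if the fourth field is ever non-numeric; a `case ${EOL_TIMESTAMP} in *[!0-9]*) ... esac` guard before the comparison would make it robust.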
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -22,8 +22,21 @@
# #
################################################################################# #################################################################################
# #
# Check number of parameters submitted (at least one is needed)
PARAMCOUNT=$# PARAMCOUNT=$#
# Input validation on provided parameters and their arguments
COUNT=0
for I in "$@"; do
COUNT=$((COUNT + 1))
if ! SafeInput "${I}"; then
echo "Execution of ${PROGRAM_NAME} stopped as we found unexpected input or invalid characters in argument ${COUNT}"
echo "Do you believe this is in error? Let us know: ${PROGRAM_AUTHOR_CONTACT}"
ExitFatal "Program execution stopped due to security measure"
fi
done
# Parse arguments
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
case $1 in case $1 in
# Helpers first # Helpers first
@ -36,12 +49,13 @@
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
case $2 in case $2 in
"dockerfile") "dockerfile")
if [ "$3" = "" ]; then if [ $# = 2 ]; then
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}" echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
echo "Example: $0 audit dockerfile /root/Dockerfile" echo "Example: $0 audit dockerfile /path/to/Dockerfile"
ExitFatal ExitFatal
else else
shift; shift shift; shift
CHECK_BINARIES=1
HELPER_PARAMS="$1" HELPER_PARAMS="$1"
HELPER="audit_dockerfile" HELPER="audit_dockerfile"
break break
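Review bot: `if [ $# = 2 ]` is a string comparison while the enclosing `if [ $# -gt 1 ]` is arithmetic; `[ $# -eq 2 ]` keeps the two tests consistent and reads as the count check it is.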
@ -84,7 +98,14 @@
SKIP_PLUGINS=0 SKIP_PLUGINS=0
RUN_TESTS=1 RUN_TESTS=1
shift shift
;;
*)
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
echo " "
echo "Examples:"
echo "lynis audit dockerfile"
echo "lynis audit system"
ExitFatal
;; ;;
esac esac
else else
@ -111,6 +132,24 @@
break break
;; ;;
# Generate data
generate)
CHECK_BINARIES=0
HELPER="generate"
LOGTEXT=0
QUIET=1
RUN_HELPERS=1
RUN_TESTS=0
RUN_UPDATE_CHECK=0
SKIP_GETHOSTID=1
SKIP_PLUGINS=1
SKIP_VM_DETECTION=1
SHOW_PROGRAM_DETAILS=0
SHOW_TOOL_TIPS=0
shift; HELPER_PARAMS="$@"
break
;;
# Show Lynis details # Show Lynis details
show) show)
CHECK_BINARIES=0 CHECK_BINARIES=0
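Review bot: `shift; HELPER_PARAMS="$@"` joins all remaining arguments into one space-separated string, so argument boundaries (and any argument containing spaces) are lost before the `generate` helper sees them; if flattening is intended, `"$*"` states that explicitly and a comment should say the helper re-splits on whitespace. The case also switches off logging, the update check, host-id lookup and VM detection with a dozen flags; a one-line comment on why `generate` has to run silent would help the next reader.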
@ -192,16 +231,10 @@
fi fi
;; ;;
# Perform tests (deprecated, use audit system)
--check-all | --checkall | -c)
DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]"
CHECK=1
;;
# Cronjob support # Cronjob support
--cron-job | --cronjob | --cron) --cron-job | --cronjob | --cron)
CRONJOB=1 CRONJOB=1
CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors) CHECK=1; COLORS=0; NEVERBREAK=1 # Use some defaults ('audit system', -Q, no colors)
RemoveColors RemoveColors
;; ;;
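Review bot: `--cron` no longer sets `QUICKMODE=1` here and instead relies on the block added after the parsing loop at the end of this file, which forces quick mode whenever `CRONJOB` or `QUIET` is set; that works, but the updated comment `('audit system', -Q, no colors)` still reads as if `-Q` were applied at this point. Either mention the later fallback in the comment or keep `QUICKMODE=1` here so the case is self-contained.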
@ -215,29 +248,14 @@
DEVELOPER_MODE=1 DEVELOPER_MODE=1
;; ;;
# Display all available options with short alias # DevOps mode (continuous integration)
--dump-options | --dumpoptions) --devops)
OPTIONS="--auditor DEVOPS_MODE=1
--check-all_(-c) --cronjob_(--cron) ;;
--debug
--help_(-h)
--info
--license-key --log-file
--manpage_(--man)
--no-colors --no-log
--pentest --profile --plugins-dir
--quiet_(-q) --quick_(-Q)
--report-file --reverse-colors
--tests
--upload
--version_(-V)"
for ITEM in ${OPTIONS}; do
echo "${ITEM}" | tr '_' ' '
done
echo "This option is deprecated"
echo "Use: lynis show options"
ExitClean # Enable forensics mode (gather information from a mounted directory)
--forensics)
FORENSICS=1
;; ;;
# View help # View help
@ -245,19 +263,6 @@
VIEWHELP=1 VIEWHELP=1
;; ;;
# View program/database information
--check-update | --check-updates | --info)
echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;;
# License key for Lynis Enterprise
--license-key)
shift
LICENSE_KEY=$1
;;
# Adjust default logfile location # Adjust default logfile location
--logfile | --log-file) --logfile | --log-file)
shift shift
@ -265,7 +270,7 @@
;; ;;
# Don't use colors # Don't use colors
--no-colors | --nocolors) --no-colors | --nocolors | --no-colour | --nocolour)
COLORS=0 COLORS=0
RemoveColors RemoveColors
;; ;;
@ -275,6 +280,11 @@
LOGFILE="/dev/null" LOGFILE="/dev/null"
;; ;;
# Skip execution of plugins
--no-plugins | --noplugins | --skip-plugins)
SKIP_PLUGINS=1
;;
--pen-test | --pentest) --pen-test | --pentest)
PENTESTINGMODE=1 PENTESTINGMODE=1
;; ;;
@ -283,7 +293,7 @@
--profile) --profile)
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
shift shift
SEARCH_PROFILES=$1 SEARCH_PROFILES="$1"
else else
echo "Specify the profile (lynis audit system --profile /home/michael/myprofile.prf)" echo "Specify the profile (lynis audit system --profile /home/michael/myprofile.prf)"
exit 1 exit 1
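Review bot: quoting `SEARCH_PROFILES="$1"` is the right fix for profile paths with spaces, but the error branch still uses `exit 1` where the rest of this file calls `ExitFatal`, so any cleanup that function performs is skipped; switch to `ExitFatal`. Consider also replacing the personal example path `/home/michael/myprofile.prf` with a neutral `/path/to/myprofile.prf`, matching the dockerfile example earlier in the file.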
@ -313,7 +323,6 @@
# Quiet mode # Quiet mode
--quiet | -q | --silent) --quiet | -q | --silent)
QUIET=1 QUIET=1
QUICKMODE=1 # Run non-interactive
;; ;;
# Non-interactive mode # Non-interactive mode
@ -328,7 +337,7 @@
;; ;;
# Strip the colors which aren't clearly visible on light backgrounds # Strip the colors which aren't clearly visible on light backgrounds
--reverse-colors) --reverse-colors | --reverse-colour)
BLUE="${NORMAL}"; BLUE="${NORMAL}";
SECTION="${NORMAL}"; SECTION="${NORMAL}";
NOTICE="${NORMAL}"; NOTICE="${NORMAL}";
@ -355,11 +364,6 @@
fi fi
;; ;;
# Skip execution of plugins
--skip-plugins | --no-plugins | --noplugins)
SKIP_PLUGINS=1
;;
# Only scan these tests # Only scan these tests
--tests) --tests)
shift shift
@ -373,7 +377,7 @@
;; ;;
# Scan one or more tests from just on group # Scan one or more tests from just on group
--tests-from-group | --tests-from-groups | --test-from-group | --test-from-group) --tests-from-group | --tests-from-groups | --test-from-group | --test-from-groups)
shift shift
TEST_GROUP_TO_CHECK=$1 TEST_GROUP_TO_CHECK=$1
;; ;;
@ -383,6 +387,10 @@
UPLOAD_DATA=1 UPLOAD_DATA=1
;; ;;
--usecwd | --use-cwd)
USE_CWD=1
;;
--verbose) --verbose)
VERBOSE=1 VERBOSE=1
;; ;;
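Review bot: `--usecwd | --use-cwd` is the only case in this hunk without a descriptive comment, while the neighbouring `--upload` and `--verbose` cases have one; add a line saying what `USE_CWD=1` changes (presumably which directory files are resolved against), and make sure the option is listed in the help output so it is discoverable.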
@ -412,15 +420,62 @@
# Warnings # Warnings
--warnings-only | --show-warnings-only) --warnings-only | --show-warnings-only)
SHOW_WARNINGS_ONLY=1 SHOW_WARNINGS_ONLY=1
QUICKMODE=1
QUIET=1 QUIET=1
;; ;;
# Warning when test is slow
--slow-warning)
if [ $# -gt 1 ]; then
shift
if [ "$1" -gt 0 ] 2>/dev/null; then
SLOW_TEST_THRESHOLD="$1"
else
echo "Argument has to be number."
exit 1
fi
else
echo "Specify threshold as number of seconds above which should Lynis warn about long test."
exit 1
fi
;;
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories) --tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
echo "Error: Deprecated option ($1)" echo "Error: Deprecated option ($1)"
exit 1 exit 1
;; ;;
# Soon to be deprecated options
# Perform tests (deprecated, use audit system)
--check-all | --checkall | -c)
echo "This option (-c) is deprecated."
echo "Use: lynis audit system [options]"
ExitFatal
;;
# View program/database information
--check-update | --check-updates | --info)
echo "This option (--info) is deprecated"
echo "Use: lynis update info"
ExitFatal
;;
# Display all available options with short alias
--dump-options | --dumpoptions)
echo "This option (--dump-options) is deprecated"
echo "Use: lynis show options"
ExitFatal
;;
# License key for Lynis Enterprise
--license-key)
echo "This option is deprecated"
echo "Define a license key in /etc/lynis/custom.prf"
ExitFatal
;;
# Drop out when using wrong option(s) # Drop out when using wrong option(s)
*) *)
# Wrong option used, we bail out later # Wrong option used, we bail out later
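Review bot: `[ "$1" -gt 0 ] 2>/dev/null` is a sound way to reject non-numeric input for `--slow-warning` (the test itself fails on non-integers), but both error paths use `exit 1` rather than the `ExitFatal` used by the deprecated-option cases directly below, and the messages need a grammar pass: `Argument has to be a number.` and `Specify the threshold as the number of seconds after which Lynis should warn about a slow test.` Separately, turning `-c`, `--info`, `--dump-options` and `--license-key` from deprecation warnings into `ExitFatal` is a breaking change for existing cron jobs and wrappers; call it out in the changelog and man page.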
@ -433,5 +488,15 @@
done done
# Ensure non-interactive mode when running quietly or as cronjob
if [ ${CRONJOB} -eq 1 -o ${QUIET} -eq 1 ]; then
if [ ${QUICKMODE} -eq 0 ]; then
if [ ${QUIET} -eq 0 ]; then
echo "Switched back to quick mode (cron/non-interactive/quiet)"
fi
QUICKMODE=1
fi
fi
#================================================================================ #================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
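Review bot: `[ ${CRONJOB} -eq 1 -o ${QUIET} -eq 1 ]` uses the `-o` operator, which POSIX marks obsolescent and which some `test` implementations parse ambiguously; write it as `[ "${CRONJOB}" -eq 1 ] || [ "${QUIET}" -eq 1 ]`. The `-eq` comparisons also assume `CRONJOB`, `QUIET` and `QUICKMODE` are initialised before this file is sourced; if any of them is empty, `test` fails with a syntax error, so quote them or give them `:-0` defaults.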

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -32,9 +32,46 @@
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Reading profile/configuration ${PROFILE}" LogText "Reading profile/configuration ${PROFILE}"
FIND=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | sed 's/ /!space!/g')
for CONFIGOPTION in ${FIND}; do # Show deprecation message for old config entries such as 'config:' and 'apache:'
if ContainsString "config:" "${CONFIGOPTION}"; then FOUND=0
DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side)
if ! IsEmpty "${DATA}"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
Display --text " "
Display --text "=================================================================================================="
DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries"
Display --indent 2 --text "* ${RED}ISSUE${NORMAL}"
Display --indent 2 --text "Your profile has one or more lines that are in an old format (key:value). They need to be converted into the new format (key=value) or disabled."
Display --text " "
Display --indent 2 --text "* ${GREEN}HOW TO RESOLVE${NORMAL}"
Display --indent 2 --text "Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)"
Display --text " "
Display --text "=================================================================================================="
Display --text " "
LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
for I in ${DATA}; do
I=$(echo ${I} | sed 's/!space!/ /g')
LogText "Output: ${I}"
done
LogText "Suggestion: comment incorrect lines with a '#' and try again. Open a GitHub issue if valid characters are blocked"
ExitFatal "unexpected characters in profile. Stopping execution (security measure)"
fi
# Now parse the profile and filter out unwanted characters
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
for CONFIGOPTION in ${DATA}; do
if ContainsString "^config:" "${CONFIGOPTION}"; then
# Old style configuration # Old style configuration
OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2) OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)
VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g') VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g')
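Review bot: `ContainsString "^config:" "${CONFIGOPTION}"` passes a regex anchor to a helper whose name suggests substring matching; if `ContainsString` does not interpret `^` as an anchor, the literal `^` never matches and every old-style `config:` line falls through to the `else` branch. Either drop the `^` (the loop only sees lines selected by `grep -E "^config:|^[a-z-].*="`, so the substring form was already safe) or use a regex-aware helper. Three smaller points: the typo `contians` in the LogText; the unconditional `sleep 10` after the warning stalls cron and `--quiet` runs for no benefit, so gate it on interactive mode; and `${PROFILE}` is unquoted in both `grep -E` calls while the escape-character check quotes it.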
@ -49,8 +86,8 @@
# Is Lynis Enterprise allowed to purge this system when it is becomes outdated? # Is Lynis Enterprise allowed to purge this system when it is becomes outdated?
allow-auto-purge) allow-auto-purge)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Report "allow-auto-purge=1" Report "allow-auto-purge=1"
else else
Report "allow-auto-purge=0" Report "allow-auto-purge=0"
@ -82,15 +119,15 @@
colors) colors)
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable # Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
SETTING_COLORS=1 # default is yes SETTING_COLORS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && COLORS=0
if [ ! -z "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi if [ -n "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
Debug "Colors set to ${SETTING_COLORS}" Debug "Colors set to ${SETTING_COLORS}"
AddSetting "colors" "${SETTING_COLORS}" "Colored screen output" AddSetting "colors" "${SETTING_COLORS}" "Colored screen output"
unset SETTING_COLORS unset SETTING_COLORS
;; ;;
# Ignore configuration data # Ignore configuration data
config-data) config-data | permdir | permfile)
Debug "Ignoring configuration option, as it will be used by a specific test" Debug "Ignoring configuration option, as it will be used by a specific test"
;; ;;
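Review bot: `permdir` and `permfile` are now grouped under the `config-data` case, but the comment above it still says "Ignore configuration data"; extend it to say that these three keys are consumed by specific tests rather than here, so a reader does not mistake the new entries for a copy-paste slip.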
@ -138,27 +175,27 @@
# Do not check security repository in sources.list (Debian/Ubuntu) # Do not check security repository in sources.list (Debian/Ubuntu)
debian-skip-security-repository | debian_skip_security_repository) debian-skip-security-repository | debian_skip_security_repository)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=1
AddSetting "debian-skip-security-repository" "OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY" "Skip checking for a security repository (Debian and others)" AddSetting "debian-skip-security-repository" "OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY" "Skip checking for a security repository (Debian and others)"
;; ;;
# Debug status to show more details while running program # Debug status to show more details while running program
debug) debug)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && DEBUG=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && DEBUG=1
Debug "Debug mode set to '${DEBUG}'" Debug "Debug mode set to '${DEBUG}'"
AddSetting "debug" "${DEBUG}" "Debugging mode" AddSetting "debug" "${DEBUG}" "Debugging mode"
;; ;;
# Development mode (--developer) # Development mode (--developer)
developer-mode) developer-mode)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && DEVELOPER_MODE=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && DEVELOPER_MODE=1
Debug "Developer mode set to ${DEVELOPER_MODE}" Debug "Developer mode set to ${DEVELOPER_MODE}"
AddSetting "developer" "${DEVELOPER_MODE}" "Developer mode" AddSetting "developer" "${DEVELOPER_MODE}" "Developer mode"
;; ;;
# Show non-zero exit code when errors are found # Show non-zero exit code when errors are found
error-on-warnings) error-on-warnings)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && ERROR_ON_WARNINGS=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && ERROR_ON_WARNINGS=1
Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}" Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}"
AddSetting "error-on-warnings" "${ERROR_ON_WARNINGS}" "Use non-zero exit code if one or more warnings were found" AddSetting "error-on-warnings" "${ERROR_ON_WARNINGS}" "Use non-zero exit code if one or more warnings were found"
;; ;;
@ -169,7 +206,7 @@
OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}" OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
;; ;;
# Lynis Enterprise: group name - deprecrated option # Lynis Enterprise: group name - deprecated option
group) group)
GROUP_NAME="${VALUE}" GROUP_NAME="${VALUE}"
AddSetting "group" "${GROUP_NAME}" "Group" AddSetting "group" "${GROUP_NAME}" "Group"
@ -177,7 +214,7 @@
;; ;;
hostalias | host-alias) hostalias | host-alias)
if [ ! -z "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi if [ -n "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
;; ;;
hostid) hostid)
@ -196,13 +233,13 @@
# Language # Language
language | lang) language | lang)
LogText "Language set via profile to '${VALUE}'" LogText "Language set via profile to '${VALUE}'"
if [ ! -z "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi if [ -n "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
AddSetting "language" "${LANGUAGE}" "Language" AddSetting "language" "${LANGUAGE}" "Language"
;; ;;
# Lynis Enterprise license key # Lynis Enterprise license key
license-key | license_key) license-key | license_key)
if [ ! -z "${VALUE}" ]; then if [ -n "${VALUE}" ]; then
LICENSE_KEY="${VALUE}" LICENSE_KEY="${VALUE}"
Report "license_key=${VALUE}" Report "license_key=${VALUE}"
fi fi
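Review bot: the `-n` change is fine, but the context line `Report "license_key=${VALUE}"` copies the Lynis Enterprise license key verbatim into the report file; that predates this change, yet since the block is being touched, confirm the report file is written with permissions suitable for a credential, or record only that a key is present rather than its value.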
@ -211,7 +248,7 @@
# Do (not) log tests if they have an different operating system # Do (not) log tests if they have an different operating system
log-tests-incorrect-os | log_tests_incorrect_os) log-tests-incorrect-os | log_tests_incorrect_os)
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)") && SETTING_LOG_TESTS_INCORRECT_OS=0 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)") && SETTING_LOG_TESTS_INCORRECT_OS=0
Debug "Logging of tests with incorrect operating system set to ${SETTING_LOG_TESTS_INCORRECT_OS}" Debug "Logging of tests with incorrect operating system set to ${SETTING_LOG_TESTS_INCORRECT_OS}"
LOG_INCORRECT_OS=${SETTING_LOG_TESTS_INCORRECT_OS} LOG_INCORRECT_OS=${SETTING_LOG_TESTS_INCORRECT_OS}
;; ;;
@ -239,6 +276,11 @@
LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})" LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
;; ;;
disable-plugin)
LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
;;
# Plugin directory # Plugin directory
plugindir | plugin-dir) plugindir | plugin-dir)
if IsEmpty "${PLUGINDIR}"; then if IsEmpty "${PLUGINDIR}"; then
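Review bot: `DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"` leaves a leading space on the first entry; `SKIP_TESTS` is trimmed later in this file with `sed "s/^ //"`, so either apply the same trim to `DISABLED_PLUGINS` or build it as `${DISABLED_PLUGINS:+${DISABLED_PLUGINS} }${VALUE}`. There is also no `AddSetting` call for the new key, unlike the neighbouring `plugin` and `skip-plugins` settings, so it will not appear with the other recorded settings.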
@ -256,10 +298,10 @@
# Quick (no waiting for keypresses) # Quick (no waiting for keypresses)
quick) quick)
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable # Quick mode might already be set outside profile, so store in different variable
SETTING_QUICK_MODE=0 # default is no SETTING_QUICK_MODE=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && QUICKMODE=1 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && QUICKMODE=0
if [ ! -z "${FIND}" ]; then SETTING_QUICK_MODE=1; fi if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
Debug "Quickmode set to ${SETTING_QUICK_MODE}" Debug "Quickmode set to ${SETTING_QUICK_MODE}"
AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)" AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)"
;; ;;
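Review bot: the inverted default breaks the recorded setting. With `SETTING_QUICK_MODE=1` as the new default, a match on `^(0|false|no)$` should set `SETTING_QUICK_MODE=0`, but the hunk keeps `if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi`, so `AddSetting "quick"` always records 1 even when the profile disables quick mode (while `QUICKMODE=0` itself is applied correctly). The `refresh-repositories` block just below shows the intended pattern: match the negative value and set the setting variable to 0.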
@ -267,8 +309,8 @@
# Refresh software repositories # Refresh software repositories
refresh-repositories) refresh-repositories)
SETTING_REFRESH_REPOSITORIES=1 # default is yes SETTING_REFRESH_REPOSITORIES=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && REFRESH_REPOSITORIES=0
if [ ! -z "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi if [ -n "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}" Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}"
AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)" AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)"
;; ;;
@ -276,16 +318,16 @@
# Show more details in report # Show more details in report
show-report-solution) show-report-solution)
SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION} SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION}
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi if [ -n "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}" Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}"
;; ;;
# Inline tips about tool (default enabled) # Inline tips about tool (default enabled)
show_tool_tips | show-tool-tips) show_tool_tips | show-tool-tips)
SETTING_SHOW_TOOL_TIPS=1 # default is yes SETTING_SHOW_TOOL_TIPS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0 FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && SHOW_TOOL_TIPS=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi if [ -n "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}" Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}"
AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips" AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips"
;; ;;
@ -294,7 +336,7 @@
show-warnings-only) show-warnings-only)
QUIET=1 QUIET=1
QUICKMODE=1 QUICKMODE=1
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SHOW_WARNINGS_ONLY=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && SHOW_WARNINGS_ONLY=1
Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}" Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}"
AddSetting "show-warnings-only" "${SHOW_WARNINGS_ONLY}" "Show only warnings" AddSetting "show-warnings-only" "${SHOW_WARNINGS_ONLY}" "Show only warnings"
;; ;;
@ -303,8 +345,8 @@
skip-plugins) skip-plugins)
# Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable # Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable
SETTING_SKIP_PLUGINS=0 # default is no SETTING_SKIP_PLUGINS=0 # default is no
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && SKIP_PLUGINS=1
if [ ! -z "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi if [ -n "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}" Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}"
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins" AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
;; ;;
@ -317,7 +359,7 @@
# Do not check the latest version on the internet # Do not check the latest version on the internet
skip_upgrade_test | skip-upgrade-test) skip_upgrade_test | skip-upgrade-test)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SKIP_UPGRADE_TEST=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SKIP_UPGRADE_TEST=1
Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}" Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
;; ;;
@ -328,24 +370,38 @@
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates" AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;; ;;
ssl-certificate-paths-to-ignore)
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
;;
# Check also certificates provided by packages?
ssl-certificate-include-packages)
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
;;
# Set strict mode for development and quality purposes # Set strict mode for development and quality purposes
strict) strict)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1
;; ;;
# The name of the customer/client that uses this system # The name of the customer/client that uses this system
system-customer-name) system-customer-name)
if [ ! -z "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi if [ -n "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
;; ;;
# The groups linked to a system (system-groups=customers,webservers,production) # The groups linked to a system (system-groups=customers,webservers,production)
system-groups) system-groups)
if [ ! -z "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi if [ -n "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
;; ;;
# Tags (tags=db,production,ssn-1304) # Tags (tags=db,production,ssn-1304)
tags) tags)
if [ ! -z "${VALUE}" ]; then Report "tags=${VALUE}"; fi if [ -n "${VALUE}" ]; then Report "tags=${VALUE}"; fi
;; ;;
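Review bot: `ssl-certificate-include-packages` has no `AddSetting` call, unlike `ssl-certificate-paths` and the new `ssl-certificate-paths-to-ignore` in the same hunk, so it is not reported with the other settings; add one for consistency. In `ssl-certificate-paths-to-ignore`, `echo ${VALUE}` is unquoted, so a value containing glob characters is expanded by the shell before `tr` sees it; quote it as `echo "${VALUE}"`.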
# Define what kind of scan we are performing # Define what kind of scan we are performing
@ -359,8 +415,8 @@
# Perform upload # Perform upload
upload) upload)
SETTING_UPLOAD=no # default SETTING_UPLOAD=no # default
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && UPLOAD_DATA=1
if [ ! -z "${FIND}" ]; then SETTING_UPLOAD=1; fi if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi
Debug "Upload set to ${SETTING_UPLOAD}" Debug "Upload set to ${SETTING_UPLOAD}"
AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning" AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning"
unset SETTING_UPLOAD unset SETTING_UPLOAD
@ -413,7 +469,7 @@
# Verbose output (--verbose) # Verbose output (--verbose)
verbose) verbose)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && VERBOSE=1 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && VERBOSE=1
Debug "Verbose set to ${VERBOSE}" Debug "Verbose set to ${VERBOSE}"
AddSetting "verbose" "${VERBOSE}" "Verbose output" AddSetting "verbose" "${VERBOSE}" "Verbose output"
;; ;;
@ -441,10 +497,14 @@
# Catch all bad options and bail out # Catch all bad options and bail out
*) *)
LogText "Unknown option ${OPTION} (with value: ${VALUE})" LogText "Unknown option ${OPTION} (with value: ${VALUE})"
${ECHOCMD} ""
${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}" ${ECHOCMD:-echo} ""
${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})" ${ECHOCMD:-echo} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
${ECHOCMD} "" ${ECHOCMD:-echo} ""
${ECHOCMD:-echo} ""
${ECHOCMD:-echo} "Full line: ${CONFIGOPTION}"
${ECHOCMD:-echo} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
${ECHOCMD:-echo} ""
ExitFatal ExitFatal
;; ;;
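Review bot: `Full line: ${CONFIGOPTION}` prints the token as the loop read it, which still carries the `!space!` placeholder substituted by `sed 's/ /!space!/g'` earlier in this file; pipe it through `sed 's/!space!/ /g'`, as the `VALUE` extraction does, before displaying it. The two consecutive `${ECHOCMD:-echo} ""` calls also print a double blank line; one is enough.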
@ -456,12 +516,12 @@
################################################################################# #################################################################################
# #
SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //") SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //")
if [ ! -z "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi if [ -n "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
# #
################################################################################# #################################################################################
# #
# Add group name to report - deprecated # Add group name to report - deprecated
if [ ! -z "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi if [ -n "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
# #
################################################################################# #################################################################################
# #
@ -488,8 +548,8 @@
# #
################################################################################# #################################################################################
# #
if [ ! -z "${DEPRECATED_OPTION}" ]; then if [ -n "${DEPRECATED_OPTION}" ]; then
ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile" ReportWarning "GEN-0030" "One or more deprecated options used in profile" "${DEPRECATED_OPTION}" "Update your profile"
fi fi
# #
################################################################################# #################################################################################
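Review bot: renaming the warning identifier from `LYNIS` to `GEN-0030` is a user-visible change for anyone filtering report output by ID; add it to the changelog together with the new `GEN-0020` warning introduced earlier in this file so both identifiers are documented.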
@ -497,7 +557,6 @@
Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN
LogTextBreak
#================================================================================ #================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -21,58 +21,83 @@
# Report # Report
# #
################################################################################# #################################################################################
#
# Add additional data fields to the report file at the end of the scan
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}"
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
#
#################################################################################
# #
# Hardening Index # Hardening Index
# Define approximately how strong a machine has been hardened #
# Goal:
# Provide a visual way to show how much the system is hardened
#
# Important:
# The index gives a simplified version of the measures taken on the system.
# It should be used to get a first impression about the state of the system or to compare similar systems.
# Getting the maximum score (100 or full bar) does not indicate that the system is fully secured.
# If no hardening has been found, set value to 1 # If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL)) HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL)) HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating # Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}" HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened" HIDESCRIPTION="System has not or a low amount been hardened"
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}" HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening" HIDESCRIPTION="System has been hardened, but could use additional hardening"
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}" HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened" HIDESCRIPTION="System seem to be decent hardened"
elif [ ${HPINDEX} -gt 89 ]; then elif [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}" HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened" HIDESCRIPTION="System seem to be well hardened"
fi fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
#
#################################################################################
#
# Only show overview if not running in quiet mode # Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================" echo ""; echo "================================================================================"
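Review bot: the `case ${HPAOBLOCKS}` has no default branch, so any value outside 0..20 (including an empty HPAOBLOCKS when no hardening points were collected) leaves HPBLOCKS and HPEMPTY unset and the graph prints as `[]`; add a `*) HPBLOCKS=""; HPEMPTY="                    " ;;` fallback. Note also that 0 and 1 both map to a single `#`, so an index in 0-4 is drawn identically to 5-9. The case block and the two `LogText "Hardening ..."` lines appear twice in this hunk; if that is not an artifact of the rendered view, drop the second copy. Minor: `HIDESCRIPTION="System seem to be well hardened"` should read "System seems to be well hardened".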
@ -84,19 +109,14 @@
LogTextBreak LogTextBreak
#
#################################################################################
#
# Show test results overview # Show test results overview
#
################################################################################# if [ -z "${CONTROL_URL_PROTOCOL}" ]; then CONTROL_URL_PROTOCOL="https"; fi
# if [ -z "${CONTROL_URL_PREPEND}" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi
if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi if [ -z "${CONTROL_URL_APPEND}" ]; then CONTROL_URL_APPEND="/"; fi
if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi if [ -z "${CUSTOM_URL_PROTOCOL}" ]; then CUSTOM_URL_PROTOCOL="https"; fi
if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi if [ -z "${CUSTOM_URL_PREPEND}" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi if [ -z "${CUSTOM_URL_APPEND}" ]; then CUSTOM_URL_APPEND="/"; fi
if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
# Show warnings from logfile # Show warnings from logfile
SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g') SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g')
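Review bot: `CUSTOM_URL_PREPEND` now defaults to the placeholder `your-domain.example.org/controls/`, so any `CUST-*` finding on a system whose profile does not set a custom URL prints a link to a host that does not exist; print the custom link only when the value was explicitly configured, or make the placeholder obviously non-clickable. The `-z` rewrites of the `= ""` tests in this hunk are fine. `${GREPBINARY} 'Warning: ' ${LOGFILE}` passes LOGFILE unquoted; quote it like the other paths.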
@ -119,7 +139,7 @@
done done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST") IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${RED}!${NORMAL} ${SHOWWARNING}" echo " ${RED}!${NORMAL} ${SHOWWARNING}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}" echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
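Review bot: `IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")` calls bare `grep` while the rest of the block goes through `${GREPBINARY}`; use the wrapper, or avoid the subshell entirely with `case ${ADDLINK} in CUST*) IS_CUSTOM=1 ;; esac`. The `-a` inside `[ ... ]` is obsolescent in POSIX; since the `DETAILS` line is being touched anyway, `[ "${DETAILS}" != "-" ] && [ -n "${DETAILS}" ]` is the portable spelling.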
@ -152,7 +172,7 @@
done done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST") IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}" echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
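Review bot: this suggestion loop is a copy of the warning loop above with only the marker (`*` vs `!`), the colour and the GRAY link styling differing; folding both into one function taking the marker and colour would have let the `-n` fix be made once and keeps the two outputs from drifting. The same `grep` vs `${GREPBINARY}` remark applies to the `IS_CUSTOM` line here.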
@ -178,7 +198,11 @@
echo "" echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}" echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}" echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi if [ ${SKIP_PLUGINS} -eq 0 ]; then
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
else
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
fi
echo "" echo ""
echo " ${WHITE}Components${NORMAL}:" echo " ${WHITE}Components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
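Review bot: the new `else` branch prints `Plugins enabled : Skipped`, which reads as if "Skipped" were a count under a label that promises a number; a label such as `Plugins : skipped` is clearer. `${SKIP_PLUGINS}` is used unquoted in `-eq`, which becomes a syntax error if the variable is ever unset; quote it or default it (`${SKIP_PLUGINS:-0}`).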
@ -191,15 +215,31 @@
echo " - Malware scanner [${MALWARE}${NORMAL}]" echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo "" echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:" echo " ${SECTION}Scan mode${NORMAL}:"
if [ ${DEVOPS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [ ] Integration [V] Pentest [ ]"
elif [ ${FORENSICS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [V] Integration [ ] Pentest [ ]"
elif [ ${PENTESTINGMODE} -eq 1 ]; then
if [ ${PRIVILEGED} -eq 0 ]; then
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running non-privileged)"
else
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running privileged)"
fi
else
echo " Normal [V] Forensics [ ] Integration [ ] Pentest [ ]"
fi
echo ""
echo " ${SECTION}Lynis modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else else
COMPLIANCE="${YELLOW}?" COMPLIANCE="${YELLOW}?"
fi fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]" echo " - Compliance status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]" echo " - Security audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" echo " - Vulnerability scan [${GREEN}V${NORMAL}]"
echo "" echo ""
echo " ${SECTION}Files${NORMAL}:" echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
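Review bot: the Scan mode block is an if/elif chain over DEVOPS_MODE, FORENSICS_MODE and PENTESTINGMODE, so when more than one flag is set only the first match is ticked and the others are silently shown as `[ ]`; if the modes are meant to be mutually exclusive, enforce that where the options are parsed, otherwise build the four boxes independently. The `(running privileged)` / `(running non-privileged)` suffix is only printed for pentest mode although PRIVILEGED is just as relevant to the other three. Minor: the heading uses `${SECTION}` while `Components` a few lines earlier uses `${WHITE}`; pick one, and the `Compliance status` / `Security audit` / `Vulnerability scan` case change is good.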
@ -221,7 +261,7 @@
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions # Determine if the quality of the program can be increased by filtering out the exceptions
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE}) FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
echo "" echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}" echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}" echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
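Review bot: `${GREPBINARY} "^exception" ${REPORTFILE}` passes REPORTFILE unquoted; the surrounding `if` already excludes `""` and `/dev/null`, but quoting the path is cheap and matches the `-n "${FIND}"` rewrite in this hunk. The three-way `-a` chain on the `if` line could become `[ "${PROGRAM_LV}" != "0" ] && [ -n "${REPORTFILE}" ] && [ "${REPORTFILE}" != "/dev/null" ]`.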

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -42,7 +42,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available" LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3 AddHP 2 3
fi fi
fi fi
@ -61,7 +61,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available" LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3 AddHP 2 3
fi fi
fi fi
@ -90,7 +90,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)" LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3 AddHP 2 3
fi fi
fi fi
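Review bot: the unchanged LogText in this hunk names `${ROOTDIR}var/log/account/pact` and `${ROOTDIR}var/log/pact` while the first path is `pacct`; if the files actually tested are `pacct` (the process accounting file name), the message has the same typo twice. Quoting `"${TEST_NO}"` is consistent with the other hunks.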
@ -105,28 +105,28 @@
if [ -f ${ROOTDIR}etc/default/sysstat ]; then if [ -f ${ROOTDIR}etc/default/sysstat ]; then
LogText "Result: ${ROOTDIR}etc/default/sysstat found" LogText "Result: ${ROOTDIR}etc/default/sysstat found"
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true) FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat" LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat" LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (disabled)"
fi fi
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat) FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat" LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat" LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)" ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
fi fi
else else
LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat" LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)" ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
fi fi
fi fi
# #
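Review bot: `${GREPBINARY} "^ENABLED" ... | ${GREPBINARY} -i true` treats any line starting with ENABLED that contains `true` anywhere as enabled, so `ENABLED="false"  # set to true to activate` is reported as enabled; anchor on the value instead, e.g. `${GREPBINARY} -Ei '^ENABLED=.?true'`. The `-f ${ROOTDIR}etc/default/sysstat` and `-f ${ROOTDIR}etc/cron.d/sysstat` tests also pass their paths unquoted.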
@ -134,13 +134,12 @@
# #
# Test : ACCT-9628 # Test : ACCT-9628
# Description : Check auditd status # Description : Check auditd status
if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd" Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check auditd status" LogText "Test: Check auditd status"
# Should not get kauditd # Should not get kauditd
IsRunning auditd if IsRunning "auditd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: auditd running" LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN
LINUX_AUDITD_RUNNING=1 LINUX_AUDITD_RUNNING=1
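Review bot: `if IsRunning "auditd"; then` now depends on the helper's exit status instead of `${RUNNING}`; make sure IsRunning returns non-zero when nothing matches, and that the `# Should not get kauditd` comment still holds, i.e. the match is on the exact process name rather than a substring (kauditd contains auditd). Any other caller in the tree that still reads `${RUNNING}` after this call needs the same conversion.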
@ -152,7 +151,7 @@
LogText "Result: auditd not active" LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" ReportSuggestion "${TEST_NO}" "Enable auditd to collect audit information"
fi fi
AddHP 0 1 AddHP 0 1
Report "linux_auditd_running=0" Report "linux_auditd_running=0"
@ -163,7 +162,7 @@
# #
# Test : ACCT-9630 # Test : ACCT-9630
# Description : Check auditd rules # Description : Check auditd rules
if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules" Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd rules" LogText "Test: Checking auditd rules"
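Review bot: `[ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]` uses LINUX_AUDITD_RUNNING unquoted; if ACCT-9628 was skipped the variable may be unset and the test degenerates to `-a -eq 1`, a syntax error rather than `PREQS_MET="NO"`. Default it (`${LINUX_AUDITD_RUNNING:-0}`) or initialise it before the tests; the same applies to the ACCT-9632 and ACCT-9634 prerequisite lines below.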
@ -172,7 +171,7 @@
LogText "Result: auditd rules empty" LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2 AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" ReportSuggestion "${TEST_NO}" "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else else
LogText "Result: found auditd rules" LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
@ -189,7 +188,7 @@
# #
# Test : ACCT-9632 # Test : ACCT-9632
# Description : Check auditd configuration file # Description : Check auditd configuration file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file" Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd configuration file" LogText "Test: Checking auditd configuration file"
@ -202,12 +201,12 @@
fi fi
done done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running # Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! -z "${AUDITD_CONF_FILE}" ]; then if [ -n "${AUDITD_CONF_FILE}" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: could not find auditd configuration file" LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" ReportSuggestion "${TEST_NO}" "Determine the location of auditd configuration file"
fi fi
fi fi
# #
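Review bot: in the `else` branch (`could not find auditd configuration file`) the Display call shows `${STATUS_FOUND}` in red; the result should be `${STATUS_NOT_FOUND}` to match the LogText and the suggestion on the next line. Also, the comment `It should be there is the binaries are available` should read `if the binaries are available`.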
@ -215,12 +214,12 @@
# #
# Test : ACCT-9634 # Test : ACCT-9634
# Description : Check auditd log file # Description : Check auditd log file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file" Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd log file" LogText "Test: Checking auditd log file"
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }') FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: log file is defined" LogText "Result: log file is defined"
LogText "Defined value: ${FIND}" LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then if [ -f ${FIND} ]; then
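Review bot: `if [ -f ${FIND} ]` tests the path taken from auditd.conf unquoted and without `${ROOTDIR}`, while every other path in this file is prefixed with `${ROOTDIR}`; when auditing a mounted image, an absolute `log_file = /var/log/audit/audit.log` will be checked on the host instead of the target. Consider `[ -f "${ROOTDIR}${FIND#/}" ]` (ROOTDIR already ends in a slash in the other paths here).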
@ -230,12 +229,12 @@
else else
LogText "Result: can't find log file ${FIND} on disk" LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location" ReportSuggestion "${TEST_NO}" "Check auditd log file location"
fi fi
else else
LogText "Result: no log file found" LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk" ReportWarning "${TEST_NO}" "Auditd log file is defined but can not be found on disk"
fi fi
fi fi
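Review bot: the two branches carry each other's message: the branch entered when `log_file` is defined but missing (`can't find log file ${FIND} on disk`) only raises the suggestion `Check auditd log file location`, while the `else` branch, entered when no `log_file` line was found at all, raises the warning `Auditd log file is defined but can not be found on disk`. Move the warning text to the first branch and make the `else` say that no log_file is defined in `${AUDITD_CONF_FILE}`.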
# #
@ -252,14 +251,14 @@
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed" LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload) FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found snoopy in ld.so.preload" LogText "Result: found snoopy in ld.so.preload"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
Report "audit_trail_tool[]=snoopy" Report "audit_trail_tool[]=snoopy"
else else
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload" ReportSuggestion "${TEST_NO}" "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
AddHP 3 3 AddHP 3 3
fi fi
else else
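Review bot: `${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload` passes the library name unquoted and as a regex; use `${GREPBINARY} -F "${FILE}" "${ROOTDIR}etc/ld.so.preload"`. In the not-loaded branch `AddHP 3 3` awards the full hardening score although the line above issues a suggestion that snoopy is installed but not preloaded; that looks inverted, so check it against the points given in the LOADED branch and use `AddHP 0 3` (or a partial score) here.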
@ -277,8 +276,7 @@
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --category security --description "Check Solaris audit daemon" Register --test-no ACCT-9650 --os Solaris --weight L --network NO --category security --description "Check Solaris audit daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if audit daemon is running" LogText "Test: check if audit daemon is running"
IsRunning auditd if IsRunning "auditd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Solaris audit daemon is running" LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1 SOLARIS_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1 AUDIT_DAEMON_RUNNING=1
@ -298,7 +296,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if auditd service is enabled and online" LogText "Test: check if auditd service is enabled and online"
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online") FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: auditd service is online" LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
else else
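Review bot: `--result "${STATUS_ON}"LINE` closes the quote before `LINE`, so the displayed result is whatever `${STATUS_ON}` expands to with `LINE` appended; it only spells ONLINE by accident. Use the intended constant (`"${STATUS_ONLINE}"` if one exists) or the literal `"ONLINE"`. `${ROOTDIR}usr/bin/svcs` is also executed without first checking that it exists, unlike the `-x ${ROOTDIR}usr/sbin/modinfo` guard used further down.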
@ -317,7 +315,7 @@
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system" LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
if [ -f ${ROOTDIR}etc/system ]; then if [ -f ${ROOTDIR}etc/system ]; then
FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system) FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system" LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
else else
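Review bot: the BSM check greps the literal `set c2audit:audit_load = 1`, so `set c2audit:audit_load=1` or any extra whitespace in `${ROOTDIR}etc/system` is reported as not enabled; match with `${GREPBINARY} -E '^[[:space:]]*set[[:space:]]+c2audit:audit_load[[:space:]]*=[[:space:]]*1'` instead.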
@ -339,7 +337,7 @@
LogText "Test: check if c2audit module is active" LogText "Test: check if c2audit module is active"
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit) FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: c2audit found in modinfo output" LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -362,7 +360,7 @@
if [ -f ${ROOTDIR}etc/security/audit_control ]; then if [ -f ${ROOTDIR}etc/security/audit_control ]; then
LogText "Result: file ${ROOTDIR}etc/security/audit_control found" LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }') FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found location ${FIND}" LogText "Result: found location ${FIND}"
LogText "Test: Checking if location is a valid directory" LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then if [ -d ${FIND} ]; then
@ -415,4 +413,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, Michael Boelen / CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020, Michael Boelen / CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -40,8 +40,13 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0 # Search accounts with UID 0
LogText "Test: Searching accounts with UID 0" LogText "Test: Searching accounts with UID 0"
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') # Check if device is a QNAP, as the root user is called admin, and not root
if [ ! -z "${FIND}" ]; then if [ ${QNAP_DEVICE} -eq 1 ]; then
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts" LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file" ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
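Review bot: the two pipelines differ only in the excluded account name (`^admin:` vs `^root:`); set a variable (e.g. `ADMIN_ACCOUNT="root"`, `admin` when `QNAP_DEVICE` is 1) and run one pipeline so the two regexes cannot drift apart. `${QNAP_DEVICE} -eq 1` is unquoted, so the test errors if QNAP_DEVICE was never set; default it to 0 where the other device flags are initialised. Note also that on a QNAP a `root` entry with UID 0, if present, will now be listed as an extra administrator; say in a comment whether that is intended.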
@ -51,7 +56,7 @@
if [ "${USER}" = "toor" ]; then if [ "${USER}" = "toor" ]; then
LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it" LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user." LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used." ReportSuggestion "${TEST_NO}" "Use vipw to delete the 'toor' user if not used."
fi fi
done done
else else
@ -82,7 +87,7 @@
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
LogText "Result: found multiple accounts with same UID" LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}" LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID" ReportWarning "${TEST_NO}" "Multiple accounts found with same UID"
fi fi
else else
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
@ -110,7 +115,7 @@
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
LogText "Result: chkgrp found some errors. Run the tool manually to see details." LogText "Result: chkgrp found some errors. Run the tool manually to see details."
LogText "chkgrp output: ${FIND}" LogText "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "chkgrp reported inconsistencies in /etc/group file" ReportWarning "${TEST_NO}" "chkgrp reported inconsistencies in /etc/group file"
fi fi
fi fi
# #
@ -119,7 +124,7 @@
# Test : AUTH-9216 # Test : AUTH-9216
# Description : Check /etc/group and shadow group files # Description : Check /etc/group and shadow group files
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files) # Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files" Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for grpck binary output" LogText "Test: Checking for grpck binary output"
@ -142,7 +147,7 @@
LogText "Result: grpck binary didn't find any errors in the group files" LogText "Result: grpck binary didn't find any errors in the group files"
else else
Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "grpck binary found errors in one or more group files" ReportWarning "${TEST_NO}" "grpck binary found errors in one or more group files"
fi fi
unset FIND unset FIND
fi fi
@ -152,51 +157,7 @@
# Test : AUTH-9218 # Test : AUTH-9218
# Description : Check login shells for passwordless accounts # Description : Check login shells for passwordless accounts
# Notes : Results should be checked # Notes : Results should be checked
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts" Register --test-no AUTH-9218 --os "DragonFly FreeBSD NetBSD OpenBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking login shells"
if [ -f ${ROOTDIR}etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
for LINE in ${FIND}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
LogText "Output: ${LINE}"
if [ -z "${SHELL}" ]; then
LogText "Result: found no shell on line"
else
LogText "Result: found possible harmful shell ${SHELL}"
if [ -f ${SHELL} ]; then
LogText "Result: shell ${SHELL} does exist"
FOUND=1
else
LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
fi
fi
else
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: No /etc/master.passwd file found"
fi
unset LINE SHELL
fi
#
#################################################################################
#
# Test : AUTH-9489
# Description : Check login shells for passwordless accounts
# Notes : Results should be checked
Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Test: Checking login shells" LogText "Test: Checking login shells"
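Review bot: merging the FreeBSD body of AUTH-9218 and the DragonFly-only AUTH-9489 into one test registered with `--os "DragonFly FreeBSD NetBSD OpenBSD"` removes the AUTH-9489 test id, so any profile that references AUTH-9489 (for example to skip it) stops matching silently; the changelog should list the removed id. The deleted FreeBSD copy also mixed paths, testing `-f ${ROOTDIR}etc/master.passwd` but grepping `/etc/master.passwd`; confirm the surviving body uses `${ROOTDIR}etc/master.passwd` in both places. Adding `--root-only YES` is correct here, since master.passwd is only readable by root.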
@ -220,12 +181,12 @@
FOUND=1 FOUND=1
else else
LogText "Result: shell ${SHELL} does not exist" LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist" ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
fi fi
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)" ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
fi fi
fi fi
else else
@ -254,7 +215,7 @@
Report "auth_groups_nonunique[]=${I}" Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}" LogText "Non-unique group: ${I}"
done done
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct any inconsistencies" ReportSuggestion "${TEST_NO}" "Check your /etc/group file and correct any inconsistencies"
fi fi
fi fi
# #
@ -278,7 +239,7 @@
Report "auth_groups_nonunique[]=${I}" Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}" LogText "Non-unique group: ${I}"
done done
ReportSuggestion ${TEST_NO} "Check your ${ROOTDIR}etc/group file and correct any inconsistencies" ReportSuggestion "${TEST_NO}" "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
fi fi
fi fi
# #
@ -297,7 +258,7 @@
FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?) FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?)
TESTED=1 TESTED=1
;; ;;
"Solaris") "Solaris" | "HP-UX")
FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?) FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?)
TESTED=1 TESTED=1
;; ;;
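Review bot: the new case label `"Solaris" | "HP-UX")` spells the OS as `HP-UX`, whereas the rest of this file compares `${OS}` against `"HPUX"` (see the `${OS} = "HPUX"` condition in the AUTH-9268 hunk further down and the `# HPUX: 100+` note in AUTH-9234). Unless OS detection really sets `HP-UX`, this arm never matches on HP-UX and the pwck consistency check is silently skipped there; use the spelling that the OS detection code actually produces.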
@ -314,19 +275,138 @@
else else
Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: pwck found one or more errors/warnings in the password file." LogText "Result: pwck found one or more errors/warnings in the password file."
ReportSuggestion ${TEST_NO} "Run pwck manually and correct any errors in the password file" ReportSuggestion "${TEST_NO}" "Run pwck manually and correct any errors in the password file"
AddHP 0 2 AddHP 0 2
fi fi
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9229
# Description : Check password hashing methods vs. recommendations in crypt(5)
# Notes : Applicable to all Unix-like OS
# Requires read access to /etc/shadow (if it exists)
ParsePasswordEntry() {
METHOD=$1
case ${METHOD} in
1:\* | 1:x | 0: | *:!* | *LOCK*)
# disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
;;
*:\$5\$*| *:\$6\$*)
# sha256crypt | sha512crypt: check number of rounds, should be >5000
ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
if [ -z "${ROUNDS}" ]; then
echo 'sha256crypt/sha512crypt(default<=5000rounds)'
elif [ "${ROUNDS}" -le 5000 ]; then
echo 'sha256crypt/sha512crypt(<=5000rounds)'
fi
;;
*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
# yescrypt | gost-yescrypt | bcrypt | scrypt
;;
*:_*)
echo bsdicrypt
;;
*:\$1\$*)
echo md5crypt
;;
*:\$3\$*)
echo NT
;;
*:\$md5*)
echo SunMD5
;;
*:\$sha1*)
echo sha1crypt
;;
13:* | 178:*)
echo bigcrypt/descrypt
;;
*)
echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
;;
esac
}
Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking password hashing methods"
SHADOW="";
if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
ParsePasswordEntry ${METHOD}
done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
LogText "Result: no poor password hashing methods found"
AddHP 2 2
else
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: poor password hashing methods found: ${FIND}"
ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Test : AUTH-9230
# Description : Check group password hashing rounds in login.defs
# Notes : Applicable to all Unix-like OS
PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/login.defs ]; then
PREQS_MET="YES"
fi
Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }')
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: number of minimum rounds used by the encryption algorithm is not configured"
Display --indent 2 --text "- Checking minimum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorithm rounds in /etc/login.defs"
AddHP 0 2
elif [ "${FIND}" -lt 5000 ]; then
LogText "Result: low number of minimum encryption algorithm rounds found: ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 2
else
LogText "Result: number of encryption algorithm rounds is ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN
AddHP 2 2
fi
LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }')
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: number of maximum rounds used by the encryption algorithm is not configured"
Display --indent 2 --text "- Checking maximum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorithm rounds in /etc/login.defs"
AddHP 0 2
elif [ "${FIND}" -lt 10000 ]; then
LogText "Result: low number of maximum encryption algorithm rounds found: ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (maximum)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 2
else
LogText "Result: number of encryption algorithm rounds is ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (maximum)" --result CONFIGURED --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
# #
# Test : AUTH-9234 # Test : AUTH-9234
# Description : Query user accounts # Description : Query user accounts
# Notes : AIX: 100+ # Notes : AIX: 100+
# HPUX: 100+ # HPUX: 100+
# macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd) # macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd)
# OpenBSD/NetBSD: unknown # OpenBSD/NetBSD: 1000-60000, excluding 32767 (default)
# Arch Linux / CentOS / Ubuntu: 1000+ # Arch Linux / CentOS / Ubuntu: 1000+
Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts" Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
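Review bot: in AUTH-9230 both SHA_CRYPT_MAX_ROUNDS branches assign `PASSWORD_MINIMUM_ROUNDS=${FIND}`, overwriting the minimum recorded a few lines earlier with the maximum value; use a separate variable (for example PASSWORD_MAXIMUM_ROUNDS) or drop the assignment. In AUTH-9229, `ParsePasswordEntry ${METHOD}` should quote its argument, because values such as `1:*` are subject to pathname expansion when passed unquoted; inside the function, bare `sed` should be `${SEDBINARY}` like the other tools, and `${CAT_BINARY}` does not follow the `${AWKBINARY}`/`${SORTBINARY}`/`${TRBINARY}` naming used on the same line, so confirm that variable is actually defined. The prefix list recognises bcrypt only as `$2b$`; the `$2a$` and `$2y$` bcrypt prefixes are still widely produced and would fall through to the "Unknown password hashing method" arm and be reported as poor, so consider adding them to the same arm as `$2b$`.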
@ -358,7 +438,7 @@
"macOS") "macOS")
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil" LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}') FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
if [ ! -z "${FIND_USERS}" ]; then if [ -n "${FIND_USERS}" ]; then
for FUSERNAME in ${FIND_USERS}; do for FUSERNAME in ${FIND_USERS}; do
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}') FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
FIND="${FUSERNAME},${FDETAILS} ${FIND}" FIND="${FUSERNAME},${FDETAILS} ${FIND}"
@ -368,9 +448,21 @@
fi fi
;; ;;
"OpenBSD") "NetBSD"|"OpenBSD")
LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):" if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then
FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd) UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }')
fi
if [ -n "${UID_RANGE}" ]; then
LogText "Result: found configured user id range specified: ${UID_RANGE}"
UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }')
UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }')
else
UID_MIN=1000
UID_MAX=60000
LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}"
fi
LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):"
FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -v UID_MAX="${UID_MAX}" -F: '($3 >= UID_MIN && $3 <= UID_MAX && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
;; ;;
"Solaris") "Solaris")
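Review bot: `UID_RANGE` is not initialised before `if [ -f ${ROOTDIR}etc/usermgmt.conf ]`, so when the file is absent the `-n "${UID_RANGE}"` test sees whatever an earlier test left in that variable; set `UID_RANGE=""` first and unset UID_MIN/UID_MAX afterwards. The final awk still reads `/etc/passwd` while the usermgmt.conf lookup uses `${ROOTDIR}`; use `${ROOTDIR}etc/passwd` for both. Minor: `echo $UID_RANGE` is unquoted and without braces, unlike the rest of the file.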
@ -392,7 +484,7 @@
else else
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
if [ ! -z "${I}" ]; then if [ -n "${I}" ]; then
LogText "Real user: ${I}" LogText "Real user: ${I}"
Report "real_user[]=${I}" Report "real_user[]=${I}"
fi fi
@ -414,7 +506,7 @@
else else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled" LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -441,7 +533,7 @@
else else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled" LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -473,10 +565,10 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})" LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Sudoers file(s)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: sudoers file NOT found" LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
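Review bot: the two Display labels now differ (`- Sudoers file(s)` when found, `- Sudoers file` when not found); use one label for both outcomes so the screen output lines up regardless of result.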
@ -484,38 +576,66 @@
# #
# Test : AUTH-9252 # Test : AUTH-9252
# Description : Check ownership and permissions for sudo configuration files # Description : Check ownership and permissions for sudo configuration files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files" Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
SUDO_CONFIG_FILES="${SUDOERS_FILE}" SUDO_CONFIG_FILES="${SUDOERS_FILE}"
SUDOERS_D="${SUDOERS_FILE}.d" SUDOERS_D="${SUDOERS_FILE}.d"
if [ -d "${SUDOERS_D}" ]; then if [ -d "${SUDOERS_D}" ]; then
LogText "Test: checking drop-in directory (${SUDOERS_D})" LogText "Test: checking drop-in directory (${SUDOERS_D})"
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') FIND2=$(${LSBINARY} -lnd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}" LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then case "${FIND}" in
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK" rwx[r-][w-][x-]--- )
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN LogText "Result: directory ${SUDOERS_D} permissions OK"
else if [ "${FIND2}" = "00" ]; then
LogText "Result: directory has possibly unsafe permissions/ownership" LogText "Result: directory ${SUDOERS_D} ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
fi else
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
fi Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
for f in ${SUDO_CONFIG_FILES}; do fi
LogText "Test: checking file (${f})" ;;
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) * )
FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') LogText "Result: directory ${SUDOERS_D} has possibly unsafe permissions"
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}" if [ "${FIND2}" = "00" ]; then
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then LogText "Result: directory ${SUDOERS_D} ownership OK"
LogText "Result: file ${f} permissions/ownerhsip OK" else
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
else fi
LogText "Result: file has possibly unsafe permissions/ownership" Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED ;;
esac
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi fi
done for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -ln ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file ${f} permissions OK"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file ${f} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: file ${f} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
else
LogText "Result: file ${f} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
;;
esac
done
fi fi
# #
################################################################################# #################################################################################
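Review bot: neither the directory nor the file branch calls ReportWarning or AddHP when it displays `--result "${STATUS_WARNING}"`, so a world-readable or non-root-owned sudoers drop-in is logged and shown on screen but never reaches the report file or the hardening score; add `ReportWarning "${TEST_NO}" ...` in the unsafe branches, as AUTH-9216 above does for grpck errors. The two arms of each case also duplicate the `"${FIND2}" = "00"` ownership check and its log lines; evaluating it once before the case and combining the two results would halve the block. Note that the new file pattern `r[w-]-[r-][w-]----` accepts more modes than the old three-value list (for example `rw-r-----`), which is fine given the uid/gid 0 requirement but deserves a comment, and `for f in ${SUDO_CONFIG_FILES}` still splits on whitespace, so drop-in names containing spaces are mishandled.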
@ -530,7 +650,7 @@
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else else
for I in ${FIND}; do for I in ${FIND}; do
ReportWarning ${TEST_NO} "Found passwordless account (${I})" ReportWarning "${TEST_NO}" "Found passwordless account (${I})"
done done
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
fi fi
@ -597,7 +717,7 @@
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found" LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc" ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
@ -639,12 +759,12 @@
# Description : Searching available PAM configurations (/etc/pam.d) # Description : Searching available PAM configurations (/etc/pam.d)
Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files" Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking directory /etc/pam.d" LogText "Test: Checking directory ${ROOTDIR}etc/pam.d"
if [ -d ${ROOTDIR}etc/pam.d ]; then if [ -d ${ROOTDIR}etc/pam.d ]; then
LogText "Result: directory /etc/pam.d exists" LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files" LogText "Test: searching PAM configuration files"
FIND=$(find /etc/pam.d -type f -print | sort) FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
for FILE in ${FIND}; do for FILE in ${FIND}; do
LogText "Found file: ${FILE}" LogText "Found file: ${FILE}"
done done
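Review bot: `LogText "Result: directory /etc/pam.d exists"` still hardcodes the path while the Test log line above it and the `${FINDBINARY}` call were switched to `${ROOTDIR}etc/pam.d`; use `${ROOTDIR}` there too. The trailing `| sort` should be `${SORTBINARY}` for consistency with the rest of the pipeline.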
@ -658,9 +778,9 @@
# #
# Test : AUTH-9268 # Test : AUTH-9268
# Description : Searching available PAM files # Description : Searching available PAM files
# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris # Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris
if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi OS_USES_PAM="AIX DragonFly FreeBSD Linux HPUX NetBSD Solaris"
Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files" Register --test-no AUTH-9268 --os "${OS_USES_PAM}" --weight L --network NO --category security --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Test: Searching pam modules" LogText "Test: Searching pam modules"
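Review bot: the Notes comment lists `AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris` but `OS_USES_PAM` also contains DragonFly; keep the comment in sync with the variable (or have the comment refer to the variable) so the two do not drift again. Also check that `HPUX` here matches the value OS detection sets, given the `"HP-UX"` spelling introduced in the pwck case above.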
@ -669,13 +789,13 @@
if [ -d ${DIR} -a ! -L ${DIR} ]; then if [ -d ${DIR} -a ! -L ${DIR} ]; then
LogText "Result: directory ${DIR} exists" LogText "Result: directory ${DIR} exists"
# Search in the specified directory # Search in the specified directory
if [ "${OS}" = "Solaris" ]; then if [ "${OS}" = "AIX" -o "${OS}" = "Solaris" ]; then
# Solaris does not support -maxdepth # AIX/Solaris does not support -maxdepth
FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort) FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort)
else else
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort) FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
fi fi
if [ ! -z "${FIND}" ]; then FOUND=1; fi if [ -n "${FIND}" ]; then FOUND=1; fi
for FILE in ${FIND}; do for FILE in ${FIND}; do
LogText "Found file: ${FILE}" LogText "Found file: ${FILE}"
Report "pam_module[]=${FILE}" Report "pam_module[]=${FILE}"
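Review bot: the changed comment should read `# AIX/Solaris do not support -maxdepth` (plural), and both branches still call bare `find` where the AUTH-9266 hunk above switched to `${FINDBINARY}`; use the variable here as well so the same binary is used throughout the file.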
@ -691,32 +811,39 @@
else else
Display --indent 2 --text "- PAM modules" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- PAM modules" --result "${STATUS_FOUND}" --color GREEN
fi fi
unset DIR; unset FILE; unset FIND unset DIR FILE FIND
fi fi
# #
################################################################################# #################################################################################
# #
# Test : AUTH-9278 # Test : AUTH-9278
# Description : Search LDAP support in PAM files # Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence /etc/pam.d/common-auth" AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth"
if [ -f /etc/pam.d/common-auth ]; then for FILE in ${AUTH_FILES}; do
LogText "Result: file /etc/pam.d/common-auth exists" LogText "Test: checking presence ${FILE}"
LogText "Test: checking presence LDAP module" if [ -f ${FILE} ]; then
FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth) LogText "Result: file ${FILE} exists"
if [ ! "${FIND}" = "" ]; then LogText "Test: checking presence LDAP module"
LogText "Result: LDAP module present" FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
LogText "Output: ${FIND}" if [ -n "${FIND}" ]; then
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN LogText "Result: LDAP module present"
LDAP_AUTH_ENABLED=1 LogText "Output: ${FIND}"
LDAP_PAM_ENABLED=1 LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
LogText "Result: LDAP module not found"
fi
else else
LogText "Result: LDAP module not found" LogText "Result: file ${FILE} not found, skipping test"
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
done
if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: file /etc/pam.d/common-auth not found, skipping test" Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
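Review bot: `if [ ${LDAP_PAM_ENABLED} -eq 1 ]` after the loop only works if LDAP_PAM_ENABLED already holds a number; this hunk only ever sets it to 1, so unless something earlier initialises it, the test fails with "unary operator expected" when neither common-auth nor system-auth contains an LDAP auth line. Initialise it (`LDAP_PAM_ENABLED=0`) before the loop or test `"${LDAP_PAM_ENABLED:-0}"`. Minor: quote `${FILE}` in `[ -f ${FILE} ]` and in the grep call, and `unset FILE FIND` at the end as the AUTH-9268 block does.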
@ -726,28 +853,28 @@
# Note : Every Linux based operating system seem to have different passwd # Note : Every Linux based operating system seem to have different passwd
# options, so we have to check the version first. # options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then if [ "${OS}" = "Linux" ]; then
if [ ${OS_REDHAT_OR_CLONE} -eq 0 ]; then if [ "${OS_REDHAT_OR_CLONE}" -eq 0 ]; then
case ${LINUX_VERSION} in case ${LINUX_VERSION} in
"SuSE") "SuSE")
PREQS_MET="YES" PREQS_MET="YES"
FIND=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;; ;;
*) *)
PREQS_MET="YES" PREQS_MET="YES"
FIND=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;; ;;
esac esac
elif [ ${OS_REDHAT_OR_CLONE} -eq 1 ]; then elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
PREQS_MET="YES" PREQS_MET="YES"
FIND=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done) FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
else else
LogText "Result: skipping test for this Linux version" LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01" ReportManual "AUTH-9282:01"
PREQS_MET="NO" PREQS_MET="NO"
FIND="" FIND_P=""
FIND2="" FIND2=""
fi fi
else else
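Review bot: the Red Hat branch runs `passwd -S "$I"` twice per account (once for FIND_P, once for FIND2); a single loop that captures the status line once and derives both lists from it would halve the number of passwd invocations on large systems. Renaming FIND to FIND_P is a good change, since AUTH-9282 reads the value after other tests have had a chance to reuse FIND. The comment `Every Linux based operating system seem to have` should read `seems to have`.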
@ -757,18 +884,18 @@
# Test : AUTH-9282 # Test : AUTH-9282
# Description : Search password protected accounts without expire (Linux) # Description : Search password protected accounts without expire (Linux)
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date" Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date"
if [ ${SKIPTEST} -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking Linux version and password expire date status" LogText "Test: Checking Linux version and password expire date status"
if [ -z "${FIND}" ]; then if [ -z "${FIND_P}" ]; then
LogText "Result: all accounts seem to have an expire date" LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more accounts with expire date set" LogText "Result: found one or more accounts without expire date set"
for I in ${FIND}; do for I in ${FIND_P}; do
LogText "Account without expire date: ${I}" LogText "Account without expire date: ${I}"
done done
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts" ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts"
fi fi
fi fi
# #
@ -777,7 +904,7 @@
# Test : AUTH-9283 # Test : AUTH-9283
# Description : Search passwordless accounts # Description : Search passwordless accounts
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password" Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
if [ ${SKIPTEST} -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking passwordless accounts" LogText "Test: Checking passwordless accounts"
if [ -z "${FIND2}" ]; then if [ -z "${FIND2}" ]; then
LogText "Result: all accounts seem to have a password" LogText "Result: all accounts seem to have a password"
@ -789,7 +916,7 @@
Report "account_without_password=${I}" Report "account_without_password=${I}"
done done
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password" ReportWarning "${TEST_NO}" "Found accounts without password"
fi fi
fi fi
# #
@ -808,10 +935,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PASS_MIN_DAYS option in ${ROOTDIR}etc/login.defs" LogText "Test: Checking PASS_MIN_DAYS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }') FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured" LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs" ReportSuggestion "${TEST_NO}" "Configure minimum password age in /etc/login.defs"
AddHP 0 1 AddHP 0 1
else else
LogText "Result: password needs to be at least ${FIND} days old" LogText "Result: password needs to be at least ${FIND} days old"
@ -825,7 +952,7 @@
if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured" LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs" ReportSuggestion "${TEST_NO}" "Configure maximum password age in /etc/login.defs"
AddHP 0 1 AddHP 0 1
else else
LogText "Result: max password age is ${FIND} days" LogText "Result: max password age is ${FIND} days"
@ -851,12 +978,12 @@
NOW=$(date "+%s") NOW=$(date "+%s")
fi fi
DAYS_SINCE_EPOCH=$((${NOW}/86400)) DAYS_SINCE_EPOCH=$((NOW / 86400))
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for ACCOUNT in ${FIND}; do for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired" LogText "Result: password of user ${ACCOUNT} has been expired"
Report "account_password_expired[]=${ACCOUNT}" Report "account_password_expired[]=${ACCOUNT}"
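Review bot: the expired-password scan on the unchanged context line `FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow ...` still reads `/etc/shadow` directly while the surrounding tests in this file go through `${ROOTDIR}`, so an audit of a mounted root inspects the auditor's own shadow file; use `${ROOTDIR}etc/shadow`. Separately, the exclusion pattern only skips fields that are exactly `!`, `*`, `x` or `!*`, so an account locked with `passwd -l` (hash prefixed with `!`) whose maximum age has elapsed is still reported as expired; excluding any field that begins with `!` would avoid that false positive.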
@ -893,7 +1020,7 @@
else else
LogText "Result: option present, no password needed at single user mode login" LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "No password needed for single user mode login" ReportWarning "${TEST_NO}" "No password needed for single user mode login"
AddHP 0 1 AddHP 0 1
fi fi
else else
@ -923,7 +1050,7 @@
else else
LogText "Result: option present, no password needed at single user mode login" LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot" ReportSuggestion "${TEST_NO}" "Set password for system boot"
AddHP 0 1 AddHP 0 1
fi fi
else else
@ -949,7 +1076,7 @@
LogText "Test: checking presence sulogin for single user mode" LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1 FOUND=1
LogText "Result: found sulogin, so single user is protected" LogText "Result: found sulogin, so single user is protected"
fi fi
@ -964,7 +1091,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists" LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode" LogText "Test: checking presence sulogin for single user mode"
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init) FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
LogText "Result: found sulogin, so single user is protected" LogText "Result: found sulogin, so single user is protected"
fi fi
@ -1002,8 +1129,8 @@
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot" LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "No password set for single mode" ReportWarning "${TEST_NO}" "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface" ReportSuggestion "${TEST_NO}" "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2 AddHP 0 2
else else
LogText "Result: option set, password is needed at single user mode boot" LogText "Result: option set, password is needed at single user mode boot"
@ -1033,10 +1160,10 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then if [ -d ${ROOTDIR}etc/profile.d ]; then
FOUND=0 FOUND=0
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null) FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found /etc/profile.d, with one or more files in it" LogText "Result: found /etc/profile.d, with one or more files in it"
for FILE in ${FIND}; do for FILE in ${FIND}; do
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') HAS_MASK=$(${GREPBINARY} umask ${FILE} 2> /dev/null | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
for MASK in ${HAS_MASK}; do for MASK in ${HAS_MASK}; do
if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then
LogText "Result: found a strong umask '${MASK}' set in ${FILE}" LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
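Review bot: the `2> /dev/null` added to the `HAS_MASK=$(${GREPBINARY} umask ${FILE} ...` line hides read errors but leaves the real weakness in place: `${AWKBINARY} '{ print $2 }'` assumes `umask` is the first word of the line, so a conditional such as `[ "$UID" -gt 199 ] && umask 002` (a common /etc/profile idiom) prints the second word of that line rather than the mask, and the file is silently scored as having no strong umask. Matching `umask[[:space:]]+[0-7]+` and printing the token after the keyword would be more robust. Also, `for FILE in ${FIND}` word-splits `ls` output, so a file name containing a space becomes two non-existent paths.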
@ -1096,11 +1223,11 @@
AddHP 2 2 AddHP 2 2
elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Some umasks found could be more strict (e.g. 027)" ReportSuggestion "${TEST_NO}" "Some umasks found could be more strict (e.g. 027)"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)" ReportSuggestion "${TEST_NO}" "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -1134,7 +1261,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)" LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine" LogText "Result: umask is ${FIND}, which is fine"
@ -1143,7 +1270,7 @@
else else
LogText "Result: found umask ${FIND}, which could be improved" LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -1181,7 +1308,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine" LogText "Result: umask is ${FIND}, which is fine"
@ -1190,7 +1317,7 @@
else else
LogText "Result: found umask ${FIND}, which could be improved" LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -1225,7 +1352,7 @@
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027" ReportSuggestion "${TEST_NO}" "Umask in /etc/login.conf could be more strict like 027"
fi fi
else else
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected" LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
@ -1244,7 +1371,7 @@
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
LogText "Result: umask is ${FIND2}, which is fine" LogText "Result: umask is ${FIND2}, which is fine"
@ -1253,7 +1380,7 @@
else else
LogText "Result: found umask ${FIND2}, which could be improved" LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -1297,7 +1424,7 @@
if [ -f ${ROOTDIR}etc/default/login ]; then if [ -f ${ROOTDIR}etc/default/login ]; then
LogText "Result: file ${ROOTDIR}etc/default/login exists" LogText "Result: file ${ROOTDIR}etc/default/login exists"
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login) FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
LogText "Result: retries option configured" LogText "Result: retries option configured"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -1369,32 +1496,113 @@
# #
# Test : AUTH-9408 # Test : AUTH-9408
# Description : Logging of failed login attempts # Description : Logging of failed login attempts
if [ -f ${ROOTDIR}etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts"
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs " if [ -f "${ROOTDIR}etc/pam.conf" ]; then
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }') FOUND_PAM_TALLY2=0
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) FOUND_TALLYLOG=0
if [ "${FIND}" = "yes" ]; then if [ -s "${ROOTDIR}var/log/tallylog" ]; then
AUTH_FAILED_LOGINS_LOGGED=1 FOUND_TALLYLOG=1
LogText "Result: failed login attempts are logged in /var/log/faillog" LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN else
LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes"
fi
# Determine if pam_tally2 is available
for D in $(GetReportData --key "pam_module\\\[\\\]"); do
if ContainsString "pam_tally2" "${D}"; then
LogText "Result: found pam_tally2 module on disk"
FOUND_PAM_TALLY2=1
fi
done
if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
LogText "Outcome: authentication failures are logged using pam_tally2"
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=pam_tally2"
else
LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts"
fi
unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
fi
# Also check /etc/logins.defs, although its usage decreased over the years
if [ -f ${ROOTDIR}etc/login.defs ]; then
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs "
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=/etc/login.defs"
LogText "Result: FAILLOG_ENAB is set to 'yes'"
LogText "Outcome: failed login attempts are logged in ${ROOTDIR}var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: failed login attempts may not logged"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
if [ ${AUTH_FAILED_LOGINS_LOGGED} -eq 1 ]; then
AddHP 3 3 AddHP 3 3
else else
LogText "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1 AddHP 0 1
#ReportSuggestion "${TEST_NO}" "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
fi fi
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9409
# Description : Check for doas file
DOAS_FILE=""
Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO --category security --description "Checking /etc/doas.conf file"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: checking presence /etc/doas.conf"
if [ -f /etc/doas.conf ]; then
DOAS_FILE=/etc/doas.conf
FOUND=1
LogText "Result: file /etc/doas.conf found"
else
LogText "Result: file /etc/doas.conf not found"
fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: /etc/doas.conf file found"
Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: doas file NOT found"
Display --indent 2 --text "- doas file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : AUTH-9410
# Description : Check for doas file permissions
if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /etc/doas.conf permissions"
FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file /etc/doas.conf has correct permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
;;
* )
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
;;
esac
fi
#
#################################################################################
# #
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}" Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}" Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
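Review bot: in the rewritten AUTH-9408 the pam_tally2 branch is gated on `if [ -f "${ROOTDIR}etc/pam.conf" ]`, so hosts that configure PAM only through /etc/pam.d/ never reach the tallylog check, and the `Display` calls sit only inside the `/etc/login.defs` branch: a host with pam_tally2 logging but no login.defs shows nothing on screen, and a host with pam_tally2 logging plus `FAILLOG_ENAB` unset is scored `AddHP 3 3` while the screen reports `STATUS_DISABLED`. Gate the PAM check on either `pam.conf` or a `pam.d` directory, and move the `Display` into the final `if [ ${AUTH_FAILED_LOGINS_LOGGED} -eq 1 ]` block so screen and score agree; the `ReportSuggestion` for the disabled case is also still commented out, so the yellow result carries no advice. In AUTH-9410 the pattern `r[w-]-[r-][w-]----` accepts a group-readable and even group-writable doas.conf, and ownership is never checked; since doas.conf grants root, require owner root and no group/other bits (`rw-------`), and use `${ROOTDIR}etc/doas.conf` instead of the hard-coded `/etc/doas.conf` in AUTH-9409.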

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -27,7 +27,7 @@
################################################################################# #################################################################################
# #
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd" BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized" LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
# #
################################################################################# #################################################################################
# #
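Review bot: the expanded `LEGAL_BANNER_STRINGS` now contains generic tokens such as `log`, `condition`, `continu`, `system` and `warning` that occur in ordinary MOTD text, and `log` also substring-matches `login` and `logout`, so the "5 or more" keyword threshold used by the contents check below can be met by a banner that carries no legal notice at all. Keep the list to terms with legal meaning or raise the threshold. Dropping `unauthorized` is harmless only because `authori` still matches it; a comment saying so would save the next reader the check.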
@ -108,7 +108,7 @@
else else
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased" LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users" ReportSuggestion "${TEST_NO}" "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1 AddHP 0 1
Report "weak_banner_file[]=${FILE}" Report "weak_banner_file[]=${FILE}"
fi fi
@ -161,7 +161,7 @@
else else
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased" LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users" ReportSuggestion "${TEST_NO}" "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1 AddHP 0 1
fi fi
fi fi

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -46,7 +46,7 @@
LogText "Test: Query bootinfo for AIX boot device" LogText "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then if [ -x /usr/sbin/bootinfo ]; then
FIND=$(/usr/sbin/bootinfo -b) FIND=$(/usr/sbin/bootinfo -b)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found boot device ${FIND}" LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="ROS" BOOT_LOADER="ROS"
@ -76,7 +76,7 @@
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}') FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
LogText "Result: file on disk = ${FILENAME}" LogText "Result: file on disk = ${FILENAME}"
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/") ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
if [ ! -z "${ISFILE}" ]; then if [ -n "${ISFILE}" ]; then
if [ -L ${ISFILE} ]; then if [ -L ${ISFILE} ]; then
ShowSymlinkPath ${ISFILE} ShowSymlinkPath ${ISFILE}
FILENAME="${SYMLINK}" FILENAME="${SYMLINK}"
@ -86,7 +86,7 @@
LogText "Result: cmdline of PID 1 is not a file" LogText "Result: cmdline of PID 1 is not a file"
fi fi
fi fi
if [ ! -z "${FILENAME}" ]; then if [ -n "${FILENAME}" ]; then
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }') SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
LogText "Found: ${SHORTNAME}" LogText "Found: ${SHORTNAME}"
if [ "${SERVICE_MANAGER}" = "unknown" ]; then if [ "${SERVICE_MANAGER}" = "unknown" ]; then
@ -96,7 +96,11 @@
;; ;;
"init" | "initsplash") "init" | "initsplash")
SERVICE_MANAGER="SysV Init" if [ -d ${ROOTDIR}etc/rc.d ]; then
SERVICE_MANAGER="bsdrc.d"
else
SERVICE_MANAGER="SysV Init"
fi
;; ;;
systemd) systemd)
SERVICE_MANAGER="systemd" SERVICE_MANAGER="systemd"
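Review bot: the new `init` branch sets `SERVICE_MANAGER="bsdrc.d"` whenever `${ROOTDIR}etc/rc.d` exists, but the BSD case later in this file uses the label `bsdrc`, so the same init system gets two different names depending on which branch fires and any later comparison against `bsdrc` misses it. Presence of /etc/rc.d is also not BSD-specific (Slackware and Red Hat-style SysV layouts ship it), so a Linux SysV host is relabelled as BSD rc here; test for `${ROOTDIR}etc/rc` together with `rc.d`, as the BSD branch does, and use a single label.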
@ -106,7 +110,7 @@
;; ;;
*) *)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then if [ -n "${CONTAINS_SYSTEMD}" ]; then
SERVICE_MANAGER="systemd" SERVICE_MANAGER="systemd"
else else
LogText "Found ${SHORTNAME}. Unclear what service manager this is" LogText "Found ${SHORTNAME}. Unclear what service manager this is"
@ -125,7 +129,7 @@
if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
fi fi
;; ;;
"DragonFly" | "NetBSD" | "FreeBSD") "DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then
SERVICE_MANAGER="bsdrc" SERVICE_MANAGER="bsdrc"
fi fi
@ -178,6 +182,21 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5109
# Description : Check for rEFInd
Register --test-no BOOT-5109 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check rEFInd as bootloader"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FileExists ${ROOTDIR}boot/refind_linux.conf
if [ ${FILE_FOUND} -eq 1 ]; then
LogText "Result: found rEFInd"
BOOT_LOADER="rEFInd"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
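Review bot: BOOT-5109 detects rEFInd solely from `${ROOTDIR}boot/refind_linux.conf`, which is the optional per-kernel options file; rEFInd's own configuration (`refind.conf`) and binary live on the EFI system partition, so a rEFInd install without that file is reported as not found while a leftover file from a previous setup is reported as found. Consider also checking the ESP directory or the loader reported by `bootctl status`. Unlike the neighbouring tests this one prints no `Display` line, so the user sees nothing when rEFInd is found.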
# #
# Test : BOOT-5116 # Test : BOOT-5116
# Description : Check if system is booted in UEFI mode # Description : Check if system is booted in UEFI mode
@ -200,7 +219,7 @@
LogText "Test: determine if Secure Boot is used" LogText "Test: determine if Secure Boot is used"
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for FILE in ${FIND}; do for FILE in ${FIND}; do
LogText "Test: checking file ${FILE}" LogText "Test: checking file ${FILE}"
# TODO: add detection for od # TODO: add detection for od
@ -239,6 +258,23 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5117
# Description : Check for systemd-boot boot loader
if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux" --weight L --network NO --category security --description "Check for systemd-boot bootloader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found systemd-boot"
BOOT_LOADER="systemd-boot"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
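Review bot: the prerequisite line `if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]` keeps the `! ... = ""` form that the rest of this commit converts to `-n`, and the awk `/Current Boot Loader/{ getline; print $2 }` assumes the product name is the second field of the line directly after the header; if `bootctl` changes that layout or prints the header without a following `Product:` line, `CURRENT_BOOT_LOADER` is silently empty and the test reports nothing. Matching the `Product:` line and checking for `systemd-boot` anywhere on it would be more tolerant.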
# #
# Test : BOOT-5121 # Test : BOOT-5121
# Description : Check for GRUB boot loader # Description : Check for GRUB boot loader
@ -274,7 +310,7 @@
# Some OSes like Gentoo do not have /boot mounted by default # Some OSes like Gentoo do not have /boot mounted by default
# TODO: root directory and rewrite ls statement # TODO: root directory and rewrite ls statement
if [ -d /boot ]; then if [ -d /boot ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
@ -291,38 +327,54 @@
# #
# Test : BOOT-5122 # Test : BOOT-5122
# Description : Check for GRUB boot loader configuration # Description : Check for GRUB boot loader configuration
if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password" Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE} if [ "${ROOTDIR}etc/grub.d" ]; then
if [ ${CANREAD} -eq 1 ]; then CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') else
FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') fi
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
# GRUB1: Password should be set (MD5 or SHA1) for FILE in ${CONF_FILES}; do
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then if [ -f "${FILE}" ]; then
FOUND=1 LogText "Found file ${FILE}, proceeding with tests."
# GRUB2: Superusers AND password should be defined if FileIsReadable "${FILE}"; then
elif [ ! -z "${FIND3}" ]; then FIND=$(${GREPBINARY} 'password --md5' ${FILE} | ${GREPBINARY} -v '^#')
if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi FIND2=$(${GREPBINARY} 'password --encrypted' ${FILE} | ${GREPBINARY} -v '^#')
FIND3=$(${GREPBINARY} 'set superusers' ${FILE} | ${GREPBINARY} -v '^#')
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
# GRUB1: Password should be set (MD5 or SHA1)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
# GRUB2: Superusers AND password should be defined
elif [ -n "${FIND3}" ]; then
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
else
LogText "Result: did not find hashed password line in this file"
fi
else
LogText "Result: Can not read '${FILE}' (no permission?)"
fi
else
LogText "Result: File '${FILE}' does not exist"
fi fi
if [ ${FOUND} -eq 1 ]; then done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
LogText "Result: GRUB has password protection." LogText "Result: GRUB has password protection."
AddHP 4 4 AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
else else
LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
LogText "Result: Didn't find hashed password line in GRUB configuration"
ReportSuggestion "${TEST_NO}" "Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi fi
unset CONF_FILES FILE FIND FIND2 FIND3 FIND4 FIND5 FOUND
fi fi
# #
################################################################################# #################################################################################
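Review bot: the new directory check `if [ "${ROOTDIR}etc/grub.d" ]; then` tests whether the string is non-empty, which is always true, so the `else` branch (plain `${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg`) is unreachable and `find` will emit an error on systems without /etc/grub.d; it should be `if [ -d "${ROOTDIR}etc/grub.d" ]; then`. The per-file evaluation also means a configuration where `set superusers` lives in one file and the `password_pbkdf2` line in another (e.g. split across grub.d fragments) is reported as unprotected, since FIND3 and FIND4/FIND5 are only compared within the same file; collecting the hits across all files before the final decision would avoid that false warning. Minor: the grep calls use `${FILE}` unquoted while the `-f`/`FileIsReadable` tests quote it; be consistent, and the final `STATUS_NONE` result for the unprotected case replaces the previous `STATUS_WARNING`, which is a visible behaviour change worth a changelog line.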
@ -399,13 +451,13 @@
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data." LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" ReportSuggestion "${TEST_NO}" "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "No password set on LILO bootloader" ReportWarning "${TEST_NO}" "No password set on LILO bootloader"
AddHP 0 2 AddHP 0 2
elif [ "${MACHINE_ROLE}" = "personal" ]; then elif [ "${MACHINE_ROLE}" = "personal" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data." LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" ReportSuggestion "${TEST_NO}" "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
AddHP 1 2 AddHP 1 2
else else
LogText "Result: no password set for LILO, with unknown machine role" LogText "Result: no password set for LILO, with unknown machine role"
@ -480,8 +532,8 @@
FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf) FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
#ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." #ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "System can be booted into single user mode without password" ReportWarning "${TEST_NO}" "System can be booted into single user mode without password"
else else
Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
LogText "Ok, boot option is enabled." LogText "Ok, boot option is enabled."
@ -490,7 +542,7 @@
Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical" LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical"
LogText "access to the server can be used to possibly enter single user mode." LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time." ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: found OpenBSD boot loader" LogText "Result: found OpenBSD boot loader"
@ -547,7 +599,7 @@
LogText "Result: systemctl binary found, trying that to discover information" LogText "Result: systemctl binary found, trying that to discover information"
# Running services # Running services
LogText "Searching for running services (systemctl services only)" LogText "Searching for running services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service --state=running | ${AWKBINARY} -F.service '{ print $1 }')
COUNT=0 COUNT=0
Report "running_service_tool=systemctl" Report "running_service_tool=systemctl"
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
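Review bot: `${AWKBINARY} -F.service` treats the multi-character separator as an extended regex, in which `.` matches any character, so a unit such as `webservice.service` is split at `bservice` and reported as `we`; strip the suffix explicitly instead, e.g. `| ${SEDBINARY} 's/\.service$//'`, or anchor the separator as `-F'[.]service$'`. Also note that `--state=running` depends on a systemctl that understands `--state`; on an older systemd the command fails, FIND is empty and the test silently reports 0 running services, so a stderr check or fallback to the previous `$4=="running"` filter would be safer.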
@ -558,11 +610,11 @@
LogText "Hint: Run systemctl --full --type=service to see all services" LogText "Hint: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running services" Display --indent 8 --text "Result: found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services" LogText "Result: Found ${COUNT} running services"
# Services at boot # Services at boot
LogText "Searching for enabled services (systemctl services only)" LogText "Searching for enabled services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend --type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{ print $1 }')
COUNT=0 COUNT=0
Report "boot_service_tool=systemctl" Report "boot_service_tool=systemctl"
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
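Review bot: same separator issue as above: `-F.service` is a regex whose `.` matches any character, so unit names containing `<char>service` are truncated; use `${SEDBINARY} 's/\.service$//'`. Running `${SORTBINARY} -u` before the suffix strip also means `foo.service` and `foo@.service` style duplicates are not collapsed; sort after the awk/sed step if the intent is unique service names.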
@ -573,12 +625,12 @@
LogText "Hint: Run systemctl list-unit-files --type=service to see all services" LogText "Hint: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled services" Display --indent 8 --text "Result: found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services" LogText "Result: Found ${COUNT} enabled services"
else else
LogText "Result: systemctl binary not found, checking chkconfig binary" LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! -z "${CHKCONFIGBINARY}" ]; then if [ -n "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information" LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
@ -613,7 +665,7 @@
if [ "${sRUNLEVEL}" = "2" ]; then if [ "${sRUNLEVEL}" = "2" ]; then
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found" LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort) FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
COUNT=0 COUNT=0
for SERVICE in ${FIND}; do for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}" LogText "Found service (at boot, runlevel 2): ${SERVICE}"
@ -624,7 +676,7 @@
LogText "Result: found ${COUNT} services" LogText "Result: found ${COUNT} services"
fi fi
elif [ -z "${sRUNLEVEL}" ]; then elif [ -z "${sRUNLEVEL}" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" ReportSuggestion "${TEST_NO}" "Determine runlevel and services at startup"
else else
LogText "Result: skipping further actions" LogText "Result: skipping further actions"
fi fi
@ -646,7 +698,7 @@
LogText "Result: directory ${DIR} found" LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory" LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY}) FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now" LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}" LogText "Test: checking permissions of file ${FILE}"
@ -695,7 +747,7 @@
LogText "Test: Checking ${CHECKFILE} file for writable bit" LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then if IsWorldWritable ${CHECKFILE}; then
FOUND=1 FOUND=1
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}" ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable" LogText "Result: warning, file ${CHECKFILE} is world writable"
else else
LogText "Result: good, file ${CHECKFILE} not world writable" LogText "Result: good, file ${CHECKFILE} not world writable"
@ -706,7 +758,7 @@
# Check results # Check results
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users" LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3 AddHP 0 3
else else
@ -728,20 +780,20 @@
Linux) Linux)
# Idle time, not real uptime # Idle time, not real uptime
if [ -f /proc/uptime ]; then if [ -f /proc/uptime ]; then
UPTIME_IN_SECS=$(cat /proc/uptime | ${CUTBINARY} -d ' ' -f1 | ${CUTBINARY} -d '.' -f1) UPTIME_IN_SECS=$(${CUTBINARY} -d ' ' -f1 /proc/uptime | ${CUTBINARY} -d '.' -f1)
else else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)" ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi fi
;; ;;
DragonFly | FreeBSD | macOS) DragonFly | FreeBSD | macOS)
if [ ! -z "${SYSCTLBINARY}" ]; then if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]") TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
TIME_NOW=$(date "+%s") TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}" LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}" LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -750,15 +802,15 @@
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi fi
;; ;;
NetBSD | OpenBSD) NetBSD | OpenBSD)
if [ ! -z "${SYSCTLBINARY}" ]; then if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime) TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
TIME_NOW=$(date "+%s") TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}" LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}" LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -767,25 +819,26 @@
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi fi
;; ;;
Solaris) Solaris)
if [ ! -z "${KSTATBINARY}" ]; then if [ -n "${KSTATBINARY}" ]; then
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1) UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
else else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi fi
;; ;;
*) *)
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds) # Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
;; ;;
esac esac
if [ ! -z "${UPTIME_IN_SECS}" ]; then
if [ -n "${UPTIME_IN_SECS}" ]; then
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24)) UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}" LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}" LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
@ -800,14 +853,14 @@
# #
# Test : BOOT-5260 # Test : BOOT-5260
# Description : Check single user mode for systemd # Description : Check single user mode for systemd
Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd" Register --test-no BOOT-5260 --os Linux --weight L --network NO --category security --description "Check single user mode for systemd"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/lib/systemd/system/rescue.service" LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode" LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
LogText "Result: found sulogin, so single user is protected" LogText "Result: found sulogin, so single user is protected"
AddHP 3 3 AddHP 3 3
@ -823,6 +876,158 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5262
# Description : Check for OpenBSD boot daemons
Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons"
if [ ${SKIPTEST} -eq 0 ]; then
if HasData "${RCCTLBINARY}"; then
LogText "Result: rcctl binary found, trying that to discover information"
# OpenBSD (Ask rcctl(8) for running daemons)
LogText "Searching for running daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls started)
COUNT=0
Report "running_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found running daemon: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running daemons"
LogText "Result: Found ${COUNT} running daemons"
# OpenBSD (Ask rcctl(8) for enabled daemons)
LogText "Searching for enabled daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
COUNT=0
Report "boot_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found enabled daemon at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
LogText "Result: Found ${COUNT} enabled daemons at boot"
fi
fi
#
#################################################################################
#
# Test : BOOT-5263
# Description : Check OpenBSD world writable startup scripts
Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
CHECKDIR="${ROOTDIR}etc/rc.d"
LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${CHECKDIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
# OpenBSD uses symlinks to create another instance of daemons
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
ShowSymlinkPath "${FILE}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})"
else
CHECKFILE="${FILE}"
fi
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
LogText "Result: directory ${CHECKDIR} not found. Skipping.."
fi
# Other files
CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
ShowSymlinkPath "${I}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
else
CHECKFILE="${I}"
fi
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
fi
done
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : BOOT-5264
# Description : Run systemd-analyze security
if [ -z "${SYSTEMDANALYZEBINARY}" ]; then SKIPREASON="systemd-analyze not available"; PREQS_MET="NO";
else
SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ${AWKBINARY} '/^systemd / {print $2}')
if [ "${SYSTEMD_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else SKIPREASON="systemd-analyze too old (v${SYSTEMD_VERSION}), need at least v240"; PREQS_MET="NO"; fi
fi
Register --test-no BOOT-5264 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --os Linux --weight L --network NO --category security --description "Run systemd-analyze security"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Run systemd-analyze security"
Display --indent 2 --text "- Running 'systemd-analyze security'"
${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
if [ "${UNIT}" = "UNIT" ]; then
continue
fi
COLOR="BLACK"
case ${PREDICATE} in
PERFECT | SAFE | OK)
COLOR=GREEN
;;
MEDIUM)
COLOR=WHITE
;;
EXPOSED)
COLOR=YELLOW
;;
UNSAFE | DANGEROUS)
COLOR=RED
;;
esac
Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
done
ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
fi
#
#################################################################################
# #
Report "boot_loader=${BOOT_LOADER}" Report "boot_loader=${BOOT_LOADER}"
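Review bot: in BOOT-5263 the line `CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"` uses `${ROOT}` for two of the four paths; `ROOT` is not defined in this script, so those expand to the relative paths `etc/rc.conf` and `etc/rc.conf.local`, the `-f` test fails and both files are silently skipped; change them to `${ROOTDIR}`. In the same test, `LogText "Test: checking if directory ${DIR} exists"` and `LogText "Result: directory ${DIR} found"` reference `${DIR}` while the variable being checked is `${CHECKDIR}`, so the log shows an empty name (or a stale value from an earlier test). The rc.d loop sets FOUND=1 for a world-writable script but, unlike the "Other files" loop just below it, never calls `ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"`, so the per-file finding is lost from the report; add the same call. In BOOT-5262 the two "Note:" lines tell the reader to run `rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$'` "to see all daemons", but without `-v` that pipeline shows only those three entries; either drop the filter from the hint or invert it, and the hint is misleading after the running-daemons loop where no filter was applied at all. In BOOT-5264, `[ "${SYSTEMD_VERSION}" -ge 240 ]` raises an "integer expression expected" error when the awk pattern does not match and SYSTEMD_VERSION is empty; guard with `-n` first. `SKIPREASON` is also not reset when `PREQS_MET="YES"`, so a reason left over from an earlier test is passed to `Register`; set `SKIPREASON=""` at the top. Lastly, `Skipping..` should be `Skipping...` or `Skipping.` to match the rest of the messages.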


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -40,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: query zoneadm to list all running zones" LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }') FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
COUNT=0 COUNT=0
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
@ -81,8 +81,7 @@
# Description : Checking Docker daemon status and basic information for later tests # Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --category security --description "Checking Docker status and information" Register --test-no CONT-8102 --weight L --network NO --category security --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "dockerd" if IsRunning "dockerd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found Docker daemon running" LogText "Result: found Docker daemon running"
Report "docker_daemon_running=1" Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1 DOCKER_DAEMON_RUNNING=1
@ -131,14 +130,14 @@
# Test : CONT-8106 # Test : CONT-8106
# Description : Checking Docker containers (basic stats) # Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers # Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker" Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers" Display --indent 6 --text "- Containers"
# Check total of containers # Check total of containers
LogText "Test: checking total amount of Docker containers" LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} "^Containers: " | ${AWKBINARY} '{ print $2 }') DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
DOCKER_CONTAINERS_TOTAL=0 DOCKER_CONTAINERS_TOTAL=0
fi fi
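Review bot: the new pattern `"^[ \t]?Containers: "` does not do what it intends: inside a bracket expression GNU grep treats `\t` as the two literal characters backslash and `t`, not as a tab, and `?` only permits a single leading character, so a two-space indent would not match. Use a POSIX class with a repetition, `"^[[:space:]]*Containers: "`, which covers both the unindented legacy output and the indented `Server:` section of newer `docker info`.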
@ -171,7 +170,7 @@
# Test : CONT-8107 # Test : CONT-8107
# Description : Checking Docker number of unused containers # Description : Checking Docker number of unused containers
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers # Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers" Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if there aren't too many unused containers on the system # Check if there aren't too many unused containers on the system
@ -194,7 +193,7 @@
# Test : CONT-8108 # Test : CONT-8108
# Description : Checking Docker file permissions # Description : Checking Docker file permissions
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable # Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files" Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock" NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
@ -227,4 +226,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -21,6 +21,10 @@
# Cryptography # Cryptography
# #
################################################################################# #################################################################################
#
RNG_FOUND=0
#
#################################################################################
# #
InsertSection "Cryptography" InsertSection "Cryptography"
# #
@ -28,61 +32,91 @@
# #
# Test : CRYP-7902 # Test : CRYP-7902
# Description : check for expired SSL certificates # Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates" Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT_EXPIRED=0 COUNT_EXPIRED=0
COUNT_TOTAL=0 COUNT_TOTAL=0
FOUNDPROBLEM=0 FOUNDPROBLEM=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g') SKIP=0
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ") sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to scan: ${sSSL_PATHS}" LogText "Paths to scan: ${sSSL_PATHS}"
IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
for DIR in ${sSSL_PATHS}; do for DIR in ${sSSL_PATHS}; do
COUNT_DIR=0 COUNT_DIR=0
if [ -d ${DIR} ]; then if [ -d ${DIR} ]; then
FileIsReadable ${DIR} FileIsReadable ${DIR}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
LASTSUBDIR=""
LogText "Result: found directory ${DIR}" LogText "Result: found directory ${DIR}"
# Search for certificate files # Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g') FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do for FILE in ${FILES}; do
FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g') FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
COUNT_DIR=$((COUNT_DIR + 1)) # See if we need to skip this path
FileIsReadable "${FILE}" SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ 'sub(FS $NF,x)' | ${SEDBINARY} 's/__space__/ /g')
if [ ${CANREAD} -eq 1 ]; then # If we discover a new directory, do evaluation
# Only check the files that are not installed by a package #Debug "File : ${FILE}"
if ! FileInstalledByPackage "${FILE}"; then #Debug "Lastdir: ${LASTSUBDIR}"
LogText "Test: test if file is a certificate" #Debug "Curdir : ${SUBDIR}"
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ ! "${SUBDIR}" = "${LASTSUBDIR}" ]; then
if [ $? -eq 0 ]; then SKIP=0
LogText "Result: file is a certificate" # Now check if this path is on the to-be-ignored list
LogText "Test: checking certificate details" for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") if ContainsString "${D}" "${SUBDIR}"; then
if [ $? -eq 0 ]; then SKIP=1
# Check certificate where 'end date' has been expired LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list"
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) fi
EXIT_CODE=$? done
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') fi
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') if [ ${SKIP} -eq 0 ]; then
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" #Debug "Testing ${FILE} in path: $SUBDIR"
if [ ${EXIT_CODE} -eq 0 ]; then COUNT_DIR=$((COUNT_DIR + 1))
LogText "Result: certificate ${FILE} seems to be correct and still valid" FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
if [ ${CER_DER} -eq 0 ]; then
SSL_DER_OPT="-inform der"
else else
FOUNDPROBLEM=1 SSL_DER_OPT=
COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) fi
LogText "Result: certificate ${FILE} has been expired" FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
else
FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired"
fi
else
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
fi fi
else else
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
fi fi
else
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
fi fi
else
LogText "Result: can not read file ${FILE} (no permission)"
fi fi
else
LogText "Result: can not read file ${FILE} (no permission)"
fi fi
LASTSUBDIR="${SUBDIR}"
done done
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR)) COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}" LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
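Review bot: de-duplication of the path list is lost in this hunk: `sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)` feeds a single space-separated line to `sort -u`, so nothing is de-duplicated (the removed version split on `${TRBINARY} " " "\n"` first), and `IGNORE_PATHS_PRINT` has the same problem. Restore the newline split before `sort -u`, or drop the sort since it is now cosmetic. Second, the ignore list is walked with `for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}`, which splits on whitespace, while the print line two lines earlier treats the same variable as colon-separated (`'s/:/, /g'`); if a profile lists several paths joined with `:`, `ContainsString "${D}" "${SUBDIR}"` receives the whole joined string and never matches. Convert `:` to spaces before the loop, as is done for `SSL_CERTIFICATE_PATHS`. Also note `ContainsString` is a substring match, so ignoring `/etc/ssl` also skips `/etc/ssl-backup`; a prefix match with a trailing `/` would be safer. Minor: DER detection keys on the `.cer`/`.der` suffix alone, so a PEM-encoded `.cer` fails `openssl x509 -inform der` silently and is logged as "most likely not a certificate"; falling back to PEM when the DER parse fails avoids that false negative.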
@ -100,9 +134,166 @@
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration" ReportSuggestion "${TEST_NO}" "Check available certificates for expiration"
fi fi
fi fi
#
#################################################################################
#
# Test : CRYP-7930
# Description : Determine if system uses LUKS block device encryption
Register --test-no CRYP-7930 --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses LUKS block device encryption"
if [ ${SKIPTEST} -eq 0 ]; then
CRYPTTABFILE="${ROOTDIR}etc/crypttab"
FOUND=0
# cryptsetup only works as root
if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
Report "encryption[]=luks,block_device,${BLOCK_DEV}"
FOUND=$((FOUND +1))
else
LogText "Result: block device ${BLOCK_DEV} is not LUKS encrypted"
fi
done
unset BLOCK_DEV
# This will enable us to do a test for forensics or when crypsetup/lsblk are not available
elif [ -f ${CRYPTTABFILE} ]; then
LogText "Result: crypttab (${CRYPTTABFILE}) exists"
DATA=$(${GREPBINARY} "^[a-z]" ${CRYPTTABFILE} | ${TRBINARY} -cd '[:alnum:]_\-=,\n\t ' | ${SEDBINARY} 's/[[:blank:]]/__space__/g')
for LINE in ${DATA}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/__space__/ /g')
if ContainsString "luks," "${LINE}"; then
PARTITION=$(echo ${LINE} | ${AWKBINARY} '{print $1}' | ${AWKBINARY} -F_ '{print $1}')
LogText "Result: Found LUKS encryption on partition ${PARTITION}"
Report "encryption[]=luks,partition,${PARTITION}"
FOUND=$((FOUND +1))
fi
done
unset DATA LINE PARTITION
fi
if [ ${FOUND} -gt 0 ]; then
Display --indent 2 --text "- Found ${FOUND} LUKS encrypted block devices." --result OK --color WHITE
fi
unset FOUND
fi
#
#################################################################################
#
# Test : CRYP-7931
# Description : Determine if system uses encrypted swap
if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap"
if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0
# Redirect errors, as RHEL 5/6 and others don't have the --show option
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
if [ $? -eq 0 ]; then
for BLOCK_DEV in ${SWAPS}; do
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},other"
else
LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
Report "non_encrypted_swap[]=${BLOCK_DEV}"
fi
done
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
else
LogText "Result: skipping testing as swapon returned an error."
fi
fi
#
#################################################################################
#
# Test : CRYP-8002
# Description : Gather available kernel entropy
Register --test-no CRYP-8002 --os Linux --weight L --network NO --root-only NO --category security --description "Gather available kernel entropy"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}proc/sys/kernel/random/entropy_avail ]; then
DATA=$(${AWKBINARY} '$1 ~ /^[0-9]+$/ {print $1}' ${ROOTDIR}proc/sys/kernel/random/entropy_avail)
if [ -n "${DATA}" ]; then
LogText "Result: found kernel entropy value of ${DATA}"
Report "kernel_entropy=${DATA}"
if [ ${DATA} -gt 200 ]; then
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_YES}" --color GREEN
else
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when information on website is available
fi
fi
fi
fi
#
#################################################################################
#
# Test : CRYP-8004
# Description : Test for presence of hardware random number generators
Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of hardware random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
# ReportSuggestion "${TEST_NO}" "Utilize hardware random number generation by running rngd"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
LogText "Result: no HW RNG available"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED
LogText "Result: could not find ${ROOTDIR}sys/class/misc/hw_random/rng_current"
fi
fi
#
#################################################################################
#
# Test : CRYP-8005
# Description : Test for presence of software pseudo random number generators
Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for software pseudo random number generators"
FOUND=""
for SERVICE in audio-entropyd haveged jitterentropy-rngd; do
# Using --full as jitterentropy-rngd would otherwise not match
if IsRunning --full "${SERVICE}"; then
FOUND="${FOUND} ${SERVICE}"
fi
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
fi
#
#################################################################################
#
Report "rng_found=${RNG_FOUND}"
# #
################################################################################# #################################################################################
# #
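Review bot: in CRYP-7931 the LUKS/non-LUKS split is wrong for the common case. `swapon --show=NAME` returns the active mapping (typically a `/dev/mapper/...` device), and `cryptsetup isLuks` on a dm-crypt mapping fails because the LUKS header lives on the underlying device, so LUKS-backed swap falls through to the `status ... | grep "cipher:"` branch and is reported as `other`. Either take the `device:` line from `cryptsetup status` and run `isLuks` on that, or only report encrypted/unencrypted. A swap file on an encrypted filesystem is counted as unencrypted by the same logic and deserves at least a log line. In CRYP-7930, `$(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null)` can expand to several paths (or none) and is passed unquoted to `isLuks`; `lsblk --paths` (or `-o PATH`) gives the device path directly and avoids the search. In CRYP-8004, `${HEADBINARY} --lines=1` is a GNU long option; `-n 1` is accepted by every head implementation (BusyBox and the BSDs included) and is the safer spelling. Also, a missing `rng_current` displays RED, which penalises every VM without a virtio-rng device or a loaded hw_random module; YELLOW with the existing log line seems more proportionate.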


@ -109,7 +109,7 @@
################################################################################# #################################################################################
# #
# Test : CUST-0040 # Test : CUST-0040
# Description : Our second test, with a prequisite test # Description : Our second test, with a prerequisite test
# First check if OPENSSLBINARY is known as a prerequisite for this test # First check if OPENSSLBINARY is known as a prerequisite for this test
# ! means "not". So if the binary is known, the prerequisite is matched. Otherwise we set it to NO and define a reason why we skipped this test # ! means "not". So if the binary is known, the prerequisite is matched. Otherwise we set it to NO and define a reason why we skipped this test
@ -134,7 +134,7 @@
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion" ReportSuggestion "${TEST_NO}" "This is a suggestion"
fi fi
fi fi
# #


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -28,6 +28,14 @@
sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf" sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
REDIS_CONFIGURATION_FILES="" REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0 REDIS_CONFIGURATION_FOUND=0
MYSQL_RUNNING=0
DATABASE_ENGINE_RUNNING=0
MONGODB_RUNNING=0
POSTGRESQL_RUNNING=0
ORACLE_RUNNING=0
DB2_RUNNING=0
REDIS_RUNNING=0
# #
################################################################################# #################################################################################
# #
@ -71,7 +79,7 @@
# Test : DBS-1816 # Test : DBS-1816
# Description : Check empty MySQL root password # Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available # Notes : Only perform test when MySQL is running and client is available
if [ ! -z "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi if [ -n "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password" Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to login to local MySQL server without password" LogText "Test: Trying to login to local MySQL server without password"
@ -81,7 +89,7 @@
FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?) FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!" LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "No MySQL root password set" ReportWarning "${TEST_NO}" "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5 AddHP 0 5
else else
@ -144,7 +152,7 @@
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
if HasData "${PGREPBINARY}"; then if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done) AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else else
LogText "Result: skipped this part of the test, as pgrep is not available" LogText "Result: skipped this part of the test, as pgrep is not available"
fi fi
@ -152,7 +160,7 @@
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
LogText "Result: no authorization enabled via parameter or configuration file" LogText "Result: no authorization enabled via parameter or configuration file"
Report "mongodb_authorization_disabled=1" Report "mongodb_authorization_disabled=1"
ReportWarning ${TEST_NO} "MongoDB instance allows any user to access databases" ReportWarning "${TEST_NO}" "MongoDB instance allows any user to access databases"
Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED
else else
if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi
@ -179,6 +187,31 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : DBS-1828
# Description : Test PostgreSQL configuration file(s)
#
# Authentication:
# /var/lib/pgsql/data/pg_hba.conf
#
# Configuration
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data"
CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "postgresql.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}" | ${SEDBINARY} "s/ /:space:/g"')
for CF in ${CONFIG_FILES}; do
Report "postgresql_config_file[]=${CF}"
LogText "Found configuration file (${CF})"
done
fi
#
#################################################################################
# #
# Test : DBS-1840 # Test : DBS-1840
# Description : Check if Oracle is being used # Description : Check if Oracle is being used
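Review bot: the search paths in DBS-1828 do not match the locations the header comment lists. `FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data"` omits `${ROOTDIR}var/lib/pgsql/data` (CentOS/Fedora) and uses `etc/postgres` where the Ubuntu layout is `etc/postgresql/x.y/main`, so on those distributions nothing is found and nothing is reported. Add `${ROOTDIR}etc/postgresql` and `${ROOTDIR}var/lib/pgsql` to the list. The pipeline also references `${SEDBINARY}` inside the single-quoted `sh -c '...'` string: the outer shell does not expand it, and the child `sh` only sees a value if the variable is exported; otherwise `echo "{}" | ${SEDBINARY} ...` fails and every readable file is dropped from `CONFIG_FILES`. Move the sed outside the quotes (run `xargs -I {} sh -c 'test -r "{}" && echo "{}"'` and pipe that output through `${SEDBINARY}`). Finally, `xargs -i` is a deprecated GNU spelling of `-I {}`, and the `:space:` placeholder written here is never translated back before `Report`, unlike the `__space__` round-trip in CRYP-7902.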
@ -219,7 +252,7 @@
################################################################################# #################################################################################
# #
# Test : DBS-1860 # Test : DBS-1860
# Description : Checks if a DB2 instance is currently runnigng # Description : Checks if a DB2 instance is currently running
Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances" Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning db2sysc; then if IsRunning db2sysc; then
@ -268,7 +301,7 @@
for DIR in ${PATHS}; do for DIR in ${PATHS}; do
LogText "Action: scanning directory (${DIR}) for Redis configuration files" LogText "Action: scanning directory (${DIR}) for Redis configuration files"
FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null) FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
if [ ! -z "${FILES}" ]; then if [ -n "${FILES}" ]; then
ALLFILES="${ALLFILES} ${FILES}" ALLFILES="${ALLFILES} ${FILES}"
else else
LogText "Result: no configuration files found in this directory" LogText "Result: no configuration files found in this directory"
@ -279,12 +312,12 @@
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file" LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
# Exclude Sentinel configuration file # Exclude Sentinel configuration file
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE}) FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: file is a Sentinel configuration file, skipping it" LogText "Result: file is a Sentinel configuration file, skipping it"
else else
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file" LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
FIND=$(${GREPBINARY} "Redis" ${CONFFILE}) FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}" REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
REDIS_CONFIGURATION_FOUND=1 REDIS_CONFIGURATION_FOUND=1
LogText "Result: found a Redis configuration file (${CONFFILE})" LogText "Result: found a Redis configuration file (${CONFFILE})"
@ -297,7 +330,7 @@
fi fi
done done
# Sort the list of discovered configuration files so we can make them unique # Sort the list of discovered configuration files so we can make them unique
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | ${UNIQBINARY} | ${TRBINARY} '\n' ' ') REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!" LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -24,8 +24,8 @@
# #
# # TODO create records on test domain # # TODO create records on test domain
# # TODO after update even IP match can be checked to detect hijacking # # TODO after update even IP match can be checked to detect hijacking
# SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature # SIGOKDNS="sigok.example.org" # address with good DNSSEC signature
# SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature # SIGFAILDNS="sigfail.example.org" # address with bad DNSSEC signature
# TIMEOUT=";; connection timed out; no servers could be reached" # TIMEOUT=";; connection timed out; no servers could be reached"
# #
################################################################################# #################################################################################
@ -35,10 +35,10 @@
################################################################################# #################################################################################
# #
# # Test : DNS-1600 # # Test : DNS-1600
# # Description : Validate DNSSEC signiture is checked # # Description : Validate DNSSEC signature is checked
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" # Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
# if [ "${SKIPTEST}" -eq 0 ]; then # if [ "${SKIPTEST}" -eq 0 ]; then
# if [ ! -z "${DIGBINARY}" ]; then # if [ -n "${DIGBINARY}" ]; then
# #
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) # GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) # BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
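Review bot: the typo fix is incomplete: the comment now reads `Validate DNSSEC signature is checked`, but the `Register` description on the next line still says `"Validate DNSSEC igniture is checked"` on both sides of the diff. That string is what would reach the report if DNS-1600 is ever re-enabled, so change it to `signature` in the same commit.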
@ -47,16 +47,16 @@
# LogText "Result: received timeout, can't determine DNSSEC validation" # LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" # #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then # elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted" # LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" # #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then # elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking" # LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers" # #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC validating name servers"
# AddHP 2 2 # AddHP 2 2
# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then # elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
# LogText "Result: altered DNS responses were ignored" # LogText "Result: altered DNS responses were ignored"
# AddHP 0 2 # AddHP 0 2
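Review bot: `${STATUS_UNKOWN}` (missing N) is used in two `Display` calls in this hunk; unless a constant with that exact misspelling is defined, it expands to an empty result string once the test is re-enabled. While the block is being touched for the `-n` cleanup, correct it to `${STATUS_UNKNOWN}`.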


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -35,7 +35,7 @@
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability" Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AFICK binary" LogText "Test: Checking AFICK binary"
if [ ! -z "${AFICKBINARY}" ]; then if [ -n "${AFICKBINARY}" ]; then
LogText "Result: AFICK is installed (${AFICKBINARY})" LogText "Result: AFICK is installed (${AFICKBINARY})"
Report "file_integrity_tool[]=afick" Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick" FILE_INT_TOOL="afick"
@ -54,7 +54,7 @@
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability" Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AIDE binary" LogText "Test: Checking AIDE binary"
if [ ! -z "${AIDEBINARY}" ]; then if [ -n "${AIDEBINARY}" ]; then
LogText "Result: AIDE is installed (${AIDEBINARY})" LogText "Result: AIDE is installed (${AIDEBINARY})"
Report "file_integrity_tool[]=aide" Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide" FILE_INT_TOOL="aide"
@ -70,13 +70,13 @@
# #
# Test : FINT-4315 # Test : FINT-4315
# Description : Check AIDE configuration file # Description : Check AIDE configuration file
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file" Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc" AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}" LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then if [ -f "${I}/aide.conf" ]; then
LogText "Result: found aide.conf in directory ${I}" LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf" AIDECONFIG="${I}/aide.conf"
fi fi
@ -98,13 +98,45 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : FINT-4316
# Description : Presence of AIDE database and size check
if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_DB=$(${GREPBINARY} ^database= ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
fi
LogText "Test: search for AIDE database on disk ${AIDE_DB}"
if [ ! -e "${AIDE_DB}" ]; then
Display --indent 6 --text "- AIDE database" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: AIDE database ${AIDE_DB} does not exist"
ReportWarning "${TEST_NO}" "No AIDE database was found, needed for AIDE functionality"
else
LogText "Checking database size ${AIDE_DB}"
if [ -s "${AIDE_DB}" ]; then
Display --indent 6 --text "- AIDE database" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: AIDE database ${AIDE_DB} exist and has a size greater than zero"
else
Display --indent 6 --text "- AIDE database" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: AIDE database ${AIDE_DB} exist but has a size of zero"
ReportSuggestion "${TEST_NO}" "Check the AIDE database as it may contain errors"
fi
fi
unset AIDE_DB I
fi
#
#################################################################################
# #
# Test : FINT-4318 # Test : FINT-4318
# Description : Check if Osiris is installed # Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability" Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary" LogText "Test: Checking Osiris binary"
if [ ! -z "${OSIRISBINARY}" ]; then if [ -n "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})" LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris" Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris" FILE_INT_TOOL="osiris"
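Review bot: the `@@{DBDIR}` expansion in FINT-4316 has no fallback: when the `@@define.*DBDIR` grep returns nothing, `I` is empty and `${SEDBINARY} "s#.*}#${I}#"` turns `@@{DBDIR}/aide.db` into `/aide.db`, so the test then warns that the database is missing at a path AIDE never used. Guard with `if [ -z "${I}" ]` and log the unresolved macro instead of testing a bogus path. Also the two result texts read "exist and has a size" / "exist but has a size"; both should be "exists".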
@ -123,7 +155,7 @@
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability" Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary" LogText "Test: Checking Samhain binary"
if [ ! -z "${SAMHAINBINARY}" ]; then if [ -n "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})" LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain" Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain" FILE_INT_TOOL="samhain"
@ -142,7 +174,7 @@
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability" Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary" LogText "Test: Checking Tripwire binary"
if [ ! -z "${TRIPWIREBINARY}" ]; then if [ -n "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire" Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire" FILE_INT_TOOL="tripwire"
@ -161,15 +193,14 @@
Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running" Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if OSSEC syscheck daemon is running" LogText "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd if IsRunning "ossec-syscheckd"; then
if [ ${RUNNING} -eq 1 ]; then LogText "Result: syscheck (OSSEC) active"
LogText "Result: syscheck (OSSEC) installed"
Report "file_integrity_tool[]=ossec" Report "file_integrity_tool[]=ossec"
FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: syscheck (OSSEC) not installed" LogText "Result: syscheck (OSSEC) is not active"
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
@ -182,7 +213,7 @@
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability" Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking mtree binary" LogText "Test: Checking mtree binary"
if [ ! -z "${MTREEBINARY}" ]; then if [ -n "${MTREEBINARY}" ]; then
LogText "Result: mtree is installed (${MTREEBINARY})" LogText "Result: mtree is installed (${MTREEBINARY})"
Report "file_integrity_tool[]=mtree" Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree" FILE_INT_TOOL="mtree"
@ -202,8 +233,8 @@
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status" Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
IsRunning 'lfd ' LogText "Test: determine lfd status"
if [ ${RUNNING} -eq 1 ]; then if IsRunning "lfd - sleeping"; then
LogText "Result: lfd daemon is running (CSF)" LogText "Result: lfd daemon is running (CSF)"
Report "file_integrity_tool[]=csf-lfd" Report "file_integrity_tool[]=csf-lfd"
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
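Review bot: narrowing the match from `'lfd '` to the full process title `"lfd - sleeping"` ties FINT-4334 to one idle state; if lfd carries a different title while it is processing, a healthy daemon would be logged as not running. If IsRunning matches a substring, `"lfd - "` keeps the intent of the change without depending on one state; if the exact title is deliberate (to avoid matching other processes), a short comment saying so would help the next reader.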
@ -223,7 +254,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters # LFD configuration parameters
ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}) ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
if [ ! -z "${ENABLED}" ]; then if [ -n "${ENABLED}" ]; then
LogText "Result: lfd service is configured to run" LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -231,7 +262,7 @@
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -239,7 +270,7 @@
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else else
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
@ -253,8 +284,7 @@
Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running" Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if osqueryd syscheck daemon is running" LogText "Test: Checking if osqueryd syscheck daemon is running"
IsRunning osqueryd if IsRunning "osqueryd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: syscheck (osquery) installed" LogText "Result: syscheck (osquery) installed"
Report "file_integrity_tool[]=osquery" Report "file_integrity_tool[]=osquery"
FILE_INT_TOOL="osquery" FILE_INT_TOOL="osquery"
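Review bot: the result text "syscheck (osquery) installed" was left unchanged while the matching OSSEC hunk above was corrected to "active"; since IsRunning checks for a running process and not for an installation, update this LogText to "active" as well so both tests log the same thing for the same condition.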
@ -267,17 +297,118 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : FINT-4339
# Description : Check IMA/EVM status
if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
if [ -e /sys/kernel/security/ima ]; then
FOUND=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count)
fi
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: EVM tools found but IMA/EVM disabled"
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
else
LogText "Result: EVM tools found, IMA/EVM enabled"
FILE_INT_TOOL="evmctl"
FILE_INT_TOOL_FOUND=1
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : FINT-4340
# Description : Check dm-integrity status
if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
ROOTPROTECTED=0
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-integrity device ${DEVICE}"
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
ROOTPROTECTED=1
fi
fi
fi
done
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: dm-integrity tools found but no active devices"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
else
LogText "Result: dm-integrity tools found, active devices"
if [ ${ROOTPROTECTED} -eq 1 ]; then
LogText "Result: root filesystem is protected by dm-integrity"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
fi
FILE_INT_TOOL="dm-integrity"
FILE_INT_TOOL_FOUND=1
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : FINT-4341
# Description : Check dm-verity status
if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
ROOTPROTECTED=0
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-verity device ${DEVICE}"
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
ROOTPROTECTED=1
fi
fi
fi
done
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: dm-verity tools found but no active devices"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
else
LogText "Result: dm-verity tools found, active devices"
if [ ${ROOTPROTECTED} -eq 1 ]; then
LogText "Result: root filesystem is protected by dm-verity"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: root filesystem is not protected by dm-verity but active devices found"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
fi
FILE_INT_TOOL="dm-verity"
FILE_INT_TOOL_FOUND=1
fi
fi
#
#################################################################################
# #
# Test : FINT-4402 (was FINT-4316) # Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)") FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums" LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE" ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3 AddHP 1 3
else else
LogText "Result: Found SHA256 or SHA512 found for creating checksums" LogText "Result: Found SHA256 or SHA512 found for creating checksums"
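Review bot: FINT-4339 reports IMA/EVM as disabled unless runtime_measurements_count is exactly 1 (`[ "${FOUND}" -ne 1 ]`); that file is a running count of measurements, so a system with an active IMA policy (count well above 1) is shown as disabled and only a freshly initialised list passes. Test against zero instead, e.g. `[ "${FOUND}" -eq 0 ]` for the disabled branch. Two smaller points in the same hunk: in FINT-4340 the unconditional `Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN` after the inner if/else prints a second, contradicting status line when the root file system is not protected (the FINT-4341 block below correctly omits it); and `integritysetup status` / `veritysetup status` emit an error for every /dev/mapper device of another type, so add `2> /dev/null` inside the loops to keep the audit output clean.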
@ -300,7 +431,7 @@
else else
LogText "Result: No file integrity tools found" LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5 AddHP 0 5
fi fi
fi fi
@ -310,4 +441,4 @@
WaitForKeyPress WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -32,27 +32,37 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check" Display --indent 2 --text "- Starting file permissions check"
LogText "Test: Checking file permissions" LogText "Test: Checking file permissions"
FOUND=0
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline." LogText "Using profile ${PROFILE} for baseline."
FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2) FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
for I in ${FIND}; do for F in ${FILES}; do
LogText "Checking ${I}" LogText "Test: checking file/directory ${F}"
CheckFilePermissions ${I} if [ -f "${F}" ]; then
LogText " Expected permissions: ${PROFILEVALUE}" PERMS=$(${GREPBINARY} '^permfile=' ${PROFILE} | ${GREPBINARY} "=${F}:" | ${CUTBINARY} -d: -f2)
LogText " Actual permissions: ${FILEVALUE}" if HasCorrectFilePermissions "${F}" "${PERMS}"; then
LogText " Result: $PERMS" Display --indent 4 --text "File: ${F}" --result "${STATUS_OK}" --color GREEN
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then else
if IsVerbose; then Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE; fi Display --indent 4 --text "File: ${F}" --result "${STATUS_SUGGESTION}" --color YELLOW
elif [ "${PERMS}" = "OK" ]; then FOUND=1
Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN fi
elif [ "${PERMS}" = "BAD" ]; then elif [ -d "${F}" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED PERMS=$(${GREPBINARY} '^permdir=' ${PROFILE} | ${GREPBINARY} "=${F}:" | ${CUTBINARY} -d: -f2)
ReportWarning ${TEST_NO} "Incorrect permissions for file ${I}" if HasCorrectFilePermissions "${F}" "${PERMS}"; then
Display --indent 4 --text "Directory: ${F}" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "Directory: ${F}" --result "${STATUS_SUGGESTION}" --color YELLOW
FOUND=1
fi
else else
LogText "UNKNOWN status for file" if IsVerbose; then Display --indent 4 --text "${F}" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
LogText "Skipping file/directory ${F} as it does not exist on this system"
fi fi
done done
done done
if [ ${FOUND} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "Consider restricting file permissions" "See screen output or log file" "text:Use chmod to change file permissions"
fi
fi fi
# #
################################################################################# #################################################################################
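Review bot: the expected permissions are looked up with a second grep keyed on the entry type (`^permfile=` for files, `^permdir=` for directories), so a profile path whose on-disk type does not match its keyword (a `permdir=` entry that is a regular file, or the reverse) yields an empty PERMS and HasCorrectFilePermissions is called with no expected value. Read each profile line once (keyword, path and mode together, e.g. with `IFS='=:'`) instead of re-grepping by path; that also stops the path being interpreted as a regular expression in `"=${F}:"`. The rewrite also drops the previous `LogText " Expected permissions: ..."` / `" Actual permissions: ..."` lines, so a YELLOW result no longer records in the log which mode was actually found; consider logging both before the Display call.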
@ -62,4 +72,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -44,15 +44,20 @@
if [ -L ${I} ]; then if [ -L ${I} ]; then
ShowSymlinkPath ${I} ShowSymlinkPath ${I}
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options" LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" "" ReportSuggestion "${TEST_NO}" "Symlinked mount point needs to be checked manually" "${I}" ""
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then elif [ -d ${I} ]; then
LogText "Result: directory ${I} exists" LogText "Result: directory ${I} exists"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') case "${OS}" in
"AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;;
"HP-UX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($1==MP) { print $1 }}') ;;
*) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;;
esac
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system" LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separate partition" ReportSuggestion "${TEST_NO}" "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
AddHP 9 10 AddHP 9 10
else else
LogText "Result: found ${I} as a separated mount point" LogText "Result: found ${I} as a separated mount point"
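Review bot: the AIX branch assumes the mount point is always in column 2; if AIX prints a node name in the first column for remote (NFS) mounts, a network-mounted ${I} would shift to column 3 and be reported as not a separate mount point, so that case is worth confirming on a host with NFS mounts. Style-wise the three branches repeat the same pipeline and differ only in the column index; setting a column variable in the `case` and running a single awk invocation (`-v COL=...`) keeps them from drifting apart.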
@ -85,7 +90,7 @@
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found" ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
;; ;;
esac esac
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found one or more volume groups" LogText "Result: found one or more volume groups"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found LVM volume group: ${I}" LogText "Found LVM volume group: ${I}"
@ -148,7 +153,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems" LogText "Test: Checking for Linux EXT file systems"
FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }') FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found one or more EXT file systems" LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
@ -158,7 +163,27 @@
done done
else else
LogText "Result: no EXT file systems found" LogText "Result: no EXT file systems found"
Report "file_systems_ext[]=none" fi
fi
#
#################################################################################
#
# Test : FILE-6324
# Description : Checking Linux XFS file systems
Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux XFS file systems"
FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
if [ -n "${FIND}" ]; then
LogText "Result: found one or more XFS file systems"
for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2)
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|"
done
else
LogText "Result: no XFS file systems found"
fi fi
fi fi
# #
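Review bot: removing `Report "file_systems_ext[]=none"` changes the report file: consumers could previously distinguish "test ran, no EXT file systems" from "test skipped", and now both look the same. Either keep the `none` entry (and add the equivalent for the new FILE-6324 XFS test) or call the change out in the changelog. The new XFS block is a verbatim copy of the EXT loop with the type and report key swapped; a small helper taking the file system type and report key would keep the two in sync.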
@ -187,10 +212,11 @@
################################################################################# #################################################################################
# #
# Test : FILE-6330 # Test : FILE-6330
# Description : Query all ZFS mounts from /etc/fstab # Description : Query ZFS mounts
# Note : mount -p does not work under Linux
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems" Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available ZFS mount points" LogText "Test: Discover for available ZFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}') FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
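Review bot: the new log line reads "Test: Discover for available ZFS mount points"; "Discover available ZFS mount points" is the intended wording. The added note that `mount -p` does not work under Linux is useful, but since the test is still registered with `--os FreeBSD`, state in the note that this is why FILE-6330 stays FreeBSD-only, so nobody "fixes" the OS filter later.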
@ -211,7 +237,7 @@
# Description : Query all HAMMER PFS mounts from /etc/fstab # Description : Query all HAMMER PFS mounts from /etc/fstab
Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts" Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available HAMMER PFS mount points" LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}') FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
@ -248,12 +274,12 @@
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>) # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=") HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
if [ ! -z "${HAS_UUID}" ]; then if [ -n "${HAS_UUID}" ]; then
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }') UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: Using ${UUID} as UUID" LogText "Result: Using ${UUID} as UUID"
if [ ! -z "${BLKIDBINARY}" ]; then if [ -n "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
if [ ! -z "${FIND2}" ]; then if [ -n "${FIND2}" ]; then
REAL="${FIND2}" REAL="${FIND2}"
fi fi
else else
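Review bot: pre-existing bug in the unchanged line of this hunk: the awk program `'{ if ($2=="UUID=\"${UUID}\"") print $1 }'` is single-quoted, so `${UUID}` is never expanded by the shell and the comparison against blkid output can never match. Pass the value in with `-v UUID="${UUID}"` and compare against `"UUID=\"" UUID "\""`; since this hunk already touches the surrounding lines, it is a good place to fix it.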
@ -262,7 +288,7 @@
if [ -L /dev/disk/by-uuid/${UUID} ]; then if [ -L /dev/disk/by-uuid/${UUID} ]; then
LogText "Result: found disk via /dev/disk/by-uuid listing" LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID} ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! -z "${sFILE}" ]; then if [ -n "${sFILE}" ]; then
REAL="${sFILE}" REAL="${sFILE}"
LogText "Result: disk is ${REAL}" LogText "Result: disk is ${REAL}"
fi fi
@ -303,8 +329,8 @@
else else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})" LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})" #ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi fi
fi fi
@ -318,7 +344,7 @@
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
else else
PREQS_MET="NO"; PREQS_MET="NO";
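Review bot: the unchanged condition right after the `-n` change, `${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3`, requires the minor version to be at least 3 regardless of the major, so kernels such as 4.0 to 4.2 or 5.0 to 5.2 fail the prerequisite although the intent is "3.3 or later". Use `[ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]` for PREQS_MET.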
@ -372,7 +398,7 @@
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to" LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary" LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option." LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days" ReportSuggestion "${TEST_NO}" "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
fi fi
fi fi
# #
@ -391,7 +417,7 @@
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit" ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
AddHP 0 3 AddHP 0 3
fi fi
unset FIND unset FIND
@ -414,7 +440,7 @@
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit" ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
AddHP 0 3 AddHP 0 3
fi fi
unset FIND unset FIND
@ -440,7 +466,7 @@
FOUND=0 FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system" LogText "Test: Checking acl option on ext[2-4] root file system"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl) FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found ACL option" LogText "Result: found ACL option"
FOUND=1 FOUND=1
else else
@ -456,11 +482,11 @@
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }') FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! -z "${FIND1}" ]; then if [ -n "${FIND1}" ]; then
LogText "Result: found ${FIND1}" LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}" LogText "Test: Checking default options on ${FIND1}"
FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl") FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
if [ ! -z "${FIND2}" ]; then if [ -n "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options" LogText "Result: found ACL option in default mount options"
FOUND=1 FOUND=1
else else
@ -504,7 +530,7 @@
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }') NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }') NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: mount system / is configured with options: ${FIND}" LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
@ -530,31 +556,39 @@
# --------------------------------------------------------- # ---------------------------------------------------------
# Mount point nodev noexec nosuid # Mount point nodev noexec nosuid
# /boot v v v # /boot v v v
# /dev v v
# /dev/shm v v v # /dev/shm v v v
# /home v v # /home v v
# /run v v
# /tmp v v v # /tmp v v v
# /var v # /var v v
# /var/log v v v # /var/log v v v
# /var/log/audit v v v # /var/log/audit v v v
# /var/tmp v v v # /var/tmp v v v
# --------------------------------------------------------- # ---------------------------------------------------------
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev:noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /run:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nodev,nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options" Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then if [ -f ${ROOTDIR}etc/fstab ]; then
for I in ${FILESYSTEMS_TO_CHECK}; do for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1)
EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g')
FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab)
if [ "${FS_FSTAB}" = "glusterfs" ]; then if [ "${FS_FSTAB}" = "glusterfs" ]; then
EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
if [ -z "${EXPECTED_FLAGS}" ]; then if [ -z "${EXPECTED_FLAGS}" ]; then
FS_FSTAB="" FS_FSTAB=""
fi fi
fi fi
if [ ! -z "${FS_FSTAB}" ]; then if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }')
FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
else
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
fi
if [ -n "${FS_FSTAB}" ]; then
# In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line)
LogText "File system: ${FILESYSTEM}" LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}"
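Review bot: The `$1~"[^#]"` filter in the two new FOUND_FLAGS lines does not exclude commented-out fstab or mount entries: the bracket expression matches any field containing at least one character that is not `#`, so `#UUID=... /home ext4 defaults 0 2` still matches and its options are reported as the flags of /home. Use `$1 !~ /^#/` to skip lines whose first field starts with `#`. The comment explaining the caret placement is also positioned after the awk commands it describes and inside a different `if` branch; move it directly above the FOUND_FLAGS assignments. Finally, the fallback uses a bare `mount` while the rest of this file calls `${MOUNTBINARY}`, and the mount output stored in FS_FSTAB is an option string rather than a filesystem type, so a name such as FS_MOUNTED would avoid confusion in the later `-n` test.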
@ -562,7 +596,7 @@
FULLY_HARDENED=1 FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}) FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
if [ "${FLAG_AVAILABLE}" = "" ]; then if [ -z "${FLAG_AVAILABLE}" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0 FULLY_HARDENED=0
else else
@ -571,29 +605,37 @@
fi fi
done done
if [ ${FULLY_HARDENED} -eq 1 ]; then if [ ${FULLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened" LogText "Result: marked ${FILESYSTEM} as fully hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5 AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened" LogText "Result: marked ${FILESYSTEM} as partially hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5 AddHP 4 5
else else
if [ "${FOUND_FLAGS}" = "defaults" ]; then # if
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)" if ContainsString "defaults" "${FOUND_FLAGS}"; then
LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5 AddHP 3 5
else else
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)" LogText "Result: marked ${FILESYSTEM} options as non-default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5 AddHP 4 5
fi fi
fi fi
else else
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab" LogText "Result: file system ${FILESYSTEM} not found in ${ROOTDIR}etc/fstab"
fi fi
done done
fi fi
NMOUNTS=$(mount | ${WCBINARY} --lines)
NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines)
NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines)
NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines)
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
fi fi
# #
################################################################################# #################################################################################
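Review bot: The `else` branch now starts with a stray `# if` comment that should be removed. In the new summary counters, `${WCBINARY} --lines` is a GNU long option that BusyBox and BSD `wc` do not accept, and this file already uses `${WCBINARY} -l` elsewhere (see the iptables empty-ruleset test); use `-l` for consistency and portability. The five `mount` invocations are bare rather than `${MOUNTBINARY}` as used earlier in the same file, and the same `mount` output is re-run for every counter; capturing it once into a variable and counting from that would avoid inconsistent totals if mounts change mid-run. The ContainsString change also alters behaviour from an exact match to a substring match, which is fine for `defaults` but should be mentioned in the changelog.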
@ -605,7 +647,7 @@
if [ -f ${ROOTDIR}etc/fstab ]; then if [ -f ${ROOTDIR}etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab) FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}" LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
@ -627,7 +669,6 @@
# Description : Check for nodirtime option # Description : Check for nodirtime option
# Want to contribute to Lynis? Create this test # Want to contribute to Lynis? Create this test
# #
################################################################################# #################################################################################
# #
@ -635,7 +676,6 @@
# Description : Check for relatime # Description : Check for relatime
# Want to contribute to Lynis? Create this test # Want to contribute to Lynis? Create this test
# #
################################################################################# #################################################################################
# #
@ -648,11 +688,36 @@
# #
################################################################################# #################################################################################
# #
# Test : FILE-6394 TODO # Test : FILE-6394
# Description : Check vm.swappiness (Linux) # Description : Check vm.swappiness (Linux)
Register --test-no FILE-6394 --os Linux --weight L --network NO --category security --description "Determine level of swappiness."
# Want to contribute to Lynis? Create this test if [ ${SKIPTEST} -eq 0 ]; then
SWAPLEVEL=$(${CAT_BINARY} /proc/sys/vm/swappiness)
LogText "Test: checking level of vm.swappiness: ${SWAPLEVEL}"
PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}')
if [ ${SWAPLEVEL} -gt 60 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is more frequent than default."
# Check if swap is on a HDD or SDD for frequent swapping
if [ -d "/sys/block/${PHYSDISK}" ]; then
HDDORSDD=$(${CAT_BINARY} "/sys/block/${PHYSDISK}/queue/rotational")
if [ ${HDDORSDD} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL} > 60 (default) - consider installing an SSD for swap partition for better performance."
fi
fi
elif [ ${SWAPLEVEL} -eq 0 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning swapping is disabled."
ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL}. Consider setting value to minimum of 1 for minimizing swappiness, but not quite disabling it. Will prevent OOM killer from killing processes when running out of physical memory."
elif [ ${SWAPLEVEL} -eq 1 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping can still occur but at very minimum."
elif [ ${SWAPLEVEL} -eq 10 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} which is the preferred setting for database servers."
elif [ ${SWAPLEVEL} -lt 60 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is less frequent than default. This is only recommended for servers."
else
LogText "Result: vm.swappiness=${SWAPLEVEL} which is the standard level of swappiness and works well for desktop systems."
fi
if IsVerbose; then Display --indent 2 --text "- Swappiness: ${SWAPLEVEL}" --result "INFO" --color WHITE; fi
fi
# #
################################################################################# #################################################################################
# #
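Review bot: The new FILE-6394 test has two unguarded arithmetic comparisons. If /proc/sys/vm/swappiness is not readable (for example inside a restricted container), SWAPLEVEL is empty and `[ ${SWAPLEVEL} -gt 60 ]` is a shell error; add a `-f`/`-n` guard before the comparisons. When swappiness is above 60 but no swap device is listed by lsblk, PHYSDISK is empty, `[ -d "/sys/block/" ]` is still true, the `cat` of `/sys/block//queue/rotational` fails, and `[ ${HDDORSDD} -eq 1 ]` errors in the same way; test `[ -n "${PHYSDISK}" ]` first. The lsblk parsing also assumes the swap partition sits directly under a whole-disk line, which is not the case for swap files or LVM-backed swap. On wording, "vm.swappiness=0 meaning swapping is disabled" is inaccurate: a value of 0 only makes the kernel avoid swapping anonymous pages until memory pressure is high; it does not disable swap. The HDD versus SSD suggestion is a performance observation rather than a security finding, so consider logging it instead of raising a ReportSuggestion in a test registered under the security category.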
@ -690,7 +755,7 @@
else else
LogText "Result: database not found" LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file." ReportSuggestion "${TEST_NO}" "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi fi
fi fi
# #
@ -733,10 +798,10 @@
# Test : FILE-6430 # Test : FILE-6430
# Description : Disable mounting of some filesystems # Description : Disable mounting of some filesystems
# Rationale : Unless there is a specific reason to use a particular file system, disable it. # Rationale : Unless there is a specific reason to use a particular file system, disable it.
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems" Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable kernel support of some filesystems" Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf" LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0 FOUND=0
@ -744,19 +809,17 @@
AVAILABLE_MODPROBE_FS="" AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output # Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1) FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}" LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
Debug "Module ${FS} present in the kernel" Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active" LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output # Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}") FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel" LogText "Result: module ${FS} is currently not loaded in the kernel."
AddHP 2 3 AddHP 2 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
# Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1 FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} " AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
else else
@ -767,9 +830,19 @@
AddHP 3 3 AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi fi
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted"
fi
fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)"
fi fi
else else
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened" LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"
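Review bot: The blacklist detection added in this hunk uses the unanchored pattern `"blacklist ${FS}"`, so with both `hfs` and `hfsplus` in the list a single `blacklist hfsplus` line also marks `hfs` as blacklisted. Anchor the match, for example `"^blacklist[[:space:]]+${FS}[[:space:]]*$"`, or use `-w`. The `install` check only recognises `/bin/true`, while `install ${FS} /bin/false` is an equally common and effective form; accept both. `${GREPBINARY} -v "#"` also discards any otherwise valid line that carries a trailing comment. The Display call uses `$FS` where every other line uses `${FS}`, and its indent of 4 differs from the indent 6 used for the other per-module results. Lastly, FOUND is set before the blacklist check and never cleared, so the new ReportSuggestion still fires for modules that are already blacklisted; consider skipping a module that is blacklisted when building AVAILABLE_MODPROBE_FS, and use `${ROOTDIR}etc/modprobe.d/blacklist.conf` in the suggestion for consistency with the paths above.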


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -41,7 +41,7 @@
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module" Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables") FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
IPTABLES_ACTIVE=1 IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1 IPTABLES_MODULE_ACTIVE=1
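Review bot: The unchanged context line `${GREPBINARY} "^ip*_tables"` does not match `ip6_tables`: `p*` means zero or more `p` characters, so the pattern matches `ip_tables` (and oddities like `i_tables`) but never the IPv6 module. If the intent is to detect either module, use `"^ip6*_tables"` with grep or `"^ip6?_tables"` with egrep, and since this hunk already touches the surrounding test it is a good moment to fix it.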
@ -73,11 +73,11 @@
# If we have a kernel configuration file, use it for testing # If we have a kernel configuration file, use it for testing
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming # Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
# tests, when using iptables --list # tests, when using iptables --list
if [ ! -z "${LINUXCONFIGFILE}" ]; then if [ -n "${LINUXCONFIGFILE}" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1) FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2) HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list. # active list.
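Review bot: The context line reading the kernel configuration still uses a bare `head -n 1`, whereas this same commit replaced bare `tail` with `${TAILBINARY}` in the filesystem tests and this file already uses `${HEADBINARY} -1` in the pfctl check; switch it to `${HEADBINARY}` for consistency. The comment above it, "to avoid triggered it in the upcoming tests", reads better as "to avoid triggering it in the upcoming tests".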
@ -115,7 +115,7 @@
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done done
echo "${FIND}" | while read line; do echo "${FIND}" | while read -r line; do
table=$(echo ${line} | ${AWKBINARY} '{ print $1 }') table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }') chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }') policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
@ -128,7 +128,7 @@
"ACCEPT") "ACCEPT")
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
#ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})" #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
AddHP 1 3 AddHP 1 3
;; ;;
"DROP") "DROP")
@ -139,7 +139,7 @@
*) *)
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
LogText "Result: Unknown policy: ${policy}" LogText "Result: Unknown policy: ${policy}"
#ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy" #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
;; ;;
esac esac
fi fi
@ -151,18 +151,18 @@
# #
# Test : FIRE-4512 # Test : FIRE-4512
# Description : Check iptables for empty ruleset (should have at least 5 or more rules) # Description : Check iptables for empty ruleset (should have at least 5 or more rules)
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
if [ ${FIND} -le 5 ]; then if [ ${FIND} -le 5 ]; then
# Firewall is active, but needs configuration # Firewall is active, but needs configuration
FIREWALL_EMPTY_RULESET=1 FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active" ReportWarning "${TEST_NO}" "iptables module(s) loaded, but no rules active"
else else
LogText "Result: one or more rules are available (${FIND} rules)" LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
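Review bot: The `-n "${FIND}"` test in this hunk can never be false: `${WCBINARY} -l` always prints a count, so FIREWALL_ACTIVE=1 is set on every run, including when iptables fails (its stderr is discarded) and the count is 0. Check that the iptables command succeeded, or that the count is greater than zero, before declaring the firewall active. The description says the ruleset "should have at least 5 or more rules", but `-le 5` treats exactly 5 rules as empty; either change the comparison to `-lt 5` or reword the description so the two agree.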
@ -174,7 +174,7 @@
# #
# Test : FIRE-4513 # Test : FIRE-4513
# Description : Check iptables for unused rules # Description : Check iptables for unused rules
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules" Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY}) FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
@ -187,7 +187,7 @@
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}" LogText "Output: iptables rule numbers: ${FIND}"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used" ReportSuggestion "${TEST_NO}" "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose" LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi fi
fi fi
@ -212,7 +212,7 @@
# Check status with pfctl # Check status with pfctl
LogText "Test: checking pf status via pfctl" LogText "Test: checking pf status via pfctl"
if [ ! -z "${PFCTLBINARY}" ]; then if [ -n "${PFCTLBINARY}" ]; then
FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }') FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "Disabled" ]; then if [ "${FIND}" = "Disabled" ]; then
if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
@ -233,7 +233,7 @@
if [ ${PFFOUND} -eq 0 ]; then if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar) # Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module" LogText "Test: searching for pf kernel module"
if [ ! -z "${KLDSTATBINARY}" ]; then if [ -n "${KLDSTATBINARY}" ]; then
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko') FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD" LogText "Result: Can not find pf KLD"
@ -245,8 +245,7 @@
LogText "Result: no kldstat binary, skipping this part" LogText "Result: no kldstat binary, skipping this part"
fi fi
IsRunning pflogd if IsRunning "pflogd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found pflog daemon in process list" LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1 PFFOUND=1
@ -283,7 +282,7 @@
else else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules" LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" ReportWarning "${TEST_NO}" "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi fi
else else
LogText "Result: /etc/pf.conf does NOT exist" LogText "Result: /etc/pf.conf does NOT exist"
@ -353,7 +352,7 @@
# Description : Check IPFW (FreeBSD) # Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status" Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SYSCTLBINARY}" ]; then if [ -n "${SYSCTLBINARY}" ]; then
# For now, only check for IPv4. # For now, only check for IPv4.
FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }') FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "1" ]; then if [ "${FIND}" = "1" ]; then
@ -386,7 +385,7 @@
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall" Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled") FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
LogText "Result: application firewall of macOS is enabled" LogText "Result: application firewall of macOS is enabled"
@ -408,10 +407,11 @@
Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS" Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Little Snitch Daemon (macOS) # Little Snitch Daemon (macOS)
LogText "Test: checking process Little Snitch Daemon" LogText "Test: checking process Little Snitch Daemon"
IsRunning --full "Little Snitch Daemon" if IsRunning --full "Little Snitch Daemon"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Little Snitch found" LogText "Result: Little Snitch found"
FOUND=1 FOUND=1
@ -423,8 +423,7 @@
# HandsOff! Daemon (macOS) # HandsOff! Daemon (macOS)
LogText "Test: checking process HandsOffDaemon" LogText "Test: checking process HandsOffDaemon"
IsRunning HandsOffDaemon if IsRunning "HandsOffDaemon"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Hands Off! Daemon" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking Hands Off! Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Hands Off! found" LogText "Result: Hands Off! found"
FOUND=1 FOUND=1
@ -436,8 +435,7 @@
# LuLu Daemon (macOS) # LuLu Daemon (macOS)
LogText "Test: checking process LuLu" LogText "Test: checking process LuLu"
IsRunning LuLu if IsRunning "LuLu"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking LuLu Daemon" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking LuLu Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: LuLu found" LogText "Result: LuLu found"
FOUND=1 FOUND=1
@ -449,8 +447,7 @@
# Radio Silence (macOS) # Radio Silence (macOS)
LogText "Test: checking process Radio Silence" LogText "Test: checking process Radio Silence"
IsRunning --full "Radio Silence" if IsRunning --full "Radio Silence"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Radio Silence" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking Radio Silence" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Radio Silence found" LogText "Result: Radio Silence found"
FOUND=1 FOUND=1
@ -478,7 +475,7 @@
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status" Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables") FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found nftables kernel module" LogText "Result: found nftables kernel module"
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1 NFTABLES_ACTIVE=1
@ -506,13 +503,13 @@
# Test : FIRE-4540 # Test : FIRE-4540
# Description : Check nftables configuration # Description : Check nftables configuration
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration" Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset # Check for empty ruleset
NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c) NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
if [ ${NFT_RULES_LENGTH} -le 16 ]; then if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1 FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 16 rules or less and is considered to be empty" LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
else else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration" LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
fi fi
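Review bot: the new empty-ruleset heuristic in FIRE-4540 filters with `${EGREPBINARY} -v "table|chain|;$|}$|^$"`, which drops every rule line that merely contains the word "chain" or "table" (for example a `jump` to a chain named `input_chain`), and the `-le 3` threshold then reports a ruleset holding one to three genuine rules as empty. Consider anchoring the filter on the line start (`^table `, `^[[:space:]]*chain `) and comparing against 0, or add a comment explaining why three lines is the cutoff. Since the variable now holds a line count rather than a rule count, the LogText "found ${NFT_RULES_LENGTH} rules" is also slightly misleading, and it is worth verifying that `nft list ruleset --stateless` (option after the command) is accepted by the nft versions you target, as the documented form places `-s`/`--stateless` before the command. Adding `--root-only YES` is the right call: an unprivileged `nft list ruleset` prints nothing and would otherwise be counted as an empty ruleset.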
@ -526,7 +523,7 @@
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging" Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IPTABLES_ACTIVE} -eq 1 ]; then if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
if [ ! -z "${IPTABLESSAVEBINARY}" ]; then if [ -n "${IPTABLESSAVEBINARY}" ]; then
HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG") HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
if [ -z "${HAS_LOGGING}" ]; then if [ -z "${HAS_LOGGING}" ]; then
Report "firewall_no_logging[]=iptables" Report "firewall_no_logging[]=iptables"
@ -553,7 +550,7 @@
else else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured" LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic" ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5 AddHP 0 5
fi fi
fi fi
@ -563,7 +560,7 @@
# Test : FIRE-4594 # Test : FIRE-4594
# Description : Check for APF (Advanced Policy Firewall) # Description : Check for APF (Advanced Policy Firewall)
Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence" Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/apf/conf.apf" FILE="/etc/apf/conf.apf"
LogText "Test: check ${FILE}" LogText "Test: check ${FILE}"
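Review bot: the `PREQS_MET` assignment on the `-n "${IPTABLESBINARY}"` line runs after `Register --test-no FIRE-4594 ...` has already been called without `--preqs-met`, so the iptables check never influences whether the test is skipped. Move the assignment above the Register line and pass `--preqs-met ${PREQS_MET}`, as the neighbouring tests in this file do.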
@ -596,11 +593,6 @@
################################################################################# #################################################################################
# #
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
WaitForKeyPress WaitForKeyPress
# #
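Review bot: this hunk deletes the `Report "firewall_active=..."`, `Report "firewall_empty_ruleset=..."` and `Report "firewall_installed=..."` lines with no replacement visible here. If they were relocated elsewhere in the change that is fine, but otherwise the report file silently loses these keys and any tooling that parses them for the firewall status breaks; please confirm where they are emitted now.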

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -20,7 +20,7 @@
# #
InsertSection "Hardening" InsertSection "Hardening"
# COMPILER_INSTALLED is initialised before # COMPILER_INSTALLED is initialized before
HARDEN_COMPILERS_NEEDED=0 HARDEN_COMPILERS_NEEDED=0
# #
################################################################################# #################################################################################
@ -54,12 +54,12 @@
LogText "Result: no compilers found" LogText "Result: no compilers found"
else else
# TODO - c89 c99 cpp ld # TODO - c89 c99 cpp ld
TEST_BINARIES="${ASBINARY} ${GCCBINARY}" TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
for ITEM in ${TEST_BINARIES}; do for ITEM in ${TEST_BINARIES}; do
FILE="${ITEM}" FILE="${ITEM}"
LogText "Test: Check file permissions for ${ITEM}" LogText "Test: Check file permissions for ${ITEM}"
ShowSymlinkPath ${ITEM} ShowSymlinkPath ${ITEM}
if [ ! -z "${SYMLINK}" ]; then if [ -n "${SYMLINK}" ]; then
FILE="${SYMLINK}" FILE="${SYMLINK}"
fi fi
@ -76,7 +76,7 @@
# Report suggestion is one or more compilers can be better hardened # Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only" LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
fi fi
fi fi
fi fi
@ -99,7 +99,7 @@
else else
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
fi fi
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC" ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
AddHP 1 3 AddHP 1 3
LogText "Result: no malware scanner found" LogText "Result: no malware scanner found"
fi fi

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -37,8 +37,8 @@
Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories" Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd # Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories" LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories"
FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u) FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' ${ROOTDIR}etc/passwd | ${SORTBINARY} -u)
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)" LogText "Result: found home directory: ${I} (directory exists)"
@ -50,12 +50,83 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : HOME-9304
# Description : Check if users' home directories permissions are 750 or more restrictive
Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
LogText "Test: checking directory '${DIR}' for user '${USER}'"
if [ -d "${DIR}" ]; then
WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
if [ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]; then
LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}"
FOUND=1
else
LogText "Result: permissions of home directory ${DIR} of user ${USER} are fine"
fi
fi
done << EOF
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Double check the permissions of home directories as some might be not strict enough."
else
Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_OK}" --color GREEN
LogText "Result: OK, all permissions of the home directories are 750 or more restrictive"
fi
fi
#
#################################################################################
#
# Test : HOME-9306
# Description : Check if users own their home directories
Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
LogText "Test: checking directory '${DIR}' for user '${USER}'"
if [ -d "${DIR}" ]; then
OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
if [ ! "${OWNER}" = "${USER}" ]; then
LogText "Result: the home directory ${DIR} of user ${USER} is owned by ${OWNER}. Correct: chown ${USER} ${DIR}"
FOUND=1
else
LogText "Result: ownership of home directory ${DIR} for user ${USER} looks to be correct"
fi
fi
done << EOF
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Double check the ownership of home directories as some might be incorrect."
else
Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_OK}" --color GREEN
LogText "Result: OK, all users own their home directories"
fi
fi
#
#################################################################################
# #
# Test : HOME-9310 # Test : HOME-9310
# Description : Check for suspicious shell history files # Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files" Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${HOMEDIRS}" ]; then if [ -n "${HOMEDIRS}" ]; then
if [ "${OS}" = "Solaris" ]; then if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth # Solaris doesn't support -maxdepth
FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print) FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
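Review bot: in HOME-9304 and HOME-9306 the exclusion pattern `'^(daemon|git|halt|root|shutdown|sync)'` has no trailing `:` anchor, so any account whose name merely starts with one of those strings (gitlab, syncthing, a rootkit-scanner service user) is silently skipped; use `'^(daemon|git|halt|root|shutdown|sync):'`. Two smaller points in the same block: HOME-9304 compares the permission characters with unquoted operands (`[ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]`), which yields a shell syntax error instead of a clean skip when `ls -ld` prints nothing (unreadable directory, path containing a space), so quote both sides and the `${DIR}` passed to `ls -ld`; and HOME-9306 calls bare `ls` and `awk` where HOME-9304 uses `${LSBINARY}` and `${AWKBINARY}`. Since both tests build the same USERDATA and iterate the same lines, consider enumerating the user/directory pairs once and checking permissions and ownership in a single pass.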
@ -70,12 +141,12 @@
LogText "Result: the following files seem to be of the wrong file type:" LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
LogText "Info: above files could be redirected files to avoid logging and should be investigated" LogText "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "Incorrect file type found for shell history file" ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
fi fi
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful." LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
else else
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: Homedirs is empty, test will be skipped" LogText "Result: Homedirs is empty, therefore test will be skipped"
fi fi
fi fi
# #
@ -93,7 +164,7 @@
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used # Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command # as much as possible for every find command
# Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory # Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories" Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }') IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }')

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -18,7 +18,7 @@
# #
################################################################################# #################################################################################
# #
# Unsecure services # Insecure services
# #
################################################################################# #################################################################################
# #
@ -28,32 +28,55 @@
# #
INETD_ACTIVE=0 INETD_ACTIVE=0
INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf" INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
INETD_PACKAGE_INSTALLED=0
XINETD_ACTIVE=0
XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf"
XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d"
#
#################################################################################
#
# Test : INSE-8000
# Description : Check for installed inetd package
Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed inetd daemon
LogText "Test: Checking if inetd is installed"
if PackageIsInstalled "inetd"; then
INETD_PACKAGE_INSTALLED=1
LogText "Result: inetd is installed"
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "If there are no inetd services required, it is recommended that the daemon be removed"
else
LogText "Result: inetd is NOT installed"
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
# #
################################################################################# #################################################################################
# #
# Test : INSE-8002 # Test : INSE-8002
# Description : Check for inetd status # Description : Check for inetd status
Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon" if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes # Check running processes
LogText "Test: Searching for active inet daemon" LogText "Test: Searching for active inet daemon"
IsRunning inetd if IsRunning "inetd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: inetd is running" LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1 INETD_ACTIVE=1
else else
LogText "Result: inetd is NOT running" LogText "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : INSE-8004 # Test : INSE-8004
# Description : Check for inetd configuration file # Description : Check for inetd configuration file (inetd)
if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon" Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file # Check configuration file
LogText "Test: Searching for file ${INETD_CONFIG_FILE}" LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
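Review bot: making INSE-8002 conditional on `INETD_PACKAGE_INSTALLED` introduces a gap: INSE-8000 is `--package-manager-required` and tests the literal package name "inetd", so on systems where inetd is part of the base system (the BSDs) or packaged under another name (Debian's openbsd-inetd and inetutils-inetd), the flag stays 0 and the running-process check, plus INSE-8004 which hangs off INETD_ACTIVE, are skipped even while inetd is listening. Suggest keeping INSE-8002 unconditional (the process check is cheap and needs no package manager) or setting the prerequisite to "package installed or binary found". Also, INSE-8000 displays "${STATUS_FOUND}" in YELLOW while its ReportSuggestion is commented out, so the screen hints at a finding that never reaches the report; either emit the suggestion or use a neutral colour.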
@ -73,16 +96,16 @@
if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled" Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002) # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002)
LogText "Test: check if all services are disabled if inetd is disabled" LogText "Test: check if all services are disabled when inetd is disabled"
FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$") FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${INETD_CONFIG_FILE}" LogText "Result: no services found in ${INETD_CONFIG_FILE}"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found services in inetd, even though inetd is not running" LogText "Result: found services in inetd, even though inetd is not running"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service" ReportSuggestion "${TEST_NO}" "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
fi fi
fi fi
# #
@ -95,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking telnet presence in inetd configuration" LogText "Test: checking telnet presence in inetd configuration"
FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE}) FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}" LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
@ -109,19 +132,379 @@
# #
################################################################################# #################################################################################
# #
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi # Test : INSE-8100
# Description : Check for installed xinetd daemon
Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed xinetd daemon
LogText "Test: Checking for installed xinetd daemon"
if PackageIsInstalled "xinetd"; then
LogText "Result: xinetd is installed"
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "If there are no xinetd services required, it is recommended that the daemon be removed"
else
LogText "Result: xinetd is NOT installed"
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8102
# Description : Check for xinetd status
Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active extended internet services daemon (xinetd)"
if IsRunning "xinetd"; then
LogText "Result: xinetd is running"
Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
XINETD_ACTIVE=1
else
LogText "Result: xinetd is NOT running"
Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8104
# Description : Check for xinetd configuration file
if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled xinet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
LogText "Test: Searching for file ${XINETD_CONFIG_FILE}"
if [ -f "${XINETD_CONFIG_FILE}" ]; then
LogText "Result: ${XINETD_CONFIG_FILE} exists"
Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE
else
LogText "Result: ${XINETD_CONFIG_FILE} does not exist"
Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : INSE-8106
# Description : Check for xinetd configuration file contents if xinetd is NOT active
if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102)
LogText "Test: check if all services are disabled if xinetd is disabled"
FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR})
if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${XINETD_CONFIG_DIR}"
Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
fi
fi
#
#################################################################################
#
# Test : INSE-8116
# Description : Check for insecure services enabled via xinetd
if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd"
if [ ${SKIPTEST} -eq 0 ]; then
XINETD_INSECURE_SERVICE_FOUND=0
ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh rsync talk telnet tftp"
for SERVICE in ${ITEMS}; do
LogText "Test: checking service ${SERVICE}"
if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then
FILE="${XINETD_CONFIG_DIR}/${SERVICE}"
if [ -f "${FILE}" ]; then
LogText "Test: checking status in xinetd configuration file (${FILE})"
FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found insecure service enabled: ${SERVICE}"
XINETD_INSECURE_SERVICE_FOUND=1
ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
Report "insecure_service[]=${SERVICE}"
fi
fi
else
LogText "Result: skipped, as this item is excluded using the profile"
fi
done
if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then
LogText "Result: no insecure services found in xinetd configuration"
Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
LogText "Result: one ore more insecure services discovered in xinetd configuration"
Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : INSE-8200
# Description : Check if tcp_wrappers is installed when inetd/xinetd is active
if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if tcp_wrappers is installed"
FOUND=0
PACKAGES="tcp_wrappers tcpd"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: tcp_wrappers is installed"
Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: tcp_wrappers is NOT installed"
Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
fi
fi
#
#################################################################################
#
# Test : INSE-8300
# Description : Check if rsh client is installed
Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if rsh client is installed"
FOUND=0
PACKAGES="rsh rsh-client rsh-redone-client"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: rsh client is installed"
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove rsh client when it is not in use or replace with the more secure SSH package"
else
LogText "Result: rsh client is NOT installed"
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8302
# Description : Check presence of rsh Trust Files
#Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files"
#if [ ${SKIPTEST} -eq 0 ]; then
# # Check presence of Rsh Trust Files
# FOUND=0
# for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
# DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
# if [ -d ${DIR} ]; then
# for RHOSTS in ${DIR}/.rhosts; do
# if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then
# LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}"
# FOUND=1
# fi
# done
# fi
# done
# if [ -f /etc/hosts.equiv ];then
# LogText "FOUND /etc/hosts.equiv"
# FOUND=1
# fi
# if [ ${FOUND} -eq 1 ]; then
# LogText "Result: found one or more Rsh Trust Files"
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
# else
# LogText "Result: no Rsh Trust Files found"
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN
# fi
#fi
#
#################################################################################
#
# Test : INSE-8304
# Description : Check if rsh server is installed
Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if rsh server is installed
LogText "Test: Checking if rsh server is installed"
FOUND=0
PACKAGES="rsh-server rsh-redone-server"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: rsh server is installed"
Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove the rsh-server package and replace with a more secure alternative like SSH"
Report "insecure_service[]=rsh-server"
else
LogText "Result: rsh server is NOT installed"
Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8310
# Description : Check if telnet client is installed
Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if telnet client is installed
LogText "Test: Checking if telnet client is installed"
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet client is installed"
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW
# Telnet client usage might be used for troubleshooting instead of system administration
#ReportSuggestion "${TEST_NO}" "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
else
LogText "Result: telnet client is NOT installed"
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8312
# Description : Check if telnet server is installed
Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if TFTP server is installed
LogText "Test: Checking if telnet server is installed"
FOUND=0
PACKAGES="telnetd telnet-server"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet server is installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible"
Report "insecure_service[]=telnet-server"
else
LogText "Result: telnet server is NOT installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8314
# Description : Check if NIS client is installed
Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS client is installed"
PACKAGES="nis ypbind"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: NIS client is installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
else
LogText "Result: NIS client is NOT installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8316
# Description : Check if NIS server is installed
Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS server is installed"
PACKAGES="nis ypserv"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: NIS server is installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
else
LogText "Result: NIS server is NOT installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8318
# Description : Check if TFTP client is installed
Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP client is installed"
FOUND=""
PACKAGES="atftp tftp tftp-hpa"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: TFTP client is installed"
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
else
LogText "Result: TFTP client is NOT installed"
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8320
# Description : Check if TFTP server is installed
Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP server is installed"
FOUND=""
PACKAGES="atftpd tftpd tftp-server tftpd-hpa"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: TFTP server is installed"
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
else
LogText "Result: TFTP server is NOT installed"
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS" Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
TEST_SERVICES="com.apple.fingerd" TEST_SERVICES="com.apple.fingerd com.apple.ftp-proxy"
for ITEM in ${TEST_SERVICES}; do for ITEM in ${TEST_SERVICES}; do
if ${LAUNCHCTL_BINARY} print-enabled system | grep -sq ${ITEM}; then if ${LAUNCHCTL_BINARY} list | ${GREPBINARY} -sq ${ITEM}; then
Display --indent 2 --text "- $text" --result "${STATUS_NO}" --color RED Display --indent 2 --text "- ${ITEM}" --result "${STATUS_NO}" --color RED
LogText "Result: found ${ITEM}, which is considered an insecure service" LogText "Result: found ${ITEM}, which is considered an insecure service"
AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-" ReportSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
AddHP 0 1 AddHP 0 1
else else
Display --indent 2 --text "- $text" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- ${ITEM}" --result "${STATUS_OK}" --color GREEN
LogText "Result: $text, OK" LogText "Result: did not find ${ITEM}, which is fine"
AddHP 1 1 AddHP 1 1
fi fi
done done
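Review bot: INSE-8310 (telnet client) never resets FOUND and has no package loop, so it inherits FOUND and PACKAGE from the preceding INSE-8304 test and effectively re-checks the last rsh server package name instead of any telnet client package; add `FOUND=0`, a `PACKAGES="..."` list of the distribution's telnet client package names and the same `for PACKAGE in ${PACKAGES}; do ... done` loop the neighbouring tests use. Also in this region: the telnet server test is registered as `--test-no INSE-8322` while its header comment (and the changelog entry) say INSE-8312, so its suggestion and report entries will be filed under the wrong id; the comment inside that block still reads "Check if TFTP server is installed"; INSE-8200 displays STATUS_SUGGESTION but its `ReportSuggestion` line is commented out, so nothing reaches the report; and the xinetd LogText has "one ore more" for "one or more". In the macOS INSE-8050 block, replacing the undefined `$text` with `${ITEM}` and `AddSuggestion` with `ReportSuggestion` fixes real bugs, but note that `launchctl list` reports the jobs loaded in the calling user's domain, so a run without root privileges will not see system daemons and the test will report OK for them.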
@ -130,9 +513,6 @@
################################################################################# #################################################################################
# #
# To do:
# - mark in report when a system was tested for any insecure services
WaitForKeyPress WaitForKeyPress
# #
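Review bot: the to-do about marking in the report that the system was tested for insecure services is dropped, but nothing in the visible changes records that; the new `Report "insecure_service[]=..."` lines only fire when a package is actually found. Either keep the to-do or add an unconditional report entry at the end of the section so a clean system is distinguishable from one where the section was skipped.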

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -26,11 +26,12 @@
# #
################################################################################# #################################################################################
# #
CORE_DUMPS_DISABLED=0
CPU_PAE=0 CPU_PAE=0
CPU_NX=0 CPU_NX=0
LINUXCONFIGFILE="" LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0 LINUXCONFIGFILE_ZIPPED=0
LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
APT_ARCHIVE_DIRECTORY="${ROOTDIR}var/cache/apt/archives"
# #
################################################################################# #################################################################################
# #
@ -48,7 +49,7 @@
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
else else
FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical") FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if HasData "${FIND2}"; then if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical" LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -102,8 +103,7 @@
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
if [ "${HARDWARE}" = "x86_64" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no KRNL-5677 --platform x86_64 --os Linux --weight L --network NO --category security --description "Check CPU options and support"
Register --test-no KRNL-5677 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)" Display --indent 2 --text "- Checking CPU support (NX/PAE)"
LogText "Test: Checking /proc/cpuinfo" LogText "Test: Checking /proc/cpuinfo"
@ -144,7 +144,7 @@
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support" ReportSuggestion "${TEST_NO}" "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi fi
else else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
@ -182,7 +182,7 @@
# Description : Check if Linux is build as a monolithic kernel or not # Description : Check if Linux is build as a monolithic kernel or not
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic" Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular" LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded # Checking if any modules are loaded
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ') FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
@ -207,7 +207,7 @@
# Description : Checking Linux loaded kernel modules # Description : Checking Linux loaded kernel modules
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort) FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then if HasData "${FIND}"; then
@ -234,18 +234,19 @@
# Description : Checking for available Linux kernel configuration file in /boot # Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-$(uname -r)" CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
if [ -f ${CHECKFILE} ]; then if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})" LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
elif [ -f /proc/config.gz ]; then elif [ -f ${CHECKFILE_ZIPPED} ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
LINUXCONFIGFILE_ZIPPED=1 LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)" LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no Linux kernel configuration file found in /boot" LogText "Result: no Linux kernel configuration file found in ${ROOTDIR}boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if HasData "${LINUXCONFIGFILE}"; then if HasData "${LINUXCONFIGFILE}"; then
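Review bot: `CHECKFILE` is derived from `$(uname -r)`, which is the running host kernel; when `ROOTDIR` points at another root (the reason this hunk adds the prefix) the config of the audited image will usually not be found. Consider selecting the config file present under `${ROOTDIR}boot/` when ROOTDIR is not `/`. Minor: the compressed-case LogText can use `${CHECKFILE_ZIPPED}` instead of repeating the literal path, and the `[ -f ${CHECKFILE} ]` tests should quote the variable. The fix of assigning `${CHECKFILE_ZIPPED}` instead of `${CHECKFILE}` in the elif branch corrects a real bug in the old code.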
@ -266,15 +267,15 @@
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler" Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then if [ -n "${GREPTOOL}" ]; then
LogText "Test: Checking the default I/O kernel scheduler" LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g) LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else else
LogText "Result: no default i/o kernel scheduler found" LogText "Result: no default I/O kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
@ -322,8 +323,8 @@
LogText "Test: Active kernel modules (KLDs)" LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)" LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules" LogText "Test: Checking modules"
if [ -f ${ROOTDIR}sbin/kldstat ]; then if [ -x /sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) FIND=$(/sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:" LogText "Loaded modules according kldstat:"
COUNT=0 COUNT=0
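Review bot: switching from `${ROOTDIR}sbin/kldstat` to a hardcoded `/sbin/kldstat` is correct for an executable (the host's kldstat is wanted, not one under an audited rootdir), but it bypasses the binary-discovery convention used for every other tool here (`${GREPBINARY}`, `${TRBINARY}`, `${CUTBINARY}`). Prefer a discovered variable (say `KLDSTATBINARY`, named here only as an example) and a `--preqs-met` check at registration, so the test is skipped cleanly instead of printing SKIPPED from inside the test body.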
@ -339,7 +340,7 @@
fi fi
else else
echo "[ ${WHITE}SKIPPED${NORMAL} ]" echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat" LogText "Result: no results, can NOT find /sbin/kldstat"
fi fi
fi fi
# #
@ -374,10 +375,17 @@
LogText "Test: Searching apt-cache, to determine if a newer kernel is available" LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache" LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz" LogText "Test: checking presence of ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz"
if [ -f ${ROOTDIR}vmlinuz ]; then if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
HAS_VMLINUZ=1 HAS_VMLINUZ=1
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz) if [ -f ${ROOTDIR}vmlinuz ]; then
FINDVMLINUZ=${ROOTDIR}vmlinuz
else
FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
fi
LogText "Result: found ${FINDVMLINUZ}"
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
LogText "Output: readlink reported file ${FINDKERNFILE}" LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S" LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
@ -385,9 +393,15 @@
elif [ -e ${ROOTDIR}dev/grsec ]; then elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r) FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
FINDKERNEL=raspberrypi-kernel
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
else else
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date." LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz" ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
fi fi
LogText "Test: Using apt-cache policy to determine if there is an update available" LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
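Review bot: the new `elif \`${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf\`; then` relies on the exit status of a backtick substitution that produces no output, which works in POSIX sh but is fragile and easy to misread; run the command directly: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. Without the redirect, systems that lack kernel-img.conf get an egrep error on stderr. The pattern is also case-sensitive and unanchored, so a lowercase `do_symlinks = no` is missed while a commented-out `# do_symlinks = No` matches; `-i '^do_symlinks *= *no'` is safer.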
@ -399,7 +413,7 @@
LogText "Result: Exception occurred, no output from apt-cache policy" LogText "Result: Exception occurred, no output from apt-cache policy"
if [ ${HAS_VMLINUZ} -eq 1 ]; then if [ ${HAS_VMLINUZ} -eq 1 ]; then
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy to determine why its output is empty" ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
fi fi
LogText "Result: apt-cache policy did not return an installed kernel version" LogText "Result: apt-cache policy did not return an installed kernel version"
else else
@ -415,7 +429,7 @@
else else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'." LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update" ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
fi fi
fi fi
else else
@ -429,61 +443,167 @@
# Description : Checking core dumps configuration (Linux) # Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking presence /etc/security/limits.conf" Display --indent 2 --text "- Checking core dumps configuration"
if [ -f /etc/security/limits.conf ]; then LogText "Test: Checking presence of systemd"
LogText "Result: file /etc/security/limits.conf exists" # systemd option
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" if [ $HAS_SYSTEMD -eq 1 ]; then
FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') LogText "Result: systemd is present on this system"
FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/systemd/coredump.conf and ${ROOTDIR}etc/systemd/coredump.conf.d/*.conf"
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then # check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
LogText "Result: core dumps (soft or hard) are enabled" SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
AddHP 1 2 SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
else SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
LogText "Result: core dumps (soft and hard) are both disabled" # check conf files in possibly existing coredump.conf.d folders
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
CORE_DUMPS_DISABLED=1 # while there could be multiple files overwriting each other, we are checking the number of occurrences
AddHP 3 3 SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
fi SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
# Sysctl option SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
LogText "Test: Checking sysctl value of fs.suid_dumpable" SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
if [ -z "${FIND}" ]; then ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
LogText "Result: sysctl key fs.suid_dumpable not found" ( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
else ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ); then
LogText "Result: value ${FIND} found" LogText "Result: core dumps are disabled by 'ProcessSizeMax=0' and 'Storage=none' in systemd configuration files"
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1 AddHP 1 1
elif [ "${FIND}" = "1" ]; then TMP_COLOR="GREEN"
LogText "Result: all programs can perform core dumps (value 1, for debugging)" if [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -gt 1 ]; then
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set multiple times in systemd configuration files. Check config!"
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" ReportSuggestion "${TEST_NO}" "Check systemd configuration for duplicate entries of core dump settings"
TMP_COLOR="YELLOW"
fi
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DISABLED}" --color "${TMP_COLOR}"
elif [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set in ${ROOTDIR}etc/systemd/coredump.conf but overwritten in subdir config files"
ReportSuggestion "${TEST_NO}" "Check systemd configuration for overwriting core dump settings"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color YELLOW
AddHP 0 1
elif ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: core dumps are explicitely enabled in systemd configuration files"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1 AddHP 0 1
else else
LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE
AddHP 0 1
fi
fi
# Profile option
LogText "Test: Checking presence ${ROOTDIR}etc/profile"
if [ -f "${ROOTDIR}etc/profile" ]; then
LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
AddHP 1 1 AddHP 1 1
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
AddHP 0 1
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1
else
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
fi
fi
# Limits option
LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
if [ "${FIND3}" = "core dumps disabled" ]; then
FIND1="soft core disabled"
FIND2="hard core disabled"
elif [ "${FIND3}" = "core dumps enabled" ]; then
FIND1="soft core enabled"
FIND2="hard core enabled"
fi
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
if [ "${FIND1}" = "soft core disabled" ]; then
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
else
Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
fi
AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft and hard) are enabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 0 3
elif [ "${FIND1}" = "soft core disabled" ]; then
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
AddHP 2 3
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
AddHP 0 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
AddHP 1 3
fi fi
else else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test" LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
fi fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
if [ -z "${FIND}" ]; then
LogText "Result: sysctl key fs.suid_dumpable not found"
else
LogText "Result: value ${FIND} found"
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
AddHP 0 1
else
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
AddHP 1 1
fi
fi fi
# #
################################################################################# #################################################################################
#
# Test : KRNL-5826
# Description : Checking core dumps configuration (Solaris)
#Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
# #
# Test : KRNL-5830 # Test : KRNL-5830
# Description : Check if system needs a reboot (Linux only) # Description : Check if system needs a reboot (Linux only)
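Review bot: copy-paste bug in the last `else` of the limits.conf block: the 'soft' row (`Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"`) passes IS_HARDCORE_DISABLED where IS_SOFTCORE_DISABLED is meant, so the soft status shown on screen is the hard one. Second, the 'disabled' branch of the systemd check (the four OR'ed groups before the first LogText) only requires the SUB_*_NR_ENABLED counters to be 0 and never tests SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED or SYSD_CORED_BASE_STORAGE_NR_ENABLED, so a coredump.conf that contains `ProcessSizeMax=0` followed by `ProcessSizeMax=2G` (the last assignment is the effective one) is still reported as disabled; add `-eq 0` checks on the BASE_*_NR_ENABLED counters to that branch, or track the last value seen instead of counting lines. Minor: 'explicitely' in the LogText should read 'explicitly', and the awk filters in FIND1/FIND2/FIND3 only match the `*` domain, so per-user or per-group `core` entries in limits.conf are silently ignored; a comment saying so would help.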
@ -509,11 +629,12 @@
else else
LogText "Result: file ${FILE} not found" LogText "Result: file ${FILE} not found"
fi fi
# Check if /boot exists # Check if /boot exists
if [ -d ${ROOTDIR}boot ]; then if [ -d "${ROOTDIR}boot" ]; then
LogText "Result: /boot exists, performing more tests from here" LogText "Result: /boot exists, performing more tests from here"
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)" LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0 NEXTLINE=0
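Review bot: the quoting fix applied to `[ -d "${ROOTDIR}boot" ]` is not carried to the next test, which still reads `if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then`. Besides the missing quotes, `-a` inside `[ ]` is marked obsolescent by POSIX, and this file elsewhere goes out of its way to stay POSIX compliant; suggest `if [ -f "${ROOTDIR}boot/vmlinuz" ] && [ ! -L "${ROOTDIR}boot/vmlinuz" ]; then`.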
@ -521,12 +642,13 @@
for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
if [ ${NEXTLINE} -eq 1 ]; then if [ ${NEXTLINE} -eq 1 ]; then
FINDVERSION="${I}" FINDVERSION="${I}"
break
else else
# Searching for the Linux kernel after the keyword 'version' # Searching for the Linux kernel after the keyword 'version'
if [ "${I}" = "version" ]; then NEXTLINE=1; fi if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi fi
done done
if [ ! -z "${FINDVERSION}" ]; then if [ -n "${FINDVERSION}" ]; then
CURRENT_KERNEL=$(uname -r) CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded" LogText "Result: reboot needed, as current kernel is different than the one loaded"
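Review bot: the added `break` is right, but the loop inspects the wrong file: this branch was entered because `${ROOTDIR}boot/vmlinuz` exists and is not a symlink, yet the loop runs `file ${ROOTDIR}boot/vmlinuz-linux`, so on a host that only has `/boot/vmlinuz` FINDVERSION stays empty and the test falls through to the exception branch that follows. Use `${FILEBINARY} "${ROOTDIR}boot/vmlinuz"` here, and `${UNAMEBINARY} -r` instead of the bare `uname -r`, matching the rest of the file.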
@ -535,11 +657,50 @@
else else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi fi
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Test: checking kernel version on disk" LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}') FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
if [ ! -z "${VERSION_ON_DISK}" ]; then elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
else
# Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default
FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
VERSION_ON_DISK=""
if [ -L "${FOUND_VMLINUZ}" ]; then
LogText "Result: found a symlink, retrieving destination"
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
LogText "Result: destination file is ${FOUND_VMLINUZ}"
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
elif [ -f "${FOUND_VMLINUZ}" ]; then
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
fi
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Test: checking kernel version on disk"
NEXTLINE=0
VERSION_ON_DISK=""
for I in $(file ${FOUND_VMLINUZ}); do
if [ ${NEXTLINE} -eq 1 ]; then
VERSION_ON_DISK="${I}"
break
else
# Searching for the Linux kernel after the keyword 'version'
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
fi
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version"
else
LogText "Result: found version ${VERSION_ON_DISK}" LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=$(uname -r) ACTIVE_KERNEL=$(uname -r)
LogText "Result: active kernel version ${ACTIVE_KERNEL}" LogText "Result: active kernel version ${ACTIVE_KERNEL}"
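Review bot: the filename-derived version makes the `file`-based fallback unreachable for exactly the cases this hunk adds. For `vmlinuz-linux` and `vmlinuz-linux-lts` the two `sed` substitutions leave VERSION_ON_DISK as `linux` or `linux-lts`, and for the `/boot/vm5.3.7` form named in the comment they leave `vm5.3.7`; because the value is then non-empty, the `if [ -z "${VERSION_ON_DISK}" ]` guard skips the `file` loop and the later comparison with `uname -r` will always differ and report a reboot. Suggest accepting the name-derived value only when it looks like a version (e.g. filter it through `${GREPBINARY} "^[0-9]"`) and otherwise leaving it empty so the `file` parsing runs. Smaller point: `s#^/boot/##` ignores ${ROOTDIR}, so with a non-default root the prefix is never stripped.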
@ -550,9 +711,6 @@
REBOOT_NEEDED=1 REBOOT_NEEDED=1
LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk" LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
fi fi
else
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi fi
else else
if [ -L ${ROOTDIR}boot/vmlinuz ]; then if [ -L ${ROOTDIR}boot/vmlinuz ]; then
@ -564,7 +722,7 @@
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g') MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null) FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}" LogText "Result: found ${ITEM}"
done done
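Review bot: style: `FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)` still calls a bare `ls` while the surrounding code uses `${LSBINARY}` and this same change switches `echo` to `${ECHOCMD}`; use `${LSBINARY}` here for consistency.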
@ -572,7 +730,7 @@
# Ignore rescue images. Remove generic. and huge. for Slackware machines # Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels" LogText "Action: checking relevant kernels"
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ') KERNELS_ONE_LINE=$(${ECHOCMD} ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}" LogText "Output: ${KERNELS_ONE_LINE}"
elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
LogText "Output: Found a kernel file in ${ROOTDIR}boot" LogText "Output: Found a kernel file in ${ROOTDIR}boot"
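Review bot: `KERNELS=$(${LSBINARY} /boot/vmlinuz* ...` hardcodes `/boot` although the detection two lines earlier lists `${ROOTDIR}boot/vmlinuz*`, so with a non-default ROOTDIR the existence check and the version list come from different trees; the `sed 's./boot/..'` strip carries the same assumption. The `elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]` test was also left out of the `-n` cleanup and uses a bare `ls`; `elif [ -n "$(${LSBINARY} ${ROOTDIR}boot/kernel* 2> /dev/null)" ]` would match the rest of the change.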
@ -580,11 +738,11 @@
# Examples: # Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo # /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
else else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi fi
if [ ! -z "${KERNELS}" ]; then if [ -n "${KERNELS}" ]; then
FOUND_KERNEL=0 FOUND_KERNEL=0
for I in ${KERNELS}; do for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist) # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
@ -616,7 +774,108 @@
LogText "Result: Skipping this test, as there are no files in /boot" LogText "Result: Skipping this test, as there are no files in /boot"
fi fi
else else
LogText "Result: /boot does not exist" LogText "Result: /boot does not exist or not privileged to read files"
fi
# Attempt to check for Raspbian if reboot is needed
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
# and compares that date with the currently running kernel's build date (uname -v).
# Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"
LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
if [ -n "${FOUND_KERNEL_DATE}" ]; then
FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
else
LogText "Result: Skipping this test, as there was no package date to extract"
fi
if [ -n "${FOUND_KERNEL_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -gt 1 ]; then
LogText "Result: Got package date: ${FOUND_KERNEL_DATE} (= ${FOUND_KERNEL_IN_SECONDS} seconds)"
UNAME_OUTPUT="$(${UNAMEBINARY} -v 2> /dev/null)"
else
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
fi
if [ -n "${UNAME_OUTPUT}" ]; then
LogText "Result: Got an output from 'uname -v'"
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
next=""
for part in ${UNAME_OUTPUT}; do
if [ -z "$next" ]; then
if [ "${part}" = "Mon" ] || [ "${part}" = "Tue" ] || [ "${part}" = "Wed" ] || [ "${part}" = "Thu" ] || [ "${part}" = "Fri" ] || [ "${part}" = "Sat" ] || [ "${part}" = "Sun" ]; then
next="month"
fi
elif [ "$next" = "month" ]; then
if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
UNAME_DATE_MONTH="${part}"
next="day"
fi
elif [ "${next}" = "day" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_DAY="${part}"
next="time"
fi
elif [ "${next}" = "time" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
next="year"
fi
elif [ "${next}" = "year" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_YEAR="${part}"
break
fi
fi
done
if [ -n "${UNAME_DATE_MONTH}" ] && [ -n "${UNAME_DATE_DAY}" ] && [ -n "${UNAME_DATE_YEAR}" ]; then
LogText "Result: Extracted kernel build date is: ${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}"
UNAME_DATE_IN_SECONDS=$(date -d "${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" "+%s" 2> /dev/null)
LogText "Check: Comparing kernel build date in seconds (${UNAME_DATE_IN_SECONDS}s) with package date in seconds (${FOUND_KERNEL_IN_SECONDS}s)"
if [ -n "${UNAME_DATE_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]; then
LogText "Result: package creation date is older than running kernel. Hence, this check should be valid."
LogText "Check if package create date and kernel build date are not more than 3 days apart."
SECONDS_APART=$(( ${FOUND_KERNEL_IN_SECONDS} - ${UNAME_DATE_IN_SECONDS} ))
if [ ${SECONDS_APART} -ge 60 ]; then
MINUTES_APART=$(( ${SECONDS_APART} / 60 ))
if [ ${MINUTES_APART} -ge 60 ]; then
DAYS_APART=$(( ${MINUTES_APART} / 60 ))
if [ ${DAYS_APART} -ge 24 ]; then DAYS_APART=$(( ${DAYS_APART} / 24 )); else DAYS_APART=0; fi
else
DAYS_APART=0
fi
else
DAYS_APART=0
fi
# assuming kernels are packaged definitely within 3 days. ACCEPTED_TIME_DIFF needs a value in seconds
ACCEPTED_TIME_DIFF=$((3 * 24 * 60 * 60))
if [ ${FOUND_KERNEL_IN_SECONDS} -le $((${UNAME_DATE_IN_SECONDS} + ${ACCEPTED_TIME_DIFF})) ]; then
LogText "Result: package create date and kernel build date are only ${DAYS_APART} day(s) apart."
LogText "Result: Assuming no reboot needed."
REBOOT_NEEDED=0
else
LogText "Result: package create date and kernel build date are ${DAYS_APART} day(s) apart."
LogText "Result: Assuming reboot is needed."
REBOOT_NEEDED=1
fi
else
LogText "Result: Package's create date is older than running kernel, which is unexpected. Might not be a valid test. Skipping..."
fi
else
LogText "Result: Could not extract Day, Month and Year from 'uname -v' output"
fi
else
LogText "Result: Did not get output from 'uname -v'. Skipping test."
fi
else
LogText "Result: /var/cache/apt/archives/ does not exist"
fi fi
# Display discovered status # Display discovered status
@ -625,7 +884,7 @@
AddHP 5 5 AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot" ReportWarning "${TEST_NO}" "Reboot of system is most likely needed" "" "text:reboot"
AddHP 0 5 AddHP 0 5
else else
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
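Review bot: the closing `else` logs "/var/cache/apt/archives/ does not exist", but that branch is also taken whenever REBOOT_NEEDED is already 0 or 1 (the `if` tests both conditions), so the log misreports why the check was skipped; split the two conditions or log `${APT_ARCHIVE_DIRECTORY}` together with the actual reason. The LogText after `[ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]` says the package date is older than the running kernel, but that condition holds when the package date is the same or newer; the wording in its `else` branch is the correct one. Also, the DAYS_APART block (seconds to minutes to hours, with a `-ge 24` test on an hour count) can be replaced by `DAYS_APART=$(( SECONDS_APART / 86400 ))`, and since `find -printf` and `date -d` are GNU extensions, a comment that this block is only expected to run on Debian-based systems would save the next reader a trip to the manual.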
@ -639,4 +898,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -47,7 +47,7 @@
done done
# Scan custom profile # Scan custom profile
if [ ! -z "${CUSTOM_PROFILE}" ]; then if [ -n "${CUSTOM_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g') FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
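Review bot: `${CUSTOM_PROFILE}` is passed to `${GREPBINARY}` unquoted, so a profile path containing spaces is split into several file arguments; since this hunk already touches the surrounding lines, quote it: `FIND=$(${GREPBINARY} "^config-data=sysctl;" "${CUSTOM_PROFILE}" | ${SEDBINARY} 's/ /-space-/g')`. The `echo ${LINE}` in the loop could also become `${ECHOCMD}` as done elsewhere in this change.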
@ -57,7 +57,7 @@
fi fi
# Last, use data from default profile # Last, use data from default profile
if [ ! -z "${DEFAULT_PROFILE}" ]; then if [ -n "${DEFAULT_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g') FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
@ -76,7 +76,7 @@
tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g') tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
if [ ! -z "${tFINDcurvalue}" ]; then if [ -n "${tFINDcurvalue}" ]; then
positive_match=0 positive_match=0
for value in ${tFINDexpvalue}; do for value in ${tFINDexpvalue}; do
if [ "${value}" = "${tFINDcurvalue}" ]; then if [ "${value}" = "${tFINDcurvalue}" ]; then
@ -106,7 +106,7 @@
# Add suggestion if one or more sysctls have a different value than scan profile # Add suggestion if one or more sysctls have a different value than scan profile
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: found ${N} keys that can use tuning, according scan profile" LogText "Result: found ${N} keys that can use tuning, according scan profile"
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)" ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
fi fi
fi fi
# #

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -36,16 +36,14 @@
# Description : Check running OpenLDAP instance # Description : Check running OpenLDAP instance
Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance" Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# TODO adding additional slash needed? if IsRunning "slapd"; then
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running slapd process" LogText "Result: Found running slapd process"
SLAPDFOUND=1 SLAPDFOUND=1
SLAPD_RUNNING=1 SLAPD_RUNNING=1
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
fi fi
fi fi
# #
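Review bot: `if IsRunning "slapd"; then` relies on the exit status of IsRunning instead of the RUNNING variable the old code read; please confirm the function returns non-zero when no process is found, otherwise the 'not found' branch becomes unreachable and every host reports a running OpenLDAP instance. If other tests still read `${RUNNING}` after calling IsRunning, keep that variable set for them.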
@ -66,7 +64,7 @@
fi fi
done done
# Check if we found a valid location # Check if we found a valid location
if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then if [ -n "${SLAPD_CONF_LOCATION}" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -91,7 +89,7 @@
################################################################################# #################################################################################
# #
# Test : LDAP-2240 # Test : LDAP-2240
# Description : Check OpenLDAP unencrypted RootDN password # Description : Check OpenLDAP plaintext RootDN password
# #
################################################################################# #################################################################################
# #

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -47,7 +47,7 @@
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
@ -65,8 +65,7 @@
Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon" Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for syslog-ng daemon in process list" LogText "Test: Searching for syslog-ng daemon in process list"
IsRunning syslog-ng if IsRunning "syslog-ng"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found syslog-ng in process list" LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
@ -93,7 +92,7 @@
else else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent" LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s" ReportSuggestion "${TEST_NO}" "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi fi
fi fi
# #
@ -104,8 +103,7 @@
Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon" Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for systemd journal daemon in process list" LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal if IsRunning "systemd-journal"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1 SYSTEMD_JOURNAL_RUNNING=1
Report "syslog_daemon_present=1" Report "syslog_daemon_present=1"
@ -122,8 +120,7 @@
Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon" Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for metalog daemon in process list" LogText "Test: Searching for metalog daemon in process list"
IsRunning metalog if IsRunning "metalog"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found metalog in process list" LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
@ -143,8 +140,7 @@
Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon" Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RSyslog daemon in process list" LogText "Test: Searching for RSyslog daemon in process list"
IsRunning rsyslogd if IsRunning "rsyslogd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rsyslogd in process list" LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
@ -164,8 +160,7 @@
Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon" Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list" LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
IsRunning rfc3195d if IsRunning "rfc3195d"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rfc3195d in process list" LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
@ -190,14 +185,13 @@
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file) # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep") #FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
IsRunning klogd if IsRunning "klogd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running" LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No klogd found" LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files" ReportWarning "${TEST_NO}" "klogd is not running, which could lead to missing kernel messages in log files"
fi fi
else else
LogText "Result: test skipped, because other facility is being used to log kernel messages" LogText "Result: test skipped, because other facility is being used to log kernel messages"
@ -212,15 +206,14 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Checking for unkilled minilogd instances" LogText "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd if IsRunning "minilogd"; then
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list" LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running # minilogd daemon seems to be running
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running" ReportWarning "${TEST_NO}" "minilogd is running, which should normally not be running"
else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
fi fi
fi fi
# #
@ -254,7 +247,7 @@
else else
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found" LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if log files are properly rotated" ReportSuggestion "${TEST_NO}" "Check if log files are properly rotated"
fi fi
fi fi
# #
@ -262,7 +255,7 @@
# #
# Test : LOGG-2148 # Test : LOGG-2148
# Description : Checking log files rotated with logrotate # Description : Checking log files rotated with logrotate
if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist" LogText "Test: Checking which files are rotated with logrotate and if they exist"
@ -286,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration" LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}" ]; then if IsEmpty "${FIND}"; then
LogText "Result: nothing found" LogText "Result: nothing found"
else else
LogText "Result: found one or more directories (via logrotate configuration)" LogText "Result: found one or more directories (via logrotate configuration)"
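Review bot: the stray `]` removed from `if IsEmpty "${FIND}" ]; then` was passed to IsEmpty as an extra positional argument, so whether the old line behaved correctly depended on IsEmpty ignoring `$2`; the corrected form `if IsEmpty "${FIND}"; then` is the right fix and matches the function-call style used elsewhere in this file.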
@ -311,7 +304,7 @@
# Try local hosts file # Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts" LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#") FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts" LogText "Result: Found loghost entry in /etc/inet/hosts"
else else
@ -320,7 +313,7 @@
# Try name resolving if no entry is present in local host file # Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving" LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost) FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was successful" LogText "Result: name resolving was successful"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -335,8 +328,8 @@
else else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found" LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "No loghost entry found" ReportWarning "${TEST_NO}" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services" ReportSuggestion "${TEST_NO}" "Add a loghost entry to /etc/inet/hosts or other name services"
fi fi
fi fi
# #
@ -348,40 +341,95 @@
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file" Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf" if [ ${RSYSLOG_RUNNING} -eq 1 ]; then
else DATA=""
SYSLOGD_CONF="/etc/syslog.conf" TARGET="${ROOTDIR}etc/rsyslog.conf"
if [ -f ${TARGET} ]; then
LogText "Test: analyzing file ${TARGET} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -z "${DATA}" ]; then
LogText "Result: no remote target found"
else
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
fi
fi
TARGET="${ROOTDIR}etc/rsyslog.d"
if [ -d ${TARGET} ]; then
FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
for F in ${FILES}; do
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
LogText "Test: analyzing file ${F} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -n "${DATA}" ]; then
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
else
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
if [ -n "${DATA}" ]; then
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
REMOTE_LOGGING_ENABLED=1
else
LogText "Result: no remote target found"
fi
fi
done
fi
fi fi
# Test generic syslog files (syslog-ng and older syslog daemons)
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="${ROOTDIR}etc/syslog-ng/syslog-ng.conf"
else
SYSLOGD_CONF="${ROOTDIR}etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host" LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: remote logging enabled" LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1 REMOTE_LOGGING_ENABLED=1
else else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! -z "${FIND2}" = "" ]; then if [ -n "${FIND2}" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging" LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1 REMOTE_LOGGING_ENABLED=1
fi fi
done done
fi fi
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"
LogText "Result: no remote logging found"
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
Report "remote_syslog_configured=1"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
fi fi
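Review bot: in the rsyslog branch, `${GREPBINARY} -v "#"` (used for both the rsyslog.conf and the rsyslog.d loop) drops any line that contains a `#` anywhere, so a valid remote action followed by a trailing inline comment is discarded, while the syslog-ng/syslog path below filters only whole-line comments with `^#`; use `^[[:space:]]*#` in both places. A second gap: the rsyslog.d loop falls back to the new-style `target="` check (omfwd/omrelp actions), but the rsyslog.conf block above it does not, so an `action(type="omfwd" target=...)` placed in the main file is not detected. Moving the result/Report block out of the `if [ -f ${SYSLOGD_CONF} ]` branch is correct, since rsyslog-only hosts previously never reached it, and the added `${SYSLOGD_CONF}` argument to the `FIND2` grep fixes a real bug (the old command read from stdin), as does `-n "${FIND2}"` replacing the malformed `[ ! -z "${FIND2}" = "" ]`.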
# #
################################################################################# #################################################################################
@ -461,17 +509,15 @@
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files" Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof" LogText "Test: checking open log files with lsof"
if [ ! -z "${LSOFBINARY}" ]; then if [ -n "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found logfile: ${I}" LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: lsof not installed, skipping test" LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE
# Add suggestion
fi fi
fi fi
# #
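Review bot: `${LSOFBINARY}${LSOF_EXTRA_OPTIONS}` is concatenated with no separator, so it only works if every definition of LSOF_EXTRA_OPTIONS carries its own leading space; writing `${LSOFBINARY} ${LSOF_EXTRA_OPTIONS}` removes that coupling and is harmless when the variable is empty. The new `Report "open_logfile[]=${I}"` entry is a useful addition, but the dropped `# Add suggestion` placeholder in the lsof-missing branch should be either implemented (a ReportSuggestion to install lsof) or tracked, since the WHITE "skipped" status now gives the user no follow-up.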
@ -479,7 +525,7 @@
# #
# Test : LOGG-2190 # Test : LOGG-2190
# Description : Checking deleted files # Description : Checking deleted files
if [ ! -z "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use" Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
EARLY_MYSQL="" EARLY_MYSQL=""
@ -488,12 +534,7 @@
LSOF_GREP="WARNING|Output information" LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those # MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
if [ ! -z "${DPKGBINARY}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"
EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
elif [ ! -z "${RPMBINARY}" ]; then
EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
fi
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp # grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
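Review bot: replacing the dpkg/rpm version probe with an unconditional `LSOF_GREP="${LSOF_GREP}|mysqld"` means deleted-in-use files held by any mysqld, not only the pre-5.6 releases the comment describes, are now excluded from the findings, which is a silent loss of coverage; either keep the version gate or update the comment to state that mysqld is always ignored. The `EARLY_MYSQL=""` initialisation in the preceding context is now unused and can go as well.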
@ -502,15 +543,15 @@
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts" LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use" LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found deleted file: ${I}" LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}" Report "deleted_file[]=${I}"
done done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why." ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
else else
LogText "Result: no deleted files found" LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
@ -521,11 +562,11 @@
# #
# Test : LOGG-2192 # Test : LOGG-2192
# Description : Check for open log files which are empty. This may indicate a problem with log rotation, or unused services # Description : Check for open log files which are empty. This may indicate a problem with log rotation, or unused services
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty" Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq) FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}" LogText "Found an opened logfile that is empty: ${I}"
Report "open_empty_log_file[]=${I}" Report "open_empty_log_file[]=${I}"
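Review bot: the pipeline in the `FIND=` line still ends in a bare `uniq` while every other command on the line goes through a `${...BINARY}` variable; `${SORTBINARY} -u`, as used in LOGG-2180 above, gives the same result without the unwrapped binary. The `-n "${FIND}"` and `${LSOFBINARY}${LSOF_EXTRA_OPTIONS}` changes mirror the earlier hunks and need no further review.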

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -50,7 +50,7 @@
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${AASTATUSBINARY}" ]; then if [ -n "${AASTATUSBINARY}" ]; then
CAN_READ_FILE=0 CAN_READ_FILE=0
FILE="/sys/kernel/security/apparmor/profiles" FILE="/sys/kernel/security/apparmor/profiles"
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
@ -75,6 +75,12 @@
Report "apparmor_enabled=1" Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=1" Report "apparmor_policy_loaded=1"
AddHP 3 3 AddHP 3 3
# ignore kernel threads (Parent PID = 2 [kthreadd])
NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
LogText "Result: Unconfined process: ${PROCESS}"
done
elif [ $? -eq 4 ]; then elif [ $? -eq 4 ]; then
LogText "Result: Can not determine status, most likely due to lacking permissions" LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
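Review bot: the new unconfined-process count uses `${WCBINARY} --lines`, a GNU long option, where the rest of the code base spells it `wc -l`; `-l` is the portable form and works with the same procps `ps -N --ppid 2` selection. Two smaller points: `-N --ppid 2` excludes children of kthreadd but still includes PID 2 itself (and any ps header line survives only because of the `^unconfined` grep), and the count is only shown via Display, so adding it to the report file as well would make the finding available to the report consumers, which is what the SELinux and TOMOYO hunks in this patch also lack.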
@ -83,7 +89,7 @@
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ $? -eq 2 ]; then elif [ $? -eq 2 ]; then
LogText "Result: AppArmor is enabled, but no policy is loaded" LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Load AppArmor policies" ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
Report "apparmor_enabled=1" Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=0" Report "apparmor_policy_loaded=0"
@ -114,7 +120,7 @@
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary" LogText "Test: checking if we have sestatus binary"
if [ ! -z "${SESTATUSBINARY}" ]; then if [ -n "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})" LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else else
@ -148,10 +154,21 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi fi
Display --indent 8 --text "Current SELinux mode: ${FIND}" Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines)
NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
LogText "Unconfined processes: ${UNCONFINED}"
LogText "Processes with initrc_t type: ${INITRC}"
else else
LogText "Result: SELinux framework is disabled" LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
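Review bot: `${SEMANAGEBINARY}` is invoked without checking that it was found; semanage ships in a separate package (policycoreutils-python) and is frequently absent on hosts that do have sestatus, in which case the line runs `permissive --list --noheading`, prints a command-not-found error and reports 0 permissive types as if it had checked. Guard it with `if [ -n "${SEMANAGEBINARY}" ]` (the style this patch adopts everywhere else). The block also runs `${PSBINARY} -eo label,...` four times to derive two counts and two lists; one `ps` into a variable, with the grep/wc applied to it, gives the same output with a single process enumeration.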
@ -189,6 +206,13 @@
LogText "Result: TOMOYO Linux is enabled" LogText "Result: TOMOYO Linux is enabled"
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
Report "tomoyo_enabled=1" Report "tomoyo_enabled=1"
if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
LogText "Result: Unconfined process: ${PROCESS}"
done
fi
AddHP 3 3 AddHP 3 3
else else
LogText "Result: TOMOYO Linux is disabled" LogText "Result: TOMOYO Linux is disabled"
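Review bot: `if [ ! -z ${TOMOYOPSTREEBINARY} ]; then` leaves the variable unquoted; it only evaluates correctly when the variable is empty because `[ ! -z ]` degrades into a one-argument test. The rest of this commit converts these checks to the `[ -n "${VAR}" ]` form, so write `if [ -n "${TOMOYOPSTREEBINARY}" ]; then` here too. Separately, `${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 '` is executed twice (once for the count, once for the loop), so the count and the logged list can disagree if processes start or exit between the two calls; capture the filtered output once into a variable and derive both from it.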
@ -206,7 +230,7 @@
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration # Check Linux kernel configuration
if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}) FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)" LogText "Result: grsecurity available (in kernel config)"
@ -222,7 +246,7 @@
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if HasData "${GRADMBINARY}"; then if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status) FIND=$(${GRADMBINARY} --status 2>/dev/null)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1 MAC_FRAMEWORK_ACTIVE=1
fi fi

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -44,8 +44,7 @@
Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status" Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Exim status" LogText "Test: check Exim status"
IsRunning exim4 || IsRunning exim if IsRunning "exim4" || IsRunning "exim"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Exim process" LogText "Result: found running Exim process"
Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN
EXIM_RUNNING=1 EXIM_RUNNING=1
@ -62,11 +61,11 @@
# Test : MAIL-8804 # Test : MAIL-8804
# Description : Exim configuration options # Description : Exim configuration options
if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options" Register --test-no MAIL-8804 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then
LogText "Test: Exim configuration options" LogText "Test: Exim configuration options"
EXIM_ROUTERS=$(exim -bP router_list) EXIM_ROUTERS=$(${EXIMBINARY} -bP router_list)
unset FIND FIND2 FIND3 FIND4 unset FIND FIND2 FIND3 FIND4
@ -77,31 +76,31 @@
# Smarthost or Satellite # Smarthost or Satellite
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
EXIM_TYPE="LOCAL ONLY" EXIM_TYPE="LOCAL ONLY"
elif [ ! -z "${FIND2}" ]; then elif [ -n "${FIND2}" ]; then
EXIM_TYPE="INTERNET HOST" EXIM_TYPE="INTERNET HOST"
elif [ ! -z "${FIND3}" ]; then elif [ -n "${FIND3}" ]; then
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
if [ ! -z "${FIND4}" ]; then if [ -n "${FIND4}" ]; then
EXIM_TYPE="SATELLITE" EXIM_TYPE="SATELLITE"
else else
EXIM_TYPE="SMARTHOST" EXIM_TYPE="SMARTHOST"
fi fi
fi fi
if [ ! -z "${EXIM_TYPE}" ]; then if [ -n "${EXIM_TYPE}" ]; then
LogText "Result: Exim Type - ${EXIM_TYPE}" LogText "Result: Exim Type - ${EXIM_TYPE}"
Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
else else
LogText "Result: Exim Type - Not Configured" LogText "Result: Exim Type - Not Configured"
Display --indent 4 --text "- Type" --result "Not Configured" --color WHITE Display --indent 4 --text "- Type" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi fi
if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
LogText "Test: Exim Public Interfaces" LogText "Test: Exim Public Interfaces"
EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//') EXIM_IP=$(${EXIMBINARY} -bP local_interfaces | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_IP}" ]; then if [ -n "${EXIM_IP}" ]; then
LogText "Result: ${EXIM_IP}" LogText "Result: ${EXIM_IP}"
Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
else else
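Review bot: the `EXIM_IP=` line's sed expressions depend on `\s` and `\?`, neither of which POSIX BRE defines; they are GNU sed extensions, so on BSD sed (FreeBSD, macOS, where Exim is also packaged) the interface list may come back unstripped or mangled. Portable equivalents are `[[:space:]]*` for `\s*` and `\{0,1\}` for `\?`, e.g. `-e 's/[[:space:]]*<[[:space:]]*;\{0,1\}//'`. The same constructs recur in the TLS, certificate and private-key lines of the following hunk, so fix them together. The `127.0.0.1` literal also has unescaped dots and should be `127\.0\.0\.1`.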
@ -110,56 +109,129 @@
fi fi
LogText "Test: Exim TLS State" LogText "Test: Exim TLS State"
EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') EXIM_TLS=$(${EXIMBINARY} -bP tls_advertise_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_TLS}" ]; then if [ -n "${EXIM_TLS}" ]; then
LogText "Result: Enabled" LogText "Result: Enabled"
Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN Display --indent 4 --text "- TLS" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: Not enabled" LogText "Result: Not enabled"
Display --indent 4 --text "- TLS" --result "NOT ENABLED" --color WHITE Display --indent 4 --text "- TLS" --result "${STATUS_DISABLED}" --color WHITE
fi fi
fi fi
if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then if [ -n "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
LogText "Test: Exim Certificate and Private Key" LogText "Test: Exim Certificate and Private Key"
case "${EXIM_TYPE}" in case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" ) "INTERNET HOST" | "SMARTHOST" )
EXIM_CERTIFICATE=$(exim -bP tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') EXIM_CERTIFICATE=$(${EXIMBINARY} -bP tls_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(exim -bP tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') EXIM_PRIVATEKEY=$(${EXIMBINARY} -bP tls_privatekey | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;; ;;
"SATELLITE" ) "SATELLITE" )
EXIM_CERTIFICATE=$(exim -bP transport remote_smtp_smarthost | grep tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') EXIM_CERTIFICATE=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(exim -bP transport remote_smtp_smarthost | grep tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') EXIM_PRIVATEKEY=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_privatekey | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;; ;;
esac esac
if [ ! -z "${EXIM_CERTIFICATE}" ]; then if [ -n "${EXIM_CERTIFICATE}" ]; then
LogText "Result: ${EXIM_CERTIFICATE}" LogText "Result: ${EXIM_CERTIFICATE}"
if [ -f "${EXIM_CERTIFICATE}" ]; then if [ -f "${EXIM_CERTIFICATE}" ]; then
Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Certificate found." LogText "Result: Certificate found"
else else
Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: Certificate not found." LogText "Result: Certificate not found"
fi fi
else else
LogText "Result: Certificate not set." LogText "Result: Certificate not set"
Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi fi
if [ ! -z "${EXIM_PRIVATEKEY}" ]; then if [ -n "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: ${EXIM_PRIVATEKEY}" LogText "Result: ${EXIM_PRIVATEKEY}"
if [ -f "${EXIM_PRIVATEKEY}" ]; then if [ -f "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: Private Key found." LogText "Result: Private Key found"
Display --indent 4 --text "- Private Key" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Private Key" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: Private Key not found." LogText "Result: Private Key not found"
fi fi
else else
LogText "Result: Private Key not set." LogText "Result: Private Key not set"
Display --indent 4 --text "- Private Key not set" --result "${STATUS_WARNING}" --color WHITE Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi
LogText "Test: Exim Verify Certificates"
case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" )
EXIM_CERTIFICATES=$(${EXIMBINARY} -bP tls_verify_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
"SATELLITE" )
EXIM_CERTIFICATES=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_verify_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
esac
case "${EXIM_CERTIFICATES}" in
"")
# This condition results in a RED warning because it should never be hit
LogText "Result: Verify Certificates not set"
Display --indent 4 --text "- Verify Certificates not set" --result "${STATUS_WARNING}" --color RED
;;
"system")
# This is the default setting and should be the most common
LogText "Result: Verify Certificates set to system default"
Display --indent 4 --text "- Verify Certificates" --result "DEFAULT" --color WHITE
;;
*)
# This condition should only be hit when it has been set to a custom value
LogText "Result: Verify Certificates set to \"${EXIM_CERTIFICATES}\""
Display --indent 4 --text "- Verify Certificates" --result "CUSTOM" --color GREEN
;;
esac
case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" )
EXIM_VERIFY_HOSTS=$(${EXIMBINARY} -bP tls_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_TRY_VERIFY_HOSTS=$(${EXIMBINARY} -bP tls_try_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
"SATELLITE" )
EXIM_VERIFY_HOSTS=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_TRY_VERIFY_HOSTS=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_try_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
esac
LogText "Test: Exim Try Verify Hosts"
if [ -n "${EXIM_TRY_VERIFY_HOSTS}" ]; then
LogText "Result: Try Verify Hosts enabled"
case "${EXIM_TYPE}" in
"INTERNET HOST" )
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_ENABLED}" --color GREEN
;;
"SATELLITE" | "SMARTHOST" )
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_ENABLED}" --color YELLOW
;;
esac
else
LogText "Result: Try Verify Hosts not enabled"
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_DISABLED}" --color WHITE
fi
LogText "Test: Exim Verify Hosts"
if [ -n "${EXIM_VERIFY_HOSTS}" ]; then
LogText "Result: Verify Hosts enabled"
case "${EXIM_TYPE}" in
"INTERNET HOST" )
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_ENABLED}" --color YELLOW
;;
"SATELLITE" | "SMARTHOST" )
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_ENABLED}" --color GREEN
;;
esac
else
LogText "Result: Verify Hosts not enabled"
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_DISABLED}" --color WHITE
fi fi
fi fi
fi fi
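Review bot: `${EXIMBINARY} -bP tls_verify_certificate` under "Test: Exim Verify Certificates" queries a singular option name, whereas Exim's main and smtp-transport option is `tls_verify_certificates` (plural; its documented default is the `system` value this case statement expects). With the singular name `-bP` reports an unknown option, `EXIM_CERTIFICATES` stays empty and the `""` branch, which the comment says should never be hit, raises the RED warning on every INTERNET HOST/SMARTHOST system. The SATELLITE branch only works because `${GREPBINARY} tls_verify_certificate` matches the plural as a substring; use the plural in both places. Since that `""` branch shows a warning on screen, it should also call `ReportWarning "${TEST_NO}" "..."` like the other warnings in this file so it lands in the report. Lastly, none of the new `-bP` invocations redirect stderr; add `2>/dev/null` as was done for `gradm --status` earlier in this commit.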
@ -175,7 +247,7 @@
LogText "Test: check Postfix status" LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix # Some other processes also use master, therefore it should include both master and postfix
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep") FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND1}" ]; then if [ -n "${FIND1}" ]; then
LogText "Result: found running Postfix process" LogText "Result: found running Postfix process"
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1
@ -210,11 +282,11 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: using postconf to see if Postfix configuration has errors" LogText "Test: using postconf to see if Postfix configuration has errors"
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:") FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Report "postfix_config_error=1" Report "postfix_config_error=1"
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested." LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null" ReportSuggestion "${TEST_NO}" "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
else else
LogText "Result: all looks to be fine with Postfix configuration" LogText "Result: all looks to be fine with Postfix configuration"
if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
@ -233,21 +305,21 @@
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name') FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix') FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}") FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
if [ ! -z "${LINUX_VERSION}" ]; then if [ -n "${LINUX_VERSION}" ]; then
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}") FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
fi fi
SHOWWARNING=0 SHOWWARNING=0
if [ ! -z "${FIND1}" ]; then if [ -n "${FIND1}" ]; then
SHOWWARNING=1 SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND1}" Report "banner_software_disclosure[]=${FIND1}"
elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then elif [ -n "${FIND2}" -a -n "${FIND3}" ]; then
SHOWWARNING=1 SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND2}" Report "banner_software_disclosure[]=${FIND2}"
elif [ ! -z "${FIND4}" ]; then elif [ -n "${FIND4}" ]; then
SHOWWARNING=1 SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND4}" Report "banner_os_disclosure[]=${FIND4}"
elif [ ! -z "${FIND5}" ]; then elif [ -n "${FIND5}" ]; then
SHOWWARNING=1 SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND5}" Report "banner_os_disclosure[]=${FIND5}"
fi fi
@ -255,8 +327,8 @@
if [ ${SHOWWARNING} -eq 1 ]; then if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'." LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)" ReportWarning "${TEST_NO}" "Found some information disclosure in SMTP banner (OS or software name)"
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})" ReportSuggestion "${TEST_NO}" "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
else else
if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
fi fi
@ -283,8 +355,7 @@
Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process" Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check dovecot status" LogText "Test: check dovecot status"
IsRunning dovecot if IsRunning "dovecot"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running dovecot process" LogText "Result: found running dovecot process"
Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
DOVECOT_RUNNING=1 DOVECOT_RUNNING=1
@ -305,8 +376,7 @@
Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status" Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Qmail status" LogText "Test: check Qmail status"
IsRunning qmail-smtpd if IsRunning "qmail-smtpd"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Qmail process" LogText "Result: found running Qmail process"
Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN
QMAIL_RUNNING=1 QMAIL_RUNNING=1
@ -325,8 +395,7 @@
Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status" Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check sendmail status" LogText "Test: check sendmail status"
IsRunning sendmail if IsRunning "sendmail"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Sendmail process" LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
SENDMAIL_RUNNING=1 SENDMAIL_RUNNING=1
@ -342,7 +411,7 @@
# #
# Test : MAIL-8920 # Test : MAIL-8920
# Description : Check OpenSMTPD process status # Description : Check OpenSMTPD process status
if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status" LogText "Test: check smtpd status"

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -31,8 +31,10 @@
BITDEFENDER_DAEMON_RUNNING=0 BITDEFENDER_DAEMON_RUNNING=0
CLAMD_RUNNING=0 CLAMD_RUNNING=0
CLAMSCAN_INSTALLED=0 CLAMSCAN_INSTALLED=0
CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
ESET_DAEMON_RUNNING=0 ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0 FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0 MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0 SOPHOS_SCANNER_RUNNING=0
@ -45,7 +47,7 @@
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit" LogText "Test: checking presence chkrootkit"
if [ ! -z "${CHKROOTKITBINARY}" ]; then if [ -n "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}" LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -63,7 +65,7 @@
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter" Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter" LogText "Test: checking presence Rootkit Hunter"
if [ ! -z "${RKHUNTERBINARY}" ]; then if [ -n "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}" LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -100,34 +102,9 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# ESET security products
LogText "Test: checking process esets_daemon"
IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Bitdefender (macOS)
LogText "Test: checking process epagd"
IsRunning epagd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# Avast (macOS) # Avast (macOS)
LogText "Test: checking process com.avast.daemon" LogText "Test: checking process com.avast.daemon"
IsRunning com.avast.daemon if IsRunning "com.avast.daemon"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
AVAST_DAEMON_RUNNING=1 AVAST_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -138,8 +115,7 @@
# Avira # Avira
LogText "Test: checking process Avira daemon" LogText "Test: checking process Avira daemon"
IsRunning avqmd if IsRunning "avqmd"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
AVIRA_DAEMON_RUNNING=1 AVIRA_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -148,10 +124,31 @@
Report "malware_scanner[]=avira" Report "malware_scanner[]=avira"
fi fi
# Bitdefender (macOS)
LogText "Test: checking process epagd"
if IsRunning "bdagentd" || IsRunning "epagd"; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found falcon-sensor service"
CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=falcon-sensor"
fi
# Cylance (macOS) # Cylance (macOS)
LogText "Test: checking process CylanceSvc" LogText "Test: checking process CylanceSvc"
IsRunning CylanceSvc if IsRunning "CylanceSvc"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found CylancePROTECT service" LogText "Result: found CylancePROTECT service"
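Review bot: the Bitdefender check now also matches `bdagentd`, but the preceding `LogText "Test: checking process epagd"` still names only `epagd`, so the log will not explain why a host running only bdagentd was flagged; change it to `LogText "Test: checking process bdagentd or epagd (Bitdefender)"`, matching the "process X or Y (Vendor)" wording used for the Kaspersky and McAfee checks below. The `# Bitdefender (macOS)` comment should likewise note that bdagentd is the non-macOS agent if that is the intent of adding it. The CrowdStrike block is consistent with the other vendors (FOUND, a `*_RUNNING` flag declared in the variable list, `MALWARE_SCANNER_INSTALLED` and `Report`).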
@ -160,15 +157,40 @@
Report "malware_scanner[]=cylance-protect" Report "malware_scanner[]=cylance-protect"
fi fi
# ESET security products
LogText "Test: checking process esets_daemon"
if IsRunning "esets_daemon"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products # McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)" LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first # cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else else
IsRunning cmdagent if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
@ -180,14 +202,12 @@
# Sophos savscand/SophosScanD # Sophos savscand/SophosScanD
LogText "Test: checking process savscand" LogText "Test: checking process savscand"
IsRunning savscand if IsRunning "savscand"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
SOPHOS_SCANNER_RUNNING=1 SOPHOS_SCANNER_RUNNING=1
fi fi
LogText "Test: checking process SophosScanD" LogText "Test: checking process SophosScanD"
IsRunning SophosScanD if IsRunning "SophosScanD"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
SOPHOS_SCANNER_RUNNING=1 SOPHOS_SCANNER_RUNNING=1
fi fi
@ -200,18 +220,15 @@
# Symantec rtvscand/smcd/symcfgd # Symantec rtvscand/smcd/symcfgd
LogText "Test: checking process rtvscand" LogText "Test: checking process rtvscand"
IsRunning rtvscand if IsRunning "rtvscand"; then
if [ ${RUNNING} -eq 1 ]; then
SYMANTEC_SCANNER_RUNNING=1 SYMANTEC_SCANNER_RUNNING=1
fi fi
LogText "Test: checking process Symantec management client service" LogText "Test: checking process Symantec management client service"
IsRunning smcd if IsRunning "smcd"; then
if [ ${RUNNING} -eq 1 ]; then
SYMANTEC_SCANNER_RUNNING=1 SYMANTEC_SCANNER_RUNNING=1
fi fi
LogText "Test: checking process Symantec Endpoint Protection configuration service" LogText "Test: checking process Symantec Endpoint Protection configuration service"
IsRunning symcfgd if IsRunning "symcfgd"; then
if [ ${RUNNING} -eq 1 ]; then
SYMANTEC_SCANNER_RUNNING=1 SYMANTEC_SCANNER_RUNNING=1
fi fi
if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
@ -224,8 +241,7 @@
# TrendMicro (macOS) # TrendMicro (macOS)
LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)" LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
IsRunning TmccMac if IsRunning "TmccMac"; then
if [ ${RUNNING} -eq 1 ]; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro component" LogText "Result: found Trend Micro component"
FOUND=1 FOUND=1
@ -267,8 +283,7 @@
Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd" Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running ClamAV daemon (clamd)" LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd if IsRunning "clamd"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process" LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -286,8 +301,7 @@
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam" Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running freshclam daemon" LogText "Test: checking running freshclam daemon"
IsRunning freshclam if IsRunning "freshclam"; then
if [ ${RUNNING} -eq 1 ]; then
FRESHCLAM_DAEMON_RUNNING=1 FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process" LogText "Result: found running freshclam process"
@ -295,7 +309,7 @@
else else
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running" LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database" ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi fi
fi fi
# #
@ -307,7 +321,7 @@
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan') CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ ! -z "${CLAMSCANBINARY}" ]; then if [ -n "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed" LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -30,17 +30,17 @@
# Description : Query /proc/meminfo # Description : Query /proc/meminfo
Register --test-no PROC-3602 --os Linux --weight L --network NO --category security --description "Checking /proc/meminfo for memory details" Register --test-no PROC-3602 --os Linux --weight L --network NO --category security --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then if [ -f ${ROOTDIR}proc/meminfo ]; then
LogText "Result: found /proc/meminfo" LogText "Result: found ${ROOTDIR}proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking ${ROOTDIR}proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo) FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' ${ROOTDIR}proc/meminfo)
MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }') MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }')
MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }') MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }')
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}" Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}" Report "memory_units=${MEMORY_UNITS}"
else else
LogText "Result: /proc/meminfo file not found on this system" LogText "Result: ${ROOTDIR}proc/meminfo file not found on this system"
fi fi
fi fi
# #
@ -80,12 +80,12 @@
fi fi
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no zombie processes found" LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else else
LogText "Result: found one or more dead or zombie processes" LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}" LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes" ReportSuggestion "${TEST_NO}" "Check the output of ps for dead or zombie processes"
fi fi
fi fi
# #
@ -104,19 +104,40 @@
fi fi
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first" LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else else
LogText "Result: found one or more processes which were waiting to get IO requests handled first" LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}" LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests" ReportSuggestion "${TEST_NO}" "Check process listing for processes waiting for IO requests"
fi
fi
#
#################################################################################
#
# Test : PROC-3802
# Description : Check presence of prelink tooling
Register --test-no PROC-3802 --package-manager-required --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling"
if [ ${SKIPTEST} -eq 0 ]; then
if PackageIsInstalled "prelink"; then
LogText "Result: prelink packages is installed"
# TODO
# - Add item to website with rationale
#ReportSuggestion "${TEST_NO}" "Disable and remove prelinking of binaries"
AddHP 1 3
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_FOUND}" --color YELLOW
else
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_NOT_FOUND}" --color GREEN
LogText "Result: prelink package is NOT installed"
AddHP 3 3
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
WaitForKeyPress WaitForKeyPress
# #
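Review bot: in the new PROC-3802 test the `ReportSuggestion "${TEST_NO}" "Disable and remove prelinking of binaries"` line is commented out with a TODO, so a system with prelink installed gets a YELLOW result and only `AddHP 1 3` instead of `AddHP 3 3`, but no suggestion in the report explaining what to change; either enable the suggestion together with the rationale item it refers to, or do not deduct hardening points until it is in place. Two smaller points in the same hunk: the log line should read "prelink package is installed" (not "packages is"), and the display text "- Search prelink tooling" does not follow the "- Checking ..." / "- Searching for ..." wording used by the surrounding tests. The unchanged "More info:" context line above also still carries the stray word "logtext" in "are not logtext well configured".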

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -84,7 +84,7 @@
if [ ${COUNT} -gt 6 ]; then if [ ${COUNT} -gt 6 ]; then
LogText "Result: Found ${COUNT} search domains" LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" ReportWarning "${TEST_NO}" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else else
LogText "Result: Found ${COUNT} search domains" LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
@ -95,7 +95,7 @@
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else else
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi fi
@ -124,7 +124,7 @@
Report "resolv_conf_option[]=${ITEM}" Report "resolv_conf_option[]=${ITEM}"
# TODO add suggestions for the related options # TODO add suggestions for the related options
# rotate --> add performance tune point # rotate --> add performance tune point
# timeout --> add performe tune point when smaller than 3 seconds # timeout --> add performance tune point when smaller than 3 seconds
done done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi fi
@ -188,7 +188,7 @@
# If files and commands can't be found, use defined value from resolv.conf # If files and commands can't be found, use defined value from resolv.conf
if [ -z "${DOMAINNAME}" ]; then if [ -z "${DOMAINNAME}" ]; then
if [ ! -z "${RESOLV_DOMAINNAME}" ]; then if [ -n "${RESOLV_DOMAINNAME}" ]; then
LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf" LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME} DOMAINNAME=${RESOLV_DOMAINNAME}
else else
@ -197,14 +197,14 @@
fi fi
fi fi
if [ ! -z "${DOMAINNAME}" ]; then if [ -n "${DOMAINNAME}" ]; then
LogText "Result: found domain name" LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}" Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}" Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else else
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name" ReportSuggestion "${TEST_NO}" "Check DNS configuration for the dns domain name"
fi fi
fi fi
# #
@ -215,8 +215,7 @@
Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status" Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking nscd status" LogText "Test: checking nscd status"
IsRunning nscd if IsRunning "nscd"; then
if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1 NAME_CACHE_USED=1
LogText "Result: nscd is running" LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
@ -233,8 +232,7 @@
Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status" Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking Unbound (unbound) status" LogText "Test: checking Unbound (unbound) status"
IsRunning unbound if IsRunning "unbound"; then
if [ ${RUNNING} -eq 1 ]; then
UNBOUND_RUNNING=1 UNBOUND_RUNNING=1
NAME_CACHE_USED=1 NAME_CACHE_USED=1
LogText "Result: Unbound daemon is running" LogText "Result: Unbound daemon is running"
@ -278,8 +276,7 @@
Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status" Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for running BIND instance" LogText "Test: Checking for running BIND instance"
IsRunning named if IsRunning "named"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found BIND process" LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
BIND_RUNNING=1 BIND_RUNNING=1
@ -303,7 +300,7 @@
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})" LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi fi
done done
if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then if [ -n "${BIND_CONFIG_LOCATION}" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -327,7 +324,7 @@
else else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}" LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file" ReportWarning "${TEST_NO}" "Errors discovered in BIND configuration file"
fi fi
else else
LogText "Result: named-checkconf not found, skipping test" LogText "Result: named-checkconf not found, skipping test"
@ -350,8 +347,8 @@
else else
LogText "Result: possible BIND version available in version banner" LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found BIND version in banner" ReportWarning "${TEST_NO}" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file" ReportSuggestion "${TEST_NO}" "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2 AddHP 0 2
fi fi
fi fi
@ -384,8 +381,7 @@
Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status" Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for running PowerDNS instance" LogText "Test: Checking for running PowerDNS instance"
IsRunning pdns_server if IsRunning "pdns_server"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found PowerDNS process" LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1 POWERDNS_RUNNING=1
@ -449,12 +445,12 @@
# #
# Test : NAME-4238 # Test : NAME-4238
# Description : Check PowerDNS authoritative status # Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status" Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status" LogText "Test: Checking for PowerDNS master status"
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Found master=yes in configuration file" LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative master: YES" Display --indent 4 --text "- PowerDNS authoritative master: YES"
POWERDNS_AUTH_MASTER=1 POWERDNS_AUTH_MASTER=1
@ -464,7 +460,7 @@
fi fi
LogText "Test: Checking for PowerDNS slave status" LogText "Test: Checking for PowerDNS slave status"
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Found slave=yes in configuration file" LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative slave: YES" Display --indent 4 --text "- PowerDNS authoritative slave: YES"
POWERDNS_AUTH_SLAVE=1 POWERDNS_AUTH_SLAVE=1
@ -481,13 +477,11 @@
Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status" Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking status of ypbind daemon" LogText "Test: Checking status of ypbind daemon"
IsRunning ypbind if IsRunning "ypbind"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypbind is running" LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN
YPBIND_RUNNING=1 YPBIND_RUNNING=1
IsRunning ypldap if IsRunning "ypldap"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypldap is running" LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else else
@ -509,7 +503,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking $(domainname) for NIS domain value" LogText "Test: Checking $(domainname) for NIS domain value"
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Value: ${FIND}" LogText "Value: ${FIND}"
NISDOMAIN="${FIND}" NISDOMAIN="${FIND}"
else else
@ -520,7 +514,7 @@
if [ -f ${ROOTDIR}etc/defaultdomain ]; then if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=$(cat ${ROOTDIR}etc/defaultdomain) FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
if [ ! -z "${FIND2}" ]; then if [ -n "${FIND2}" ]; then
LogText "Output: ${FIND2}" LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}" NISDOMAIN="${FIND2}"
else else
@ -533,7 +527,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists" LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file" LogText "Test: checking NISDOMAIN value in file"
FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g') FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
if [ ! -z "${FIND3}" ]; then if [ -n "${FIND3}" ]; then
LogText "Found NIS domain: ${FIND3}" LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}" NISDOMAIN="${FIND3}"
else else
@ -553,7 +547,7 @@
fi fi
fi fi
# Check if we found any NIS domain # Check if we found any NIS domain
if [ ! -z "${NISDOMAIN}" ]; then if [ -n "${NISDOMAIN}" ]; then
LogText "Found NIS domain: ${NISDOMAIN}" LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
@ -565,27 +559,27 @@
# #
################################################################################# #################################################################################
# #
if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi if [ -f ${ROOTDIR}etc/hosts ]; then
Display --indent 2 --text "- Checking /etc/hosts"
else
LogText "Result: no /etc/hosts file found"
fi
# Test : NAME-4402 # Test : NAME-4402
# Description : Check /etc/hosts configuration # Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
if [ -f ${ROOTDIR}etc/hosts ]; then OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) if [ -z "${OUTPUT}" ]; then
if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found"
LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
else
LogText "Found duplicate line: ${OUTPUT}"
LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi
else else
LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped" LogText "Found duplicate line: ${OUTPUT}"
Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW LogText "Result: found duplicate line"
Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi fi
fi fi
# #
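Review bot: the duplicate-entries branch passes `--result "$STATUS_FOUND}"`, which is missing the opening brace; the shell expands `$STATUS_FOUND` and then prints a literal `}`, so the screen shows something like "FOUND}" whenever duplicates exist. It should be `--result "${STATUS_FOUND}"`. Also, the new presence block displays "- Checking /etc/hosts" and logs "no /etc/hosts file found" while the file test on the same line and the LogText of NAME-4402 use `${ROOTDIR}etc/hosts`; use the ROOTDIR form in both messages so the output is correct when Lynis is pointed at a mounted root.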
@ -593,42 +587,44 @@
# #
# Test : NAME-4404 # Test : NAME-4404
# Description : Check /etc/hosts contains an entry for this server name # Description : Check /etc/hosts contains an entry for this server name
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name" Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name" LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then if [ -n "${HOSTNAME}" ]; then
sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ "${sFIND}" != "" ]; then if [ -n "${DATA}" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts" LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts" LogText "Result: No entry found for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving" ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving"
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections" LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi fi
fi else
fi LogText "Result: Skipping test, no hostname configured"
fi
fi
# #
################################################################################# #################################################################################
# #
# Test : NAME-4406 # Test : NAME-4406
# Description : Check server hostname mapping # Description : Check server hostname mapping
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${HOSTNAME}" -a -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts" LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
sFIND=$(${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ ! "${sFIND}" = "" ]; then if [ -n "${DATA}" ]; then
LogText "Result: Found this server hostname mapped to a local address" LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}" LogText "Output: ${DATA}"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_FOUND}" --color YELLOW
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface." LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system"
else else
LogText "Result: this server hostname is not mapped to a local address" LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_NOT_FOUND}" --color GREEN
fi fi
fi fi
# #
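Review bot: NAME-4404 filters the hosts file with `${GREPBINARY} -i ${HOSTNAME}`, which is a substring match, so a host named "db1" is reported as present when the only entry is for "db10" or "db1-old"; NAME-4406 directly below already uses `-w` for the same lookup, and NAME-4404 should do the same, with `${HOSTNAME}` quoted in both. Separately, the prerequisite for NAME-4404 was changed from "hostname known" to "hosts file exists", so on a system without a configured hostname the test is now registered as executed and merely logs "Skipping test, no hostname configured"; NAME-4406 combines both conditions in its PREQS_MET line, and NAME-4404 should use that same combined check so the skip is recorded as a skip rather than a silent pass.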
@ -636,29 +632,29 @@
# #
# Test : NAME-4408 # Test : NAME-4408
# Description : Check localhost entry # Description : Check localhost entry
if [ ! -z "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry" Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts" LogText "Test: Check server hostname not locally mapped in /etc/hosts"
FIND=$(${GETENT_BINARY} hosts localhost | ${AWKBINARY} '{print $1}' | ${SORTBINARY} | ${TRBINARY} -d '\n') FIND=$(${GETENT_BINARY} hosts localhost | ${AWKBINARY} '{print $1}' | ${SORTBINARY} | ${TRBINARY} -d '\n')
if [ "${FIND}" = "127.0.0.1" ]; then if [ "${FIND}" = "127.0.0.1" ]; then
LogText "Result: localhost mapped to 127.0.0.1" LogText "Result: localhost mapped to 127.0.0.1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}" Report "localhost-mapped-to=${FIND}"
elif [ "${FIND}" = "::1" ]; then elif [ "${FIND}" = "::1" ]; then
LogText "Result: localhost mapped to ::1" LogText "Result: localhost mapped to ::1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}" Report "localhost-mapped-to=${FIND}"
elif [ "${FIND}" = "127.0.0.1::1" ]; then elif [ "${FIND}" = "127.0.0.1::1" ]; then
LogText "Result: localhost mapped to 127.0.0.1 and ::1" LogText "Result: localhost mapped to 127.0.0.1 and ::1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}" Report "localhost-mapped-to=${FIND}"
else else
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
LogText "Result: this server hostname is not mapped to a local address" LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)." LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line" ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
fi fi
fi fi
# #
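Review bot: the prerequisite line at the top of NAME-4408 assigns SKIPREASON to the wrong branch: `if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi` sets the "No getent binary" reason when getent is present and an empty reason when it is missing, so the skip reason is empty exactly when it is needed; swap the two SKIPREASON assignments. The `LogText "Test: Check server hostname not locally mapped in /etc/hosts"` and the `Result: this server hostname is not mapped to a local address` messages describe the preceding hostname test, not this one, which checks the localhost entry; the log text should say so. The `report` to `Report` change is a genuine fix, since the lowercase name is not a defined function and would have failed at runtime.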

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -34,6 +34,55 @@
InsertSection "Networking" InsertSection "Networking"
# #
################################################################################# #################################################################################
#
# Test : NETW-2400
# Description : Test hostname for valid characters and length
# Notes : FQDN: max 253 characters
# : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters
# dots allowed as separator
Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check"
if [ ${SKIPTEST} -eq 0 ]; then
# Test first the fully qualified domain name
if [ ${#FQDN} -gt 253 ]; then
# Too long
LogText "Result: FQDN is more than 253 characters"
Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)"
elif [ ${#FQDN} -eq 0 ]; then
# FQDN not defined
LogText "Result: FQDN is not defined"
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi
else
# Fine
LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)"
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi
fi
# Now test short hostname
if [ ${#HOSTNAME} -eq 0 ]; then
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi
LogText "Result: hostname is not defined"
else
# Test length
if [ ${#HOSTNAME} -gt 63 ]; then
LogText "Result: hostname is more than 63 characters"
Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED
else
LogText "Result: hostnamed is defined and not longer than 63 characters"
fi
# Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9\.\-]')
if [ -z "${FIND}" ]; then
LogText "Result: good, no unexpected characters discovered in hostname"
if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
else
LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity"
Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters"
fi
fi
fi
#
#################################################################################
# #
# Test : NETW-2600 # Test : NETW-2600
# Description : Gather IPv6 configuration # Description : Gather IPv6 configuration
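Review bot: the character check in NETW-2400 does not implement the allowed set described in the header comment. In `tr -d '[a-zA-Z0-9\.\-]'` the brackets are literal characters to delete, so a hostname containing `[` or `]` passes as valid, and the backslashes are not needed inside a tr set; use `${TRBINARY} -d 'a-zA-Z0-9.-'`. Nothing enforces the "not start with hyphen" rule from the notes, and the over-63-characters branch only displays a warning without a matching `ReportWarning`, unlike the FQDN branch. Two smaller points: the undefined short hostname is displayed under the label "Hostname (FQDN length)" where "Hostname (length)" is meant, and "hostnamed is defined" in the log text should read "hostname is defined".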
@ -47,7 +96,7 @@
IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0 IPV6_MISCONFIGURED_MTU=0
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/") FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
IPV6_CONFIGURED=1 IPV6_CONFIGURED=1
for I in ${FIND}; do for I in ${FIND}; do
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }') SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
@ -124,7 +173,7 @@
if [ -f /etc/resolv.conf ]; then if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file" LogText "Result: Found /etc/resolv.conf file"
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1) FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Testing nameservers" Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers" LogText "Test: Querying nameservers"
for I in ${FIND}; do for I in ${FIND}; do
@ -134,7 +183,7 @@
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1 LOCAL_DNSRESOLVER_FOUND=1
fi fi
if [ ! -z "${DIGBINARY}" ]; then if [ -n "${DIGBINARY}" ]; then
# See if we can query something at the nameserver # See if we can query something at the nameserver
# 0=good, other=bad # 0=good, other=bad
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?) DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
@ -147,8 +196,8 @@
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
LogText "Result: nameserver ${I} does NOT respond" LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}" LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)." ReportSuggestion "${TEST_NO}" "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond" ReportWarning "${TEST_NO}" "Nameserver ${I} does not respond"
fi fi
else else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed" LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
@ -167,13 +216,13 @@
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers" Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0 SKIP=0
if [ ! -z "${DIGBINARY}" ]; then if [ -n "${DIGBINARY}" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found" LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers" ReportWarning "${TEST_NO}" "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc." LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible" ReportSuggestion "${TEST_NO}" "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
@ -189,16 +238,50 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : NETW-2706
# Description : Check systemd-resolve output and upstream DNSSEC status
# Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
if [ -n "${RESOLVECTLBINARY}" ]; then
PREQS_MET="YES"
RESOLVE_CMD="${RESOLVECTLBINARY}"
RESOLVE_CMD_PARAM="statistics"
elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
PREQS_MET="YES"
RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
RESOLVE_CMD_PARAM="--statistics"
else
PREQS_MET="NO"
fi
Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0
DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
if [ "${DNSSEC_STATUS}" = "yes" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
elif [ "${DNSSEC_STATUS}" = "no" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
else
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
fi
else
LogText "Result: Test most likely skipped due to not having resolvectl"
fi
#
#################################################################################
# #
# Test : NETW-3001 # Test : NETW-3001
# Description : Find default gateway (route) # Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0 # More info : BSD: ^default Linux: 0.0.0.0
if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)" LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: Found default gateway ${I}" LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}" Report "default_gateway[]=${I}"
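Review bot: `SKIP=0` in NETW-2706 is assigned but never read, and the `else` branch logs a guess ("most likely skipped due to not having resolvectl") although the reason is known when `PREQS_MET="NO"` is set; pass it to `Register` with `--skip-reason`, as NAME-4408 does, or log it as a fact. The unknown branch treats anything other than yes/no as a command error and shows it in RED, but the awk pattern `/DNSSEC supported/` also yields an empty string when that line is simply absent from the output, so the log message should include what the command actually returned instead of only asking the user to rerun it.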
@ -222,9 +305,9 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }') FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
;; ;;
Linux) Linux)
if [ ! -z "${IPBINARY}" ]; then if [ -n "${IPBINARY}" ]; then
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g') FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
elif [ ! -z "${IFCONFIGBINARY}" ]; then elif [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}') FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
fi fi
;; ;;
@ -265,14 +348,14 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;; ;;
Linux) Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u) FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field. # CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
fi fi
else else
if [ ! -z "${IPBINARY}" ]; then if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather hardware addresses" LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }') FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else else
@ -320,12 +403,12 @@
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
Linux) Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2) FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware) # Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }') FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else else
if [ ! -z "${IPBINARY}" ]; then if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather IP addresses" LogText "Test: Using ip binary to gather IP addresses"
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//') FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//') FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
@ -370,58 +453,57 @@
# Description : Check listening ports # Description : Check listening ports
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports" Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
DATA=""
FIND=""; FIND2="" FIND=""; FIND2=""
COUNT=0 COUNT=0
case ${OS} in case ${OS} in
DragonFly|FreeBSD) DragonFly | FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then if [ -n "${SOCKSTATBINARY}" ]; then
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/' # To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else else
FIND="" FIND=""
fi fi
FIND2="" FIND2=""
;; ;;
Linux) Linux)
if [ ! -z "${NETSTATBINARY}" ]; then if [ -n "${SSBINARY}" ]; then
LogText "Test: Retrieving ss information to find listening ports"
DATA=$(${SSBINARY} --query=udp,tcp -plnt | ${AWKBINARY} '{ if ($1!="Netid") { print "raw,ss,v1|"$1"|"$5"|"$7"|" }}' | ${SEDBINARY} 's/pid=[0-9]\{1,\},fd=[0-9]\{1,\}//g' | ${SEDBINARY} 's/users://' | ${SEDBINARY} 's/,)//g' | ${TRBINARY} -d '()"')
elif [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
# UDP # UDP
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:') FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP # TCP
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:') FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else else
if [ ! "${SSBINARY}" = "" ]; then ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
# UDP
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
fi fi
;; ;;
macOS) macOS)
if [ ! "${LSOFBINARY}" = "" ]; then if [ -n "${LSOFBINARY}" ]; then
LogText "Test: Retrieving lsof information to find listening ports"
# UDP and TCP combined # UDP and TCP combined
FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME") FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
else else
FIND="" FIND=""
fi fi
# Not needed as we have a combined test # Not needed as we have a combined test
FIND2="" FIND2=""
;; ;;
NetBSD) NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then if [ -n "${SOCKSTATBINARY}" ]; then
LogText "Test: Retrieving sockstat information to find listening ports"
FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
else else
FIND="" FIND=""
fi fi
FIND2="" FIND2=""
;; ;;
OpenBSD) OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then if [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
# UDP # UDP
FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }') FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
# TCP # TCP
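Review bot: `${LSOFBINARY}${LSOF_EXTRA_OPTIONS}` in the macOS branch joins the binary path and the options with no separator, so the call only works if `LSOF_EXTRA_OPTIONS` is defined with a leading space or is empty; write `${LSOFBINARY} ${LSOF_EXTRA_OPTIONS}` so it does not depend on how the variable is populated elsewhere. In the Linux branch the ss pipeline stores its result in `DATA` with a `raw,ss,v1|` prefix while the netstat fallback still fills `FIND`/`FIND2` in the old format, so the report receives two different record layouts depending on which tool is present; document both formats or normalise them. Replacing the old `-u -a -n`/`-t -a -n` fallback, which listed all sockets rather than listening ones, with `--query=udp,tcp -plnt` is the right change.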
@ -429,16 +511,21 @@
else else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi fi
;; ;;
*) *)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information. # Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information" ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
;; ;;
esac esac
# Retrieve information from sockstat, when available if [ -n "${DATA}" ]; then
LogText "Test: Retrieving sockstat information to find listening ports" for ITEM in ${DATA}; do
if HasData "${FIND}"; then COUNT=$((COUNT + 1))
Report "network_listen[]=${ITEM}"
done
fi
if [ -n "${FIND}" ]; then
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}" LogText "Found listening info: ${ITEM}"
@ -446,18 +533,17 @@
done done
fi fi
if [ ! "${FIND2}" = "" ]; then if [ -n "${FIND2}" ]; then
for ITEM in ${FIND2}; do for ITEM in ${FIND2}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}" LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}" Report "network_listen_port[]=${ITEM}"
done done
fi fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then if [ -z "${DATA}" -a -z "${FIND}" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${COUNT} ports"
fi fi
fi fi
# #
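Review bot: the emptiness check `if [ -z "${DATA}" -a -z "${FIND}" ]` drops `FIND2` from the condition, so on a netstat-based Linux host with TCP listeners but no UDP listeners (`FIND` empty, `FIND2` populated) the test displays SKIPPED even though the loop above just counted and reported those ports; add `-a -z "${FIND2}"` to the test. With the `Display --indent 6 --text "* Found ${COUNT} ports"` line removed, `COUNT` is still incremented in all three loops but no longer used anywhere; either log it or drop the counter.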
@ -486,10 +572,10 @@
# Check if this interface was whitelisted # Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then if [ ${WHITELISTED} -eq 0 ]; then
FOUNDPROMISC=1 FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" ReportWarning "${TEST_NO}" "Found promiscuous interface (${ITEM})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic" LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)" LogText "Result: Found promiscuous interface ${ITEM} (*whitelisted via profile*)"
fi fi
done done
fi fi
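Review bot: the variable in `ReportWarning "${TEST_NO}" "Found promiscuous interface (${ITEM})"` and in the whitelisted log line changes from `${I}` to `${ITEM}`, but the `for` header that defines the loop variable is outside this hunk; confirm that the loop actually iterates over `ITEM`, otherwise both messages will show an empty interface name while the `WHITELISTED` check still refers to the real interface.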
@ -507,35 +593,54 @@
# #
# Test : NETW-3015 # Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux) # Description : Checking promiscuous interfaces (Linux)
# Note : Need ifconfig binary at this moment (does not work on Arch Linux) Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)" FOUNDPROMISC=99
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) NETWORK=""
if [ ! "${NETWORK}" = "" ]; then USE_IP_INSTEAD_IFCONFIG=0
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to retrieve network interfaces"
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
USE_IP_INSTEAD_IFCONFIG=1
elif [ -n "${IFCONFIGBINARY}" ]; then
LogText "Test: Using ifconfig binary to retrieve network interfaces"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
fi
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
if [ -n "${NETWORK}" ]; then
FOUNDPROMISC=0
for I in ${NETWORK}; do for I in ${NETWORK}; do
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
if [ ! "${FIND}" = "" ]; then FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} "promiscuity [1-9]")
else
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
fi
if [ -n "${FIND}" ]; then
LogText "Result: Promiscuous interface: ${I}" LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ "${ISWHITELISTED}" = "" ]; then if [ -z "${ISWHITELISTED}" ]; then
FOUNDPROMISC=1 FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" ReportWarning "${TEST_NO}" "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic" LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)" LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi fi
fi fi
done done
else
LogText "Result: no network interfaces discovered, so nothing tested"
fi fi
# Show result # Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found" LogText "Result: No promiscuous interfaces found"
else elif [ ${FOUNDPROMISC} -eq 1 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
fi fi
# #
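Review bot: dropping the `PREQS_MET` check means NETW-3015 now runs when neither `ip` nor `ifconfig` is present; `NETWORK` stays empty, the log says "no network interfaces discovered, so nothing tested" and the result is UNKNOWN, which is misleading because interfaces were never enumerated. Log that no enumeration tool was available in that case, or keep a prerequisite check on one of the two binaries. `${PROFILE}` is unquoted in `ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})`; quote it like the other expansions in this hunk. The switch to `ip -o -d link show` with `promiscuity [1-9]` is the right fix for the ifconfig-less systems the removed note referred to.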
@ -574,8 +679,7 @@
# Description : Checking for DHCP client # Description : Checking for DHCP client
Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status" Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient || IsRunning dhcpcd || IsRunning udhcpc if IsRunning "dhclient" || IsRunning "dhcpcd" || IsRunning "udhcpc"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1 DHCP_CLIENT_RUNNING=1
else else
@ -591,32 +695,95 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# addrwatch
if IsRunning "addrwatch"; then
FOUND=1
fi
# arpwatch # arpwatch
IsRunning arpwatch if IsRunning "arpwatch"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
ARPWATCH_RUNNING=1 ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi fi
# arpon # arpon
IsRunning arpon if IsRunning "arpon"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
ARPON_RUNNING=1 ARPON_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi fi
if [ ${FOUND} -eq 0 ]; then
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
else
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Consider running ARP monitoring software (arpwatch,arpon)" #ReportSuggestion "${TEST_NO}" "Consider running ARP monitoring software (addrwatch,arpwatch,arpon)"
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : NETW-3200
# Description : Determine available network protocols
# Notes : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net
# To see active/enabled protocols: ls -d /proc/sys/net
Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
if [ ${SKIPTEST} -eq 0 ]; then
TESTED=0
FOUND_UNCOMMON_PROTOCOL_ENABLED=0
case ${OS} in
Linux)
TESTED=1
LogText "Test: checking the status of some network protocols that typically are not used"
UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
for P in ${UNCOMMON_PROTOCOLS}; do
LogText "Test: now checking module '${P}'"
if ! SkipAtomicTest "${TEST_NO}:${P}"; then
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
fi
fi
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do
LogText "Result: found ${P} module disabled via ${F}"
done
fi
fi
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
Report "arpwatch_running=${ARPWATCH_RUNNING}" ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system"
Report "uncommon_network_protocol_enabled=${P}"
FOUND_UNCOMMON_PROTOCOL_ENABLED=1
fi
fi
done
;;
*)
LogText "This test has no routine yet for this operating system."
Debug "No routine implemented yet for this operating system to check for available network protocols"
;;
esac
if [ ${TESTED} -eq 1 ]; then
if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
else
Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
unset DATA F FOUND TESTED UNCOMMON_PROTOCOLS
fi
#
#################################################################################
#
WaitForKeyPress WaitForKeyPress
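Review bot: `Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW` in NETW-3200 prints the `FOUND` flag (0 or 1) left over from the ARP monitoring test above rather than a status string; the sibling branch uses `${STATUS_NOT_FOUND}`, so this one should use the matching status constant. Related: the trailing `unset DATA F FOUND TESTED UNCOMMON_PROTOCOLS` clears a variable owned by the previous test. The disabled-module detection only matches `^install ${P} /bin/true`, so a module disabled with `install ${P} /bin/false` is reported as enabled; match both targets. In the ARP test the commented-out `#ReportSuggestion "${TEST_NO}" "Consider running ARP monitoring software (addrwatch,arpwatch,arpon)"` is dead code; either restore it or remove it and say why in the commit message.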

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -29,29 +29,86 @@
# Possible locations of php.ini # Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \ PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \ ${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \ ${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \ ${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ ${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \ ${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \ ${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \ ${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/apache2-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php7.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \ ${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \ ${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \ ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \ ${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \ ${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \ ${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ ${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.4/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini \
${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini \
${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini \
${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.3/cli/php.ini \
${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}etc/php/7.4/cli/php.ini \
${ROOTDIR}etc/php/7.4/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \ ${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \ ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \ ${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \ ${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \ ${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \ ${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
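Review bot: the `fpm-php7.4` through `fpm-php5.6` block is listed in descending order while every other SAPI block in this list ascends; reorder it for consistency. Ordering is also behaviour here, not only style: if, as the "using single file ${PHPINIFILE} for main php.ini tests" log line further down suggests, the first existing entry becomes ${PHPINIFILE}, then moving the Debian-style `etc/php/7.x/apache2/php.ini` entries ahead of the `cli` and `fpm` ones changes which file the single-file tests (register_globals, enable_dl, allow_url_*) are evaluated against on hosts that ship more than one SAPI. A glob such as `${ROOTDIR}etc/php/*/*/php.ini` would avoid touching this list for every PHP release, provided the consumer keeps expanding PHPINILOCS unquoted.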
@ -59,6 +116,9 @@
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \
@ -68,21 +128,44 @@
${ROOTDIR}opt/alt/php56/etc/php.ini \ ${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \ ${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \ ${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini" ${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini \
${ROOTDIR}etc/opt/remi/php74/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini \
${ROOTDIR}etc/php-7.0.ini \
${ROOTDIR}etc/php-7.1.ini \
${ROOTDIR}etc/php-7.2.ini \
${ROOTDIR}etc/php-7.3.ini \
${ROOTDIR}etc/php-7.4.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \ ${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \ ${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.4/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \ ${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \ ${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \ ${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php/7.4/fpm/conf.d \
${ROOTDIR}etc/php.d \ ${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \ ${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \ ${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \ ${ROOTDIR}opt/alt/php52/etc/php.d.all \
@ -91,7 +174,24 @@
${ROOTDIR}opt/alt/php55/etc/php.d.all \ ${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \ ${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \ ${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all" ${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}opt/alt/php74/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d \
${ROOTDIR}usr/local/php74/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 \
${ROOTDIR}etc/php-7.0 \
${ROOTDIR}etc/php-7.1 \
${ROOTDIR}etc/php-7.2 \
${ROOTDIR}etc/php-7.3 \
${ROOTDIR}etc/php-7.4"
# #
################################################################################# #################################################################################
# #
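Review bot: PHPINIDIRS gains `etc/php/7.3` and `7.4` under `cli/conf.d` and `fpm/conf.d` but no `apache2/conf.d`, even though this same commit adds `etc/php/7.x/apache2/php.ini` to PHPINILOCS; add the matching `etc/php/7.x/apache2/conf.d` directories so overrides dropped into the Apache SAPI's conf.d are picked up. The two `HEADS-UP: OpenBSD, last two releases are supported` comments also contradict the lists beneath them, which reach back to php-5.6; either trim the lists to what OpenBSD still ships or reword the comment to say older entries are kept deliberately.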
@ -130,7 +230,7 @@
fi fi
done done
if [ ! -z "${PHPINIFILE}" ]; then if [ -n "${PHPINIFILE}" ]; then
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests" LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
@ -138,14 +238,14 @@
Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no php.ini file found" LogText "Result: no php.ini file found"
fi fi
unset DIR; unset FILE; unset FIND unset DIR FILE FIND
fi fi
# #
################################################################################# #################################################################################
# #
# Test : PHP-2320 # Test : PHP-2320
# Description : Check php disable functions option # Description : Check php disable functions option
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions" Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
@ -170,7 +270,7 @@
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: all PHP functions can be executed" LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions" ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)" LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1 AddHP 0 1
else else
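Review bot: the `LogText "Functions of interest to research/disable: ..."` context line lists `proc_open` twice, includes `max_execution_time`, which is an ini directive rather than a function and cannot be placed in disable_functions, and ends with an unmatched `)`. Deduplicate the list, drop the directive, and remove or balance the parenthesis so the log line is usable as a copy-paste starting point.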
@ -185,7 +285,7 @@
# Test : PHP-2368 # Test : PHP-2368
# Description : Check php register_globals option # Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then if [ -f "${PHPINIFILE}" ]; then
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])") FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
@ -206,10 +306,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option" LogText "Test: Checking PHP register_globals option"
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting." LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2 AddHP 1 2
else else
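Review bot: the pattern `register_globals.*(on|yes|1)` combined with `${GREPBINARY} -v '^;'` only discards comments that start in column one, so an indented `  ; register_globals = On`, or a value line with a trailing comment containing "on", is reported as the option being enabled. Anchor the match to the directive and its value, e.g. `^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|yes|1)`; the expose_php and enable_dl tests below use the same pattern shape and would benefit from the same anchoring.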
@ -226,11 +326,17 @@
# Description : Check PHP expose_php option # Description : Check PHP expose_php option
# Background : When this option is turned on, PHP will show its version number in the HTTP headers # Background : When this option is turned on, PHP will show its version number in the HTTP headers
# Notes : TODO - Extend test to check all PHP files # Notes : TODO - Extend test to check all PHP files
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
for FILE in ${PHPINI_ALLFILES}; do for FILE in ${PHPINI_ALLFILES}; do
# Don't look at this setting in cli configuration
case "${FILE}" in
*/cli/*)
continue
;;
esac
LogText "Test: Checking file ${FILE}" LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
if HasData "${FIND}"; then if HasData "${FIND}"; then
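Review bot: the new `*/cli/*)` skip only matches Debian-style `etc/php/7.x/cli/php.ini` and `etc/php5/cli/php.ini`; the Gentoo-style `etc/php/cli-php7.x/php.ini` entries in PHPINILOCS contain `cli-php` rather than `/cli/`, so CLI configuration on those hosts is still scanned for expose_php. Extend the case to `*/cli/*|*/cli-php*)`. PHP-2382 below repeats the same case block, so a small shared helper (or one skip pattern variable) would keep the two in sync.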
@ -242,7 +348,7 @@
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportSuggestion ${TEST_NO} "Turn off PHP information exposure" "expose_php = Off" "-" ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker" Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 3 AddHP 1 3
else else
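Review bot: `Report "Result: expose_php option is turned on, ..."` writes a free-text sentence into the report file, which otherwise holds key=value pairs for the consumer; this should be `LogText`. The same `Report "Result: ..."` misuse appears in the enable_dl and allow_url_include hunks further down.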
@ -257,15 +363,15 @@
# Test : PHP-2374 # Test : PHP-2374
# Description : Check PHP enable_dl option # Description : Check PHP enable_dl option
# Notes : Extend test to check all PHP files # Notes : Extend test to check all PHP files
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option" LogText "Test: Checking PHP enable_dl option"
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules" ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
@ -279,15 +385,15 @@
# Test : PHP-2376 # Test : PHP-2376
# Description : Check PHP allow_url_fopen option # Description : Check PHP allow_url_fopen option
# Notes : Extend test to check all PHP files YYY # Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option" LogText "Test: Checking PHP allow_url_fopen option"
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
@ -302,15 +408,15 @@
# Test : PHP-2378 # Test : PHP-2378
# Description : Check PHP allow_url_include option # Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY # Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option" LogText "Test: Checking PHP allow_url_include option"
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
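Review bot: this hunk treats the absence of an explicit `allow_url_include.*(off|no|0)` line as the option being on, but allow_url_include defaults to Off, so a php.ini that simply does not mention it gets STATUS_ON and loses a hardening point. Invert the check to search for `(on|yes|1)` as the register_globals test does; the absence logic is correct for allow_url_fopen above, whose default is On. The rewritten message "can be used for downloads via PHP and is a risk" also undersells the setting: allow_url_include permits include/require of remote URLs, i.e. remote file inclusion, and the wording should say so.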
@ -324,7 +430,7 @@
# - test disabled for time being, as newer suhosin7 work is not stable enough - # - test disabled for time being, as newer suhosin7 work is not stable enough -
# Test : PHP-2379 # Test : PHP-2379
# Description : Check PHP suhosin extension status # Description : Check PHP suhosin extension status
#if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status" #Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
@ -356,14 +462,14 @@
# fi # fi
# # Check Suhosin for PHP 7 # # Check Suhosin for PHP 7
# if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then # if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled" # LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production" # LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7" # ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED # Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
# AddHP 0 1 # AddHP 0 1
# elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then # elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled" # LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is not enabled" # LogText "Result: Suhosin for PHP 7 is not enabled"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
@ -373,7 +479,7 @@
# if [ ${FOUND} -eq 0 ]; then # if [ ${FOUND} -eq 0 ]; then
# LogText "Result: Suhosin extension is not enabled" # LogText "Result: Suhosin extension is not enabled"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension" # ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
# LogText "suhosin extension is not enabled" # LogText "suhosin extension is not enabled"
# AddHP 0 1 # AddHP 0 1
# else # else
@ -389,7 +495,7 @@
# else # else
# LogText "Result: Suhosin simulation mode is active" # LogText "Result: Suhosin simulation mode is active"
# Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED # Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode" # ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
# LogText "suhosin simulation mode is active" # LogText "suhosin simulation mode is active"
# AddHP 0 1 # AddHP 0 1
# fi # fi
@ -397,6 +503,42 @@
#fi #fi
# #
################################################################################# #################################################################################
#
# Test : PHP-2382
# Description : Check listen option
# Background : https://github.com/CISOfy/lynis/issues/837
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for FILE in ${PHPINI_ALLFILES}; do
# Don't look at this setting in cli configuration
case "${FILE}" in
*/cli/*)
continue
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found listen on just a port number"
LogText "Data: ${FIND}"
LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
AddHP 1 3
else
Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
# #
WaitForKeyPress WaitForKeyPress
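Review bot: the `Register --test-no PHP-2382 ... --description "Check PHP expose_php option"` line is a copy-paste from PHP-2372 and should describe the listen check. Beyond that, the test greps `^listen = [0-9]{1,5}$` across PHPINI_ALLFILES, but the `listen` directive lives in PHP-FPM pool files (for example `www.conf` under `pool.d`) rather than in php.ini, so it will rarely match, and when it does it misses `listen = 0.0.0.0:9000` and `listen = [::]:9000`, which expose the same socket. The commented-out ReportSuggestion leaves the user with STATUS_SUGGESTION and no suggestion text, and the hardening points are inconsistent (`AddHP 1 3` on a finding versus `AddHP 2 2` otherwise, with different maxima); settle on one maximum and either restore the suggestion or downgrade the result to informational.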

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -26,6 +26,7 @@
PACKAGE_MGR_PKG=0 PACKAGE_MGR_PKG=0
PACKAGE_AUDIT_TOOL="" PACKAGE_AUDIT_TOOL=""
PACKAGE_AUDIT_TOOL_FOUND=0 PACKAGE_AUDIT_TOOL_FOUND=0
PACMANCONF="${ROOTDIR}etc/pacman.conf"
INSTALLED_PACKAGES="" INSTALLED_PACKAGES=""
# #
################################################################################# #################################################################################
@ -37,7 +38,7 @@
# Test : PKGS-7301 # Test : PKGS-7301
# Description : Query FreeBSD pkg # Description : Query FreeBSD pkg
if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg" Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD pkg"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(pkg -N 2>&1; echo $?) FIND=$(pkg -N 2>&1; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
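Review bot: the `FIND=$(pkg -N 2>&1; echo $?)` and `if [ "${FIND}" = "0" ]` context lines compare the whole combined output with "0", not the exit status, so anything pkg -N prints to stdout or stderr makes the comparison fail even when pkg is installed. Capture the status alone, e.g. `pkg -N > /dev/null 2>&1; FIND=$?`, and compare that.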
@ -88,7 +89,7 @@
# Test : PKGS-7303 # Test : PKGS-7303
# Description : Query brew package manager # Description : Query brew package manager
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ") FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager" Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
@ -158,7 +159,7 @@
# #
# Test : PKGS-7308 # Test : PKGS-7308
# Description : RPM package based systems # Description : RPM package based systems
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM" Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
@ -191,7 +192,7 @@
# #
# Test : PKGS-7310 # Test : PKGS-7310
# Description : pacman package based systems # Description : pacman package based systems
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman" Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
@ -222,12 +223,12 @@
# #
# Test : PKGS-7312 # Test : PKGS-7312
# Description : Check for available package updates when pacman package is used # Description : Check for available package updates when pacman package is used
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system" Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ") FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIND=$(checkupdates) FIND=$(checkupdates)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: update available for ${I}" LogText "Result: update available for ${I}"
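Review bot: the test is registered `--network NO`, but `checkupdates` works by synchronizing the package databases into a temporary directory, which requires network access, so either the registration or the tool choice should change. The `FIND=$(checkupdates)` call also discards the exit status and leaves stderr unredirected; adding `2> /dev/null` keeps tool errors off the Lynis screen, and checking the status lets a failed sync be logged instead of being reported as "no updates available".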
@ -251,8 +252,7 @@
# #
# Test : PKGS-7314 # Test : PKGS-7314
# Description : Check pacman.conf options # Description : Check pacman.conf options
PACMANCONF="/etc/pacman.conf" if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ! -z "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options" Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
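Review bot: removing `PACMANCONF="/etc/pacman.conf"` here makes PKGS-7314, and the PKGS-7310/PKGS-7312 preconditions that now test `-f "${PACMANCONF}"`, rely on a definition outside this file; if the new definition lives in the shared defaults, it should use `${ROOTDIR}etc/pacman.conf` so the pacman tests honour ROOTDIR like the other `${ROOTDIR}etc/...` paths in this file.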
@ -315,7 +315,7 @@
# #
# Test : PKGS-7322 # Test : PKGS-7322
# Description : Discover vulnerable packages with arch-audit # Description : Discover vulnerable packages with arch-audit
if [ ! -z "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit" Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages" LogText "Test: checking arch-audit output for vulnerable packages"
@ -338,14 +338,14 @@
# #
# Test : PKGS-7328 # Test : PKGS-7328
# Description : Check installed packages with Zypper # Description : Check installed packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages" Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper" PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }') FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for PKG in ${FIND}; do for PKG in ${FIND}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}" LogText "Installed package: ${PKG}"
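Review bot: `--non-interactive -n` on the zypper search line specifies the same option twice, since `-n` is the short form of `--non-interactive`; drop the `-n` as the PKGS-7330 changes do, so the two tests read consistently.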
@ -362,19 +362,19 @@
# #
# Test : PKGS-7330 # Test : PKGS-7330
# Description : Check vulnerable packages with Zypper # Description : Check vulnerable packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)") FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: No security updates found with Zypper" LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable." LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for PKG in ${FIND}; do for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
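Review bot: the `else` branch treats any `pchk` output that does not contain `(0 security patches)` as vulnerable packages, so a repository refresh failure, a permissions error or a localized message produces a red result and a ReportWarning without any package having been checked. Capture the exit status of `${ZYPPERBINARY} --non-interactive pchk` and only enter the warning path when the command succeeded and the count was non-zero; otherwise log the failure and skip.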
@ -487,7 +487,7 @@
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}" LogText "Found unpurged package: ${J}"
done done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts." ReportSuggestion "${TEST_NO}" "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi fi
else else
LogText "Result: dpkg can NOT be found on this system, test skipped" LogText "Result: dpkg can NOT be found on this system, test skipped"
@ -510,7 +510,7 @@
else else
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: found ${FIND} unused distfiles" LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD." ReportSuggestion "${TEST_NO}" "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi fi
fi fi
fi fi
@ -520,7 +520,7 @@
# Test : PKGS-7350 # Test : PKGS-7350
# Description : Use Dandified YUM to gather installed packages # Description : Use Dandified YUM to gather installed packages
# Notes : Possible replacement for YUM in the long term # Notes : Possible replacement for YUM in the long term
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility" Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
@ -546,13 +546,13 @@
# #
# Test : PKGS-7352 # Test : PKGS-7352
# Description : Use Dandified YUM to detect security updates # Description : Use Dandified YUM to detect security updates
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility" Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates # Check for security updates
LogText "Action: checking updateinfo for security updates" LogText "Action: checking updateinfo for security updates"
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}') FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed." LogText "Result: found vulnerable packages, upgrade of system needed."
for PKG in ${FIND}; do for PKG in ${FIND}; do
@ -561,7 +561,7 @@
# Decrease hardening points for every found vulnerable package # Decrease hardening points for every found vulnerable package
AddHP 1 2 AddHP 1 2
done done
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade" ReportWarning "${TEST_NO}" "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else else
LogText "Result: no security updates found" LogText "Result: no security updates found"
@ -574,20 +574,20 @@
# #
# Test : PKGS-7354 # Test : PKGS-7354
# Description : Perform integrity tests for package database # Description : Perform integrity tests for package database
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity" Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available # Check if repoquery plugin is available
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery") FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Action: checking integrity of package database" LogText "Action: checking integrity of package database"
FIND=$(${DNFBINARY} -q repoquery --duplicated) FIND=$(${DNFBINARY} -q repoquery --duplicated)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --duplicated" LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi fi
FIND=$(${DNFBINARY} -q repoquery --unsatisfied) FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --unsatisfied" LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
fi fi
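Review bot: the two `repoquery` invocations leave stderr unredirected, unlike the `updateinfo` call in PKGS-7352 that carries `2> /dev/null` in this same patch, so plugin or metadata warnings are printed straight onto the Lynis screen output; add the same redirection (or log stderr) for consistency.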
@ -600,17 +600,17 @@
# #
# Test : PKGS-7366 # Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems # Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility" Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSECANBINARY}" ]; then if [ -n "${DEBSECANBINARY}" ]; then
LogText "Result: debsecan utility is installed" LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan" PACKAGE_AUDIT_TOOL="debsecan"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan) FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: cron job is configured for debsecan" LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
@ -618,13 +618,13 @@
LogText "Result: no cron job is configured for debsecan" LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3 AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" ReportSuggestion "${TEST_NO}" "Check debsecan cron job and ensure it is enabled"
fi fi
else else
LogText "Result: debsecan is not installed." LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 0 2 AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."
fi fi
fi fi
# #
@ -633,10 +633,10 @@
# Test : PKGS-7370 # Test : PKGS-7370
# Description : Checking debsums installation status and presence in cron job # Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system # Note : Run this only when it is a DPKG based system
if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility" Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSUMSBINARY}" ]; then if [ -n "${DEBSUMSBINARY}" ]; then
LogText "Result: debsums utility is installed" LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
@ -650,12 +650,12 @@
LogText "Result: Cron job is not configured for debsums utility." LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3 AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job."
fi fi
else else
LogText "Result: debsums utility is not installed." LogText "Result: debsums utility is not installed."
AddHP 0 2 AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database." ReportSuggestion "${TEST_NO}" "Install debsums utility for the verification of packages with known good database."
fi fi
fi fi
# #
@ -702,7 +702,7 @@
else else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
@ -728,7 +728,7 @@
# Description : Check for vulnerable FreeBSD packages (with pkg) # Description : Check for vulnerable FreeBSD packages (with pkg)
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml # Notes : Related vulnerability file is /var/db/pkg/vuln.xml
# TODO : Run this in any jail # TODO : Run this in any jail
if [ ! -z "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg" Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
@ -746,7 +746,7 @@
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10 AddHP 10 10
elif [ $? -eq 1 ]; then elif [ $? -eq 1 ]; then
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
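Review bot: `elif [ $? -eq 1 ]` tests the exit status of the preceding `if` condition, not of the `pkg audit` command that produced `${FIND}`; if that condition was itself a `[ ... ]` test, `$?` is 1 whenever it failed, so this branch is entered regardless of how pkg exited. Store the command's status in a variable right after the command substitution (for example `RETVAL=$?`) and compare against that in both branches.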
@ -755,7 +755,7 @@
LogText "Vulnerable package: ${ITEM}" LogText "Vulnerable package: ${ITEM}"
AddHP 1 2 AddHP 1 2
done done
ReportWarning ${TEST_NO} "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit" ReportWarning "${TEST_NO}" "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
else else
LogText "Result: found an exit code greater than zero, yet no output" LogText "Result: found an exit code greater than zero, yet no output"
fi fi
@ -786,8 +786,8 @@
else else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable." LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" ReportSuggestion "${TEST_NO}" "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
@ -804,7 +804,7 @@
# Test : PKGS-7383 # Test : PKGS-7383
# Description : Check for YUM package Update management # Description : Check for YUM package Update management
# Notes : Skip if DNF is used as package manager # Notes : Skip if DNF is used as package manager
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management" LogText "Test: YUM package update management"
@ -812,7 +812,7 @@
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed" LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "YUM is not properly configured or registered for this platform (no repolist found)" ReportWarning "${TEST_NO}" "YUM is not properly configured or registered for this platform (no repolist found)"
else else
LogText "Result: YUM repository available (${FIND})" LogText "Result: YUM repository available (${FIND})"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
@ -823,7 +823,7 @@
# #
# Test : PKGS-7384 # Test : PKGS-7384
# Description : Search for YUM utils package # Description : Search for YUM utils package
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package" Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# package-cleanup tool can be found in different locations # package-cleanup tool can be found in different locations
@ -838,8 +838,8 @@
else else
LogText "Result: One or more duplicate packages found" LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed" ReportWarning "${TEST_NO}" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems" ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve duplicate package problems"
fi fi
# Check for package database problems # Check for package database problems
@ -851,13 +851,13 @@
else else
LogText "Result: One or more problems found in package database" LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found one or more problems in the package database" ReportWarning "${TEST_NO}" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems" ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve package problems"
fi fi
else else
Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: YUM utils package not found" LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database" ReportSuggestion "${TEST_NO}" "Install package 'yum-utils' for better consistency checking of the package database"
fi fi
fi fi
# #
@ -879,8 +879,7 @@
if [ ${DO_TEST} -eq 0 ]; then if [ ${DO_TEST} -eq 0 ]; then
FileExists ${ROOTDIR}usr/share/yum-cli/cli.py FileExists ${ROOTDIR}usr/share/yum-cli/cli.py
if [ ${FILE_FOUND} -eq 1 ]; then if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py" if SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"; then
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1 DO_TEST=1
LogText "Result: found built-in security in yum" LogText "Result: found built-in security in yum"
else else
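Review bot: using `SearchItem` directly as the `if` condition only works if the function returns a non-zero exit status when the pattern is absent; if it still only sets ITEM_FOUND, its return value is that of its last command and this branch will always run. Please confirm the function in the shared include returns 1 on no match, and update any remaining callers that still read ITEM_FOUND afterwards.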
@ -892,8 +891,7 @@
if [ ${DO_TEST} -eq 0 ]; then if [ ${DO_TEST} -eq 0 ]; then
FileExists ${ROOTDIR}etc/yum/pluginconf.d/security.conf FileExists ${ROOTDIR}etc/yum/pluginconf.d/security.conf
if [ ${FILE_FOUND} -eq 1 ]; then if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf" if SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"; then
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1 DO_TEST=1
LogText "Result: found enabled plugin" LogText "Result: found enabled plugin"
else else
@ -905,7 +903,7 @@
# Check if it's installed as package (this is old style) # Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then if [ ${DO_TEST} -eq 0 ]; then
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed") FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found yum-plugin-security package" LogText "Result: found yum-plugin-security package"
DO_TEST=1 DO_TEST=1
fi fi
@ -929,13 +927,12 @@
LogText "Vulnerable package: ${I}" LogText "Vulnerable package: ${I}"
AddHP 1 2 AddHP 1 2
done done
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
fi fi
else else
LogText "Result: yum-security package not found" LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)" ReportSuggestion "${TEST_NO}" "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi fi
fi fi
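Review bot: the `ReportSuggestion ... "Use 'yum --security update' to update your system"` line is deleted without a replacement, so the warning no longer tells the reader how to remediate. If the intent is to avoid a duplicate finding, fold the command into the warning's text field the way the pkg audit hunk does (`"text:Run yum --security update"`); otherwise keep the suggestion.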
# #
@ -946,7 +943,7 @@
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package" Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then if [ -n "${PYTHONBINARY}" ]; then
LogText "Test: checking enabled repositories" LogText "Test: checking enabled repositories"
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g') REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
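Review bot: the `yum` Python module is Python 2 only and the inline `print [...]` is Python 2 syntax, so when PYTHONBINARY resolves to a Python 3 interpreter the command fails (SyntaxError before the import is even attempted), REPOS is empty and the test logs "found no repositories" rather than an error. Check the command's exit status and log the failure distinctly; the precondition also tests `-x ${ROOTDIR}usr/bin/yum` where the neighbouring YUM tests use `${YUMBINARY}`.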
@ -968,15 +965,15 @@
FOUND=0 FOUND=0
FileExists ${ROOTDIR}etc/yum.conf FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi if SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi if SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled" LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf" ReportWarning "${TEST_NO}" "No GPG signing option found in yum.conf"
AddHP 2 3 AddHP 2 3
fi fi
fi fi
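Review bot: FOUND only looks at the [main] section of yum.conf, but a per-repository `gpgcheck=0` in a .repo file overrides it, so this branch can report "GPG check is enabled" on a host that installs unsigned packages from at least one enabled repo; the per-repo values collected into REPOS just above this hunk are the data to evaluate here. Separately, the disabled case still awards `AddHP 2 3`, which is generous for a RED/DISABLED result on signature verification; `AddHP 0 3` would match the severity of the warning.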
@ -985,16 +982,26 @@
################################################################################# #################################################################################
# #
# Test : PKGS-7388 # Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file # Description : Check security repository in Debian/Ubuntu apt sources.list file
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi PREQS_MET="NO"
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file" if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then
case "${LINUX_VERSION}" in
"Debian" | "Linux Mint" | "Ubuntu")
PREQS_MET="YES"
;;
*)
LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository"
;;
esac
fi
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then if [ $SKIPTEST -eq 0 ]; then
FOUND=0 FOUND=0
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list" LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
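Review bot: the new case statement sets PREQS_MET only for the exact names "Debian", "Linux Mint" and "Ubuntu", so Debian derivatives with a different LINUX_VERSION, and any Debian/Ubuntu host where version detection failed, skip the security-repository check with nothing more than a log line, and the log text "most likely has no security repository" will be wrong for those derivatives. Consider matching the distribution family rather than exact names, or at least surfacing the skip on screen. The outer precondition also still requires both `sources.list` and `sources.list.d` to exist (`-f ... -a -d ...`); a host that keeps all sources in the directory only is skipped entirely.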
@ -1006,8 +1013,8 @@
fi fi
if [ -d /etc/apt/sources.list.d ]; then if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
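Review bot: this block hardcodes `/etc/apt/sources.list.d` in the `-d` test, the `egrep -r` and the log messages, while the sources.list block above uses `${ROOTDIR}etc/apt/sources.list`; in a chroot/offline audit the directory is never examined. The recursive grep also reads every file in the directory, including `.bak`, `.disabled` or `.save` leftovers that apt ignores, so a disabled security entry can still produce STATUS_OK; restrict the search to the file types apt parses, e.g. `${EGREPBINARY} -r --include='*.list' ...`.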
@ -1022,7 +1029,7 @@
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory" ReportWarning "${TEST_NO}" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
AddHP 0 3 AddHP 0 3
fi fi
else else
@ -1046,8 +1053,8 @@
else else
LogText "Result: package database is most likely NOT consistent" LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "apt-get check returned a non successful exit code." ReportWarning "${TEST_NO}" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check." ReportSuggestion "${TEST_NO}" "Run apt-get to perform a manual package database consistency check."
fi fi
fi fi
# #
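Review bot: the suggestion text "Run apt-get to perform a manual package database consistency check" names the wrong command; the test that failed (per the warning on the line above it) is `apt-get check`, so the suggestion should say "Run apt-get check ..." so an operator can reproduce the failure directly.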
@ -1055,7 +1062,8 @@
# #
# Test : PKGS-7392 # Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages # Description : Check Debian/Ubuntu vulnerable packages
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Note : Skip for zypper-based systems
if [ -x ${ROOTDIR}usr/bin/apt-get -a -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates" Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0 VULNERABLE_PACKAGES_FOUND=0
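Review bot: using `-z "${ZYPPERBINARY}"` as the skip condition makes the presence of a zypper binary a proxy for "not a Debian/Ubuntu system", which is the wrong signal in both directions: a Debian host with zypper installed silently loses this security-update check, and the test still keys on `/usr/bin/apt-get` merely existing rather than being the active package manager. Since the description is "Check for Debian/Ubuntu security updates", gate on the package manager Lynis already identified (DPKGBINARY set, or the same LINUX_VERSION family used in PKGS-7388) instead of on zypper's absence.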
@ -1082,7 +1090,7 @@
# Check if we get the proper line back and amount of security patches available # Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line" LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result" ReportSuggestion "${TEST_NO}" "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result" ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
else else
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
@ -1102,7 +1110,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name # Show packages which would be upgraded and match 'security' in repository name
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u) FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1 SCAN_PERFORMED=1
LogText "Result: found vulnerable package(s) via apt-get (-security channel)" LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
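Review bot: `${GREPBINARY} '-security'` passes a pattern that starts with a dash, which grep parses as options (`-s` plus `-e curity`), so this pipeline only works by accident because "curity" happens to match the "-security" suites; it would also match any unrelated line containing "curity". Write it as `${GREPBINARY} -e '-security'` (or `-- '-security'`) so the intent is explicit and the behaviour does not depend on option parsing. The `2> /dev/null` on apt-get also hides a failed dry run, which then looks identical to "no security updates".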
@ -1115,8 +1123,8 @@
fi fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then if [ ${SCAN_PERFORMED} -eq 1 ]; then
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades" ReportSuggestion "${TEST_NO}" "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
else else
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
@ -1175,7 +1183,7 @@
fi fi
else else
LogText "Result: glsa-check tool not found" LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks." ReportSuggestion "${TEST_NO}" "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi fi
fi fi
# #
@ -1207,7 +1215,7 @@
else else
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found" LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes" ReportSuggestion "${TEST_NO}" "Install package apt-show-versions for patch management purposes"
fi fi
fi fi
@ -1221,7 +1229,7 @@
LogText "Test: checking for package audit tool" LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages" ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found" LogText "Result: no package audit tool found"
else else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
@ -1247,31 +1255,119 @@
Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages" Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0 KERNELS=0
if [ ! -z "${RPMBINARY}" ]; then TESTED=0
LogText "Test: Checking how many kernel packages are installed" LogText "Test: Checking how many kernel packages are installed"
if [ "${DPKGBINARY}" ]; then
TESTED=1
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove"
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
if [ "${RPMBINARY}" ]; then
TESTED=1
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l) KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else else
LogText "Result: found ${KERNELS} on the system, which is fine" LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
AddHP 1 1
fi fi
fi fi
if [ "${ZYPPERBINARY}" ]; then
TESTED=1
KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from zypper output, which is unexpected."
ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
elif [ ${KERNELS} -gt 3 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
fi
Report "installed_kernel_packages=${KERNELS}"
fi fi
# #
################################################################################# #################################################################################
# #
# Test : PKGS-7420
# Description : Detect toolkit to automatically download and apply upgrades
Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
UNATTENDED_UPGRADES_TOOLKIT=0
UNATTENDED_UPGRADES_TOOL=""
UNATTENDED_UPGRADES_OPTION_AVAILABLE=0
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi case "${OS}" in
"Linux")
case "${LINUX_VERSION}" in
"CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu")
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" # Test available tools for Linux
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" if [ -f "${ROOTDIR}bin/auter" ]; then
UNATTENDED_UPGRADES_TOOL="auter"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
UNATTENDED_UPGRADES_TOOL="yum-cron"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
UNATTENDED_UPGRADES_TOOL="dnf-automatic"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
;;
esac
;;
esac
if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then
AddHP 5 5
Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
else
AddHP 1 5
Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no toolkit for automatic updates discovered"
ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
fi
fi
Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}"
fi
#
#################################################################################
#
WaitForKeyPress WaitForKeyPress
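Review bot: in the zypper branch the threshold is `-gt 3` while the log line says "found more than 5 kernel packages", so the message and the condition disagree; align one with the other (the dpkg and rpm branches use 5). The three branches are also not mutually exclusive and each overwrites KERNELS: `rpm -q kernel` on a host where no such package exists prints "package kernel is not installed" to stdout, so on a dpkg system that merely has rpm installed the dpkg count is replaced by 1. Guard the rpm count with the command's exit status (`if ${RPMBINARY} -q kernel > /dev/null 2>&1; then ...`) or stop after the first package manager that matches, and use PKGS-7410 rather than "KRNL-5840" in the ReportException identifiers so the exception is attributed to this test. In PKGS-7420, `AddHP 5 5` is awarded because a binary such as `${ROOTDIR}usr/bin/unattended-upgrade` exists, not because automatic upgrades are configured or scheduled; the suggestion "Consider using a tool to automatically apply upgrades" is then never shown on a host where the tool is installed but disabled, so a check of the corresponding timer, cron entry or configuration is needed before giving full points.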
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -55,7 +55,7 @@
LogText "Result: chkprintcap did NOT gave any warnings" LogText "Result: chkprintcap did NOT gave any warnings"
else else
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file" ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
LogText "Output from chkprintcap: ${FIND}" LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file" LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
fi fi
@ -69,8 +69,7 @@
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status" Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status" LogText "Test: Checking cupsd status"
IsRunning cupsd if IsRunning "cupsd"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: cups daemon running" LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups" CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
@ -118,49 +117,60 @@
LogText "Test: Checking CUPS configuration file permissions" LogText "Test: Checking CUPS configuration file permissions"
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10) FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then case "${FIND}" in
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN r[w-]-[r-][w-]---- )
AddHP 1 1 Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
else AddHP 1 1
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED ;;
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict." * )
AddHP 1 2 Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
fi ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
AddHP 1 2
;;
esac
fi fi
# #
################################################################################# #################################################################################
# #
# Test : PRNT-2308 # Test : PRNT-2308
# Description : Check CUPS daemon network configuration # Description : Check CUPS daemon network configuration
# Notes : Listen and SSLListen can be used
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration" Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# Checking network addresses # Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses" LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
COUNT=0 COUNT=0
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
LogText "Found network address: ${ITEM}" LogText "Result: found network address: ${ITEM}"
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
FOUND=1 FOUND=1
done done
# Check if daemon is only running on localhost # Search for Port statement
FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
FOUND=1
fi
# Check if daemon might be running on localhost
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file" LogText "Result: CUPS does not look to be listening on a network port"
elif [ ${COUNT} -eq 1 ]; then elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost" LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2 AddHP 2 2
else else
LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)" LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network" ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2 AddHP 1 2
fi fi
else else
LogText "Result: CUPS daemon is running on several network addresses" LogText "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses" ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2 AddHP 1 2
fi fi
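Review bot: the new `Port 631` search reuses FIND (`FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})`), which clobbers the list of Listen addresses collected just above it; the later comparison `"${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631"` therefore compares against the Port grep output and can never match, so a CUPS instance bound only to localhost is now reported as "running on one or more interfaces" with `AddHP 1 2`. Store the Port result in its own variable (e.g. PORT_FIND) and leave FIND for the Listen addresses. While here: `^Port 631` also matches `Port 6310`, and `[::1]:631` is not recognised as loopback in the localhost test.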
@ -188,8 +198,7 @@
Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status" Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking lpd status" LogText "Test: Checking lpd status"
IsRunning lpd if IsRunning "lpd"; then
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: lp daemon running" LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp" LPD_RUNNING=1; PRINTING_DAEMON="lp"
@ -211,7 +220,7 @@
FileIsReadable ${QDAEMON_CONFIG_FILE} FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
QDAEMON_CONFIG_ENABLED=1 QDAEMON_CONFIG_ENABLED=1
@ -231,8 +240,7 @@
Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status" Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking qdaemon status" LogText "Test: Checking qdaemon status"
IsRunning qdaemon if IsRunning "qdaemon"; then
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: qdaemon daemon running" LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon" QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
@ -240,7 +248,7 @@
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running" LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs" ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
else else
LogText "Result: qdaemon daemon not running" LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
@ -267,7 +275,7 @@
done done
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir" LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed" ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed" LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else else
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir" LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
@ -279,7 +287,7 @@
################################################################################# #################################################################################
# #
if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi if [ -n "${PRINTING_DAEMON}" ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
WaitForKeyPress WaitForKeyPress
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -38,7 +38,6 @@
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )") FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found" LogText "Result: no cron daemon found"
AddHP 3 3
else else
LogText "Result: cron daemon running" LogText "Result: cron daemon running"
CROND_RUNNING=1 CROND_RUNNING=1
@ -61,6 +60,7 @@
CRONTAB_FILE="${ROOTDIR}etc/crontab" CRONTAB_FILE="${ROOTDIR}etc/crontab"
if [ -f ${CRONTAB_FILE} ]; then if [ -f ${CRONTAB_FILE} ]; then
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE} FindCronJob ${CRONTAB_FILE}
@ -85,6 +85,8 @@
for FILE in ${FIND}; do for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
FindCronJob ${FILE} FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do for K in ${sCRONJOBS}; do
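Review bot: the added detection greps the wrong file: `${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"` reads /etc/crontab but records LYNIS_CRONJOB as the file in the loop, so a `lynis` file in this directory is only reported when /etc/crontab also contains the string, and then with a misleading path; grep `${FILE}` here. Note also that the two permission/ownership checks in this loop log and report `${J}` although the loop variable is `${FILE}`, so the insecure-file warnings name a stale path from an earlier loop.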
@ -115,11 +117,13 @@
LogText "Result: no files found in ${I}" LogText "Result: no files found in ${I}"
else else
LogText "Result: found one or more files in ${I}. Analyzing files.." LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do for FILE in ${FIND}; do
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
LogText "Result: Found cronjob (${I}): ${J}" FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
Report "cronjob[]=${J}" if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
LogText "Result: Found cronjob (${I}): ${FILE}"
Report "cronjob[]=${FILE}"
done done
LogText "Result: done with analyzing files in ${I}" LogText "Result: done with analyzing files in ${I}"
fi fi
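Review bot: same defect as in the previous hunk: `${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"` tests the content of /etc/crontab rather than of `${FILE}`, so the cron.d/cron.daily file named "lynis" is attributed a match it may not contain and is missed when /etc/crontab does not have the string. The rename from J to FILE in this hunk is otherwise the fix the preceding loop still needs.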
@ -137,21 +141,23 @@
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
for I in ${FIND}; do for I in ${FIND}; do
if FileIsReadable ${I}; then if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I} FindCronJob ${I}
for J in ${sCRONJOBS}; do for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})" LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
Report "cronjob[]=${I}" Report "cronjob[]=${I}"
done done
fi fi
done done
else else
if [ -d /var/spool/cron ]; then if [ -d ${ROOTDIR}var/spool/cron ]; then
FIND=$(find /var/spool/cron -type f -print) FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
for I in ${FIND}; do for I in ${FIND}; do
if FileIsReadable ${I}; then if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I} FindCronJob ${I}
for J in ${sCRONJOBS}; do for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron): ${I} (${J})" LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
LogText "cronjob[]=${I}" LogText "cronjob[]=${I}"
done done
fi fi
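Review bot: the `else` branch still emits `LogText "cronjob[]=${I}"` where the `crontabs` branch directly above uses `Report "cronjob[]=${I}"`, so jobs found under `${ROOTDIR}var/spool/cron` never reach the report file. Two smaller consistency points in the same hunk: the first branch keeps the hard-coded `/var/spool/cron/crontabs` while this one was converted to `${ROOTDIR}`, and `FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)` uses a bare `find` instead of `${FINDBINARY}` (and lacks the `2> /dev/null` the sibling branch has).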
@ -164,7 +170,7 @@
if [ -f /etc/anacrontab ]; then if [ -f /etc/anacrontab ]; then
LogText "Test: checking anacrontab" LogText "Test: checking anacrontab"
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
if [ ! -z "${sANACRONJOBS}" ]; then if [ -n "${sANACRONJOBS}" ]; then
Report "scheduler[]=anacron" Report "scheduler[]=anacron"
for I in ${sANACRONJOBS}; do for I in ${sANACRONJOBS}; do
LogText "Found anacron job (/etc/anacrontab): ${I}" LogText "Found anacron job (/etc/anacrontab): ${I}"
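Review bot: `/etc/anacrontab` is still referenced without the `${ROOTDIR}` prefix, while the spool directory in the previous hunk was converted to `${ROOTDIR}var/spool/cron`; for consistency with the rest of the patch, the `-f` test, the `egrep` and the log text should use `${ROOTDIR}etc/anacrontab`.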
@ -177,12 +183,12 @@
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED
else else
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN
fi fi
fi fi
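Review bot: the three `Display` lines are meant to be identical apart from status and colour, but the first branch now reads "Checking crontab and cronjobs files" while the other two read "Checking crontab and cronjob files"; drop the extra "s" so the same test name is shown regardless of outcome.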
@ -195,7 +201,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking atd status" LogText "Test: Checking atd status"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep") FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: at daemon active" LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
ATD_RUNNING=1 ATD_RUNNING=1
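Review bot: this hunk keeps the `ps ax | grep "/atd" | grep -v grep` pattern even though the rest of the patch converts process detection to `if IsRunning "name"; then`; using `IsRunning "atd"` here would make the atd check consistent with the snmpd, sshd, timeoutd and autolog changes.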
@ -298,6 +304,12 @@
################################################################################# #################################################################################
# #
if [ -z "${LYNIS_CRONJOB}" ]; then
LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)"
else
LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})"
fi
WaitForKeyPress WaitForKeyPress
# #
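Review bot: the scheduled-execution result is only written with `LogText`; since `LYNIS_CRONJOB` is now collected in several places, consider also emitting it with `Report` (for example `Report "lynis_scheduled_run=${LYNIS_CRONJOB}"`, name to be chosen) so the finding is available in the report file and not only in the log. Also make sure `LYNIS_CRONJOB` is initialised to an empty string at the top of this tests file if that is not already the case, otherwise a value inherited from the environment would produce a false "found scheduled Lynis execution".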

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -31,9 +31,10 @@
# Files (interactive login shells): /etc/profile $HOME/.bash_profile # Files (interactive login shells): /etc/profile $HOME/.bash_profile
# $HOME/.bash_login $HOME/.profile # $HOME/.bash_login $HOME/.profile
# Files (interactive non-login shells): $HOME/.bash_rc # Files (interactive non-login shells): $HOME/.bash_rc
#
# csh/tcsh # csh/tcsh
# Files: /etc/csh.cshrc /etc/csh.login # Files: /etc/csh.cshrc /etc/csh.login
#
# zsh # zsh
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
@ -60,7 +61,7 @@
LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!" LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
LogText "Output ${ROOTDIR}etc/ttys:" LogText "Output ${ROOTDIR}etc/ttys:"
LogText "${FIND}" LogText "${FIND}"
ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys" ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
LogText "Possible solution: Change the console line from 'secure' to 'insecure'." LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
fi fi
fi fi
@ -68,8 +69,8 @@
################################################################################# #################################################################################
# #
# Test : SHLL-6211 # Test : SHLL-6211
# Description : which shells are available according /etc/shells # Description : Determine available shell according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells" Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for ${ROOTDIR}etc/shells" LogText "Test: Searching for ${ROOTDIR}etc/shells"
if [ -f ${ROOTDIR}etc/shells ]; then if [ -f ${ROOTDIR}etc/shells ]; then
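Review bot: the new description comment "Determine available shell according /etc/shells" should read "Determine available shells according to /etc/shells" (plural, and "according to"); the `--description` string itself is fine.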
@ -98,25 +99,23 @@
################################################################################# #################################################################################
# #
# Test : SHLL-6220 # Test : SHLL-6220
# Description : check for idle session killing tools or settings # Description : Check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells" Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IDLE_TIMEOUT_METHOD="" IDLE_TIMEOUT_METHOD=""
IDLE_TIMEOUT_READONLY="" IDLE_TIMEOUT_READONLY=""
LogText "Test: Search for session timeout tools or settings in shell" LogText "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd if IsRunning "timeoutd"; then
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1 IDLE_TIMEOUT=1
LogText "Result: found timeoutd process to kill idle sesions" LogText "Result: found timeoutd process to kill idle sessions"
IDLE_TIMEOUT_METHOD="timeout-daemon" IDLE_TIMEOUT_METHOD="timeout-daemon"
fi fi
IsRunning autolog if IsRunning "autolog"; then
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1 IDLE_TIMEOUT=1
LogText "Result: found autolog process to kill idle sesions" LogText "Result: found autolog process to kill idle sessions"
Report="session_timeout_method[]=autolog" Report "session_timeout_method[]=autolog"
IDLE_TIMEOUT_METHOD="autolog" IDLE_TIMEOUT_METHOD="autolog"
fi fi
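Review bot: fixing `Report=` to `Report "session_timeout_method[]=autolog"` means the autolog branch now reports that key directly, and then `IDLE_TIMEOUT_METHOD="autolog"` is reported a second time by the `Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"` block later in this file, so the report gets a duplicate entry. The timeoutd branch has no direct `Report` call at all, which suggests the intended design is to report only via `IDLE_TIMEOUT_METHOD`; suggest removing the direct `Report` line in the autolog branch.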
@ -125,7 +124,7 @@
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset) # Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1 N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
@ -142,7 +141,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile" LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
fi fi
if [ ! -z "${FIND2}" ]; then if [ -n "${FIND2}" ]; then
N=0; N=0;
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Output: ${I}" LogText "Output: ${I}"
@ -166,12 +165,12 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then if [ -d ${ROOTDIR}etc/profile.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
# Determine if we can find a TMOUT value # Determine if we can find a TMOUT value
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset) # Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1 N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
@ -188,7 +187,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh" LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
fi fi
# Check for readonly # Check for readonly
if [ ! -z "${FIND2}" ]; then if [ -n "${FIND2}" ]; then
N=0; N=0;
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Output: ${I}" LogText "Output: ${I}"
@ -211,10 +210,10 @@
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system" LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
fi fi
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}" Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
fi fi
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}" Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
fi fi
@ -283,4 +282,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com # Lynis - Copyright 2007-2020, CISOfy - http://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -35,9 +35,7 @@
Register --test-no SNMP-3302 --weight L --network NO --category security --description "Check for running SNMP daemon" Register --test-no SNMP-3302 --weight L --network NO --category security --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a SNMP daemon" LogText "Test: Searching for a SNMP daemon"
# Check running processes if IsRunning "snmpd"; then
IsRunning snmpd
if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1 SNMP_DAEMON_RUNNING=1
LogText "Result: SNMP daemon is running" LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
@ -74,7 +72,7 @@
# #
# Test : SNMP-3306 # Test : SNMP-3306
# Description : Determine SNMP communities # Description : Determine SNMP communities
if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities" Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
WARN=0 WARN=0
@ -95,7 +93,7 @@
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found easy guessable SNMP community string" ReportWarning "${TEST_NO}" "Found easy guessable SNMP community string"
fi fi
fi fi
# #
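Review bot: while this line is being touched for quoting, the warning text "Found easy guessable SNMP community string" should read "Found easily guessable SNMP community string".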
@ -106,4 +104,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -43,7 +43,7 @@
FOUND=0 FOUND=0
# Check running processes # Check running processes
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
SQUID_DAEMON_RUNNING=1 SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running" LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
@ -86,10 +86,10 @@
# #
# Test : SQD-3606 # Test : SQD-3606
# Description : Check Squid version # Description : Check Squid version
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SQUIDBINARY}" ]; then if [ -n "${SQUIDBINARY}" ]; then
LogText "Result: Squid binary found (${SQUIDBINARY})" LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found # Skip check if a setuid/setgid bit is found
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print) FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
@ -110,8 +110,8 @@
# #
# Test : SQD-3610 # Test : SQD-3610
# Description : Check Squid configuration options # Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g') FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
@ -126,17 +126,17 @@
################################################################################# #################################################################################
# #
# Test : SQD-3613 # Test : SQD-3613
# Description : Check Squid configuration options # Description : Check Squid configuration file permissions
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2 AddHP 0 2
else else
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
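Review bot: the world-accessible configuration file branch emits both a `ReportSuggestion` and a `ReportWarning` for the same finding, so the user sees it twice; since a warning is raised and points are deducted with `AddHP 0 2`, the suggestion line looks redundant. While this hunk is open, `FIND=$(find ${SQUID_DAEMON_CONFIG} ...)` should use `${FINDBINARY}` like the other tests in this file.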
@ -147,7 +147,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid access control" Display --indent 4 --text "- Checking Squid access control"
fi fi
# #
@ -155,7 +155,7 @@
# #
# Test : SQD-3614 # Test : SQD-3614
# Description : Check Squid authentication # Description : Check Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods" LogText "Test: check auth_param option for authentication methods"
@ -176,7 +176,7 @@
# #
# Test : SQD-3616 # Test : SQD-3616
# Description : Check external Squid authentication # Description : Check external Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers" LogText "Test: check external_acl_type option for external authentication helpers"
@ -222,7 +222,7 @@
################################################################################# #################################################################################
# #
# Test : SQD-3624 # Test : SQD-3624
# Description : Check unsecure ports in Safe_ports list # Description : Check insecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports" Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
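Review bot: the prerequisite test for SQD-3624 still uses `! "${SQUID_DAEMON_CONFIG}" = ""` whereas every other SQD test in this patch was converted to `-n "${SQUID_DAEMON_CONFIG}"`; convert this one as well so the prerequisite lines are uniform.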
@ -231,13 +231,13 @@
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
LogText "Result: no Safe_ports found" LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
else else
LogText "Result: checking ACL safe ports" LogText "Result: checking ACL safe ports"
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }') FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if IsEmpty "${FIND2}"; then if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1 AddHP 0 1
else else
LogText "Result: Safe_ports found" LogText "Result: Safe_ports found"
@ -256,7 +256,7 @@
AddHP 1 1 AddHP 1 1
else else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}" ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
AddHP 0 1 AddHP 0 1
fi fi
done done
@ -265,7 +265,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options" Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi fi
# #
@ -273,7 +273,7 @@
# #
# Test : SQD-3630 [T] # Test : SQD-3630 [T]
# Description : Check reply_body_max_size value # Description : Check reply_body_max_size value
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option" Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking option reply_body_max_size" LogText "Test: checking option reply_body_max_size"
@ -282,7 +282,7 @@
LogText "Result: option reply_body_max_size not configured" LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2 AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests." ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
else else
LogText "Result: option reply_body_max_size configured" LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -293,7 +293,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid general options" Display --indent 4 --text "- Checking Squid general options"
fi fi
# #
@ -301,7 +301,7 @@
# #
# Test : SQD-3680 # Test : SQD-3680
# Description : Check httpd_suppress_version_string # Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression" Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on") FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
@ -309,7 +309,7 @@
LogText "Result: option httpd_suppress_version_string not configured" LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2 AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else else
LogText "Result: option httpd_suppress_version_string configured" LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -325,4 +325,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -27,6 +27,7 @@
SSH_DAEMON_PORT="" SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0 SSH_DAEMON_RUNNING=0
SSH_DAEMON_OPTIONS_FILE="" SSH_DAEMON_OPTIONS_FILE=""
OPENSSHD_RUNNING=0
OPENSSHD_VERSION=0 OPENSSHD_VERSION=0
OPENSSHD_VERSION_MAJOR=0 OPENSSHD_VERSION_MAJOR=0
OPENSSHD_VERSION_MINOR=0 OPENSSHD_VERSION_MINOR=0
@ -42,8 +43,8 @@
Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon" Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a SSH daemon" LogText "Test: Searching for a SSH daemon"
IsRunning sshd if IsRunning "sshd"; then
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then OPENSSHD_RUNNING=1
SSH_DAEMON_RUNNING=1 SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# Store settings in a temporary file # Store settings in a temporary file
@ -51,6 +52,9 @@
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}" SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
# Use a non-existing user, to ensure that systems that have a Match block configured, will be evaluated as well # Use a non-existing user, to ensure that systems that have a Match block configured, will be evaluated as well
${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE} ${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
elif PortIsListening "TCP" 22; then
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
SSH_DAEMON_RUNNING=1
else else
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
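Review bot: the `elif PortIsListening "TCP" 22` fallback sets SSH_DAEMON_RUNNING but deliberately leaves OPENSSHD_RUNNING and SSH_DAEMON_OPTIONS_FILE empty, which is consistent with the later tests now gating on OPENSSHD_RUNNING; a LogText line saying that a listener was found on 22 without a matching sshd process would make the skipped OpenSSH tests explainable in the log. The Display call in that branch sits before the assignment, unlike the first branch; order them the same way for readability.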
@ -60,7 +64,7 @@
# #
# Test : SSH-7404 # Test : SSH-7404
# Description : Determine SSH daemon configuration file location # Description : Determine SSH daemon configuration file location
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${OPENSSHD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location" Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
@ -95,15 +99,15 @@
# #
# Test : SSH-7406 # Test : SSH-7406
# Description : Check OpenSSH version # Description : Check OpenSSH version
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${OPENSSHD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version" Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',') OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}" LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
if [ ! -z ${OPENSSHD_VERSION} ]; then if [ -n "${OPENSSHD_VERSION}" ]; then
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}') OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}" LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}') OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}" LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
fi fi
fi fi
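Review bot: the awk filter `$4~OpenSSH_` on the OPENSSHD_VERSION line compares against the awk variable OpenSSH_, which is never set and therefore an empty string, so the match succeeds for every field and the filter is a no-op; if it is meant to be selective, write it as a regex literal, `$4 ~ /OpenSSH_/`. The new `${OPENSSHD_VERSION%%p*}` correctly drops the patch level (8.2p1 becomes 8.2) and the `[:cntrl:]` addition to tr removes a trailing carriage return some builds emit. Keep in mind that `sshd -t -d` needs a parseable config and readable host keys; when it fails, OPENSSHD_VERSION stays empty and major/minor remain at their initial 0, which the version gate added to SSH-7408 in the next hunk then reads as "too old" rather than "unknown".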
@ -113,7 +117,7 @@
# Test : SSH-7408 # Test : SSH-7408
# Description : Check SSH specific defined options # Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself # Notes : Instead of parsing the configuration file, we query the SSH daemon itself
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options" Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}" LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
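Review bot: the new version gate in the PREQS_MET line combines -a, -o and escaped parentheses inside a single `[ ]`, a form POSIX marks obsolescent, and it fails with an integer-expression error when OPENSSHD_VERSION_MINOR ends up empty (a version string without a dot leaves awk's `$2` blank). Prefer separate tests joined with && and ||, the style this same changeset uses in the STRG-1846 hunk, for example `[ "${OPENSSHD_VERSION_MAJOR}" -gt 5 ] || { [ "${OPENSSHD_VERSION_MAJOR}" -eq 5 ] && [ "${OPENSSHD_VERSION_MINOR}" -ge 1 ]; }`. The 5.1 threshold itself is right: `sshd -T` first appeared in that release.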
@ -137,9 +141,9 @@
IgnoreRhosts:YES,,NO:=\ IgnoreRhosts:YES,,NO:=\
LoginGraceTime:120,240,480:<\ LoginGraceTime:120,240,480:<\
LogLevel:VERBOSE,INFO,:=\ LogLevel:VERBOSE,INFO,:=\
MaxAuthTries:2,4,6:<\ MaxAuthTries:3,6,999:<\
MaxSessions:2,4,8:<\ MaxSessions:2,4,8:<\
PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\ PermitRootLogin:(FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\
PermitUserEnvironment:NO,,YES:=\ PermitUserEnvironment:NO,,YES:=\
PermitTunnel:NO,,YES:=\ PermitTunnel:NO,,YES:=\
Port:,,22:!\ Port:,,22:!\
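Review bot: the MaxAuthTries thresholds moving from 2,4,6 to 3,6,999 relax the scoring of this option for every existing user, so the change needs a changelog entry and ideally a short note in the test's comment block explaining why 999 is the weak marker. Adding FORCED-COMMANDS-ONLY to the PermitRootLogin good list is fine: it is the older spelling OpenSSH accepts alongside prohibit-password and without-password, and `sshd -T` reports it lower-case, which the toupper() in the lookup handles.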
@ -147,7 +151,6 @@
StrictModes:YES,,NO:=\ StrictModes:YES,,NO:=\
TCPKeepAlive:NO,,YES:=\ TCPKeepAlive:NO,,YES:=\
UseDNS:NO,,YES:=\ UseDNS:NO,,YES:=\
VerifyReverseMapping:YES,,NO:=\
X11Forwarding:NO,,YES:=\ X11Forwarding:NO,,YES:=\
AllowAgentForwarding:NO,,YES:=" AllowAgentForwarding:NO,,YES:="
@ -185,7 +188,7 @@
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1) FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}" LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! -z "${FOUNDVALUE}" ]; then if [ -n "${FOUNDVALUE}" ]; then
LogText "Result: Option ${OPTIONNAME} found" LogText "Result: Option ${OPTIONNAME} found"
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}" LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
@ -197,7 +200,7 @@
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK" RESULT="WEAK"
else else
if [ ! -z "${EXPECTEDVALUE}" ]; then if [ -n "${EXPECTEDVALUE}" ]; then
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})" LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}") FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -207,7 +210,7 @@
LogText "Result: not found" LogText "Result: not found"
fi fi
fi fi
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then if [ -n "${MEDIUMSCOREDVALUE}" ]; then
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})" LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}") FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -258,31 +261,31 @@
fi fi
if [ "${RESULT}" = "GOOD" ]; then if [ "${RESULT}" = "GOOD" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured very well" LogText "Result: OpenSSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably" LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 3 AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed" LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 3 AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then elif [ "${RESULT}" = "UNKNOWN" ]; then
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)" LogText "Result: Value of OpenSSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|" Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else else
LogText "Result: Option ${OPTIONNAME} not found in output" LogText "Result: Option ${OPTIONNAME} not found in output"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
fi fi
done done
fi fi
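Review bot: the Report line in the UNKNOWN branch, `unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|`, is missing the opening brace of `${SSH_DAEMON_CONFIG}`, so the report field receives the variable's value followed by a literal `}`; the neighbouring lines are being edited in this hunk, so fix it here. The new suggestion wording "set X to Y" is clearer than the arrow form it replaces.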
@ -290,32 +293,32 @@
################################################################################# #################################################################################
# #
# Test : SSH-7440 # Test : SSH-7440
# Description : AllowUsers / AllowGroups # Description : OpenSSH - AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system # Goal : Check if only a specific amount of users/groups can log in to the system
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups" Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# AllowUsers # AllowUsers
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set, with value ${FIND}" LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
FOUND=1 FOUND=1
else else
LogText "Result: AllowUsers is not set" LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
# AllowGroups # AllowGroups
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}" LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1 FOUND=1
else else
LogText "Result: AllowGroups is not set" LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
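Review bot: the log line in the AllowGroups branch still reads `LogText "Result: AllowUsers set ${FIND}"`, a copy-paste leftover that makes the log misleading when only AllowGroups is configured; since the Display line right below it is being changed, correct the LogText to AllowGroups in the same hunk.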
@ -331,6 +334,7 @@
# #
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}" Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
Report "openssh_daemon_running=${OPENSSHD_RUNNING}"
WaitForKeyPress WaitForKeyPress
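Review bot: the new `openssh_daemon_running` report key should be listed in the report field documentation next to `ssh_daemon_running`, with a sentence on the difference (process-name match versus a listener on port 22), otherwise consumers of the report will not know which one to rely on.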

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -30,17 +30,17 @@
# #
# Test : STRG-1846 # Test : STRG-1846
# Description : Check for disabled firewire storage # Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually # Explanation : Best option is to use the install function, otherwise drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --category security --description "Check if firewire storage is disabled" Register --test-no STRG-1846 --os Linux --weight L --network NO --category security --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d ${ROOTDIR}etc/modprobe.d ]; then if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1 FOUND=1
LogText "Result: found firewire ohci driver in disabled state" LogText "Result: found firewire ohci driver in disabled state"
fi fi
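Review bot: the `${GREPBINARY} -v "#"` filter on the FIND1 and FIND2 lines drops any line containing a `#` anywhere, so a valid `blacklist firewire-core # disabled by policy` entry is discarded and the test reports NOT DISABLED; filter only leading comment markers, e.g. `${GREPBINARY} -v "^[[:space:]]*#"`. The quoting of `${ROOTDIR}etc/modprobe.d` in the -d test and the split into two `[ -n ]` tests joined by || are the right fixes.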
@ -48,10 +48,10 @@
LogText "Result: skipping ${ROOTDIR}etc/modprobe.d, directory found but no files in it" LogText "Result: skipping ${ROOTDIR}etc/modprobe.d, directory found but no files in it"
fi fi
fi fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#") FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1 FOUND=1
LogText "Result: found firewire ohci driver in disabled state" LogText "Result: found firewire ohci driver in disabled state"
fi fi
@ -60,7 +60,7 @@
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: firewire ohci driver is not explicitly disabled" LogText "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft" ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3 AddHP 2 3
else else
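Review bot: the advice in the comment after the ReportSuggestion line ("after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u") is exactly what the administrator needs and is currently invisible to them; consider folding it into the suggestion text, since a blacklist entry alone does not take effect for modules already packed into the initramfs.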
@ -77,4 +77,4 @@ WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, CISOfy, Michael Boelen - https://cisofy.com # Lynis - Copyright 2007-2020, CISOfy, Michael Boelen - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -33,7 +33,7 @@
# #
# Test : STRG-1902 # Test : STRG-1902
# Description : Check rpcinfo # Description : Check rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs" Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs" LogText "Test: Checking rpcinfo registered programs"
@ -48,7 +48,7 @@
# #
# Test : STRG-1904 # Test : STRG-1904
# Description : Check nfs versions in rpcinfo # Description : Check nfs versions in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions" LogText "Test: Checking NFS registered versions"
@ -63,7 +63,7 @@
# #
# Test : STRG-1906 # Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols" LogText "Test: Checking NFS registered protocols"
@ -123,7 +123,7 @@
if [ -f ${ROOTDIR}etc/exports ]; then if [ -f ${ROOTDIR}etc/exports ]; then
LogText "Result: ${ROOTDIR}etc/exports exists" LogText "Result: ${ROOTDIR}etc/exports exists"
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g') FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for I in ${FIND}; do for I in ${FIND}; do
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}" LogText "Found line: ${I}"
@ -149,7 +149,7 @@
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems" LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system" ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi fi
fi fi
# #
@ -161,10 +161,10 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*") sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
if [ ! -z "${sFIND}" ]; then if [ -n "${sFIND}" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports" LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports" ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3 AddHP 2 3
else else
LogText "Result: only some clients are allowed to access a NFS share" LogText "Result: only some clients are allowed to access a NFS share"

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -31,7 +31,7 @@
################################################################################# #################################################################################
# #
if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
Register --test-no SINT-7010 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status" Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if ${ROOTDIR}usr/bin/csrutil status | ${GREPBINARY} -sq enabled ; then if ${ROOTDIR}usr/bin/csrutil status | ${GREPBINARY} -sq enabled ; then
Display --indent 2 --text "- System Integrity Protection (status)" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- System Integrity Protection (status)" --result "${STATUS_OK}" --color GREEN
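Review bot: the prerequisite test uses `${ROOTDIR}/usr/bin/csrutil` (leading slash, giving `//usr/bin/csrutil` when ROOTDIR ends in a slash) while the status call two lines later uses `${ROOTDIR}usr/bin/csrutil`; use the latter form in both places. The skip reason also spells the tool "CSrutil". Adding `--os MacOS` is the right gate for a csrutil-based check.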
@ -51,4 +51,4 @@
WaitForKeyPress WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -36,6 +36,7 @@
NTP_CONFIG_TYPE_EVENTBASED=0 NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0 NTP_CONFIG_TYPE_STARTUP=0
NTPD_RUNNING=0 # Specific for ntpd NTPD_RUNNING=0 # Specific for ntpd
OPENNTPD_COMMUNICATION=0 # if ntpctl can communicate
SYSTEMD_NTP_ENABLED=0 SYSTEMD_NTP_ENABLED=0
# #
################################################################################# #################################################################################
@ -62,9 +63,8 @@
for FILE in ${SEARCH_FILES}; do for FILE in ${SEARCH_FILES}; do
if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi
done done
if [ ! -z "${CHRONY_CONF_FILE}" ]; then if [ -n "${CHRONY_CONF_FILE}" ]; then
IsRunning chronyd if IsRunning "chronyd"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN
else else
@ -75,15 +75,41 @@
fi fi
# Check time daemon (eg DragonFly BSD) # Check time daemon (eg DragonFly BSD)
IsRunning dntpd if IsRunning "dntpd"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN
fi fi
# Check running processes # Check for OpenNTPD, ntpctl comes with a "regular" install
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep") if [ -n "${NTPCTLBINARY}" ]; then
if [ ! -z "${FIND}" ]; then # In contrast to timectl, "synchronised: yes" is not grepped.
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
# Status code 0 is when communication over the socket is successfull
if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
elif [ -n "${FIND}" ] ; then
# Reasons for ntpctl to fail might be someone spawned a new process thus overwriting the socket,
# then ended it, but another openntpd process is still running
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ps)"
else
LogText "result: running openntpd not found, but ntpctl is instaalled"
fi
if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
# Check running processes (ntpd from ntp.org)
# As checking by process name is ambigiouse (openntpd has the same process name),
# this check will be skipped if openntpd has been found.
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd" NTP_DAEMON="ntpd"
LogText "Result: found running NTP daemon in process list" LogText "Result: found running NTP daemon in process list"
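Review bot: the added comments and log text carry three typos ("successfull", "instaalled", "ambigiouse"), and the LogText in the fallback branch should read "installed". On the logic: `ntpctl -s status` returning 0 only proves the control socket answered, which is a sound presence check, but it fails when Lynis runs without the privileges to open the socket, so the process-title fallback on "ntpd: ntp engine" will be the common path on hardened hosts; the later `grep -v "ntpd: "` correctly keeps OpenNTPD's privilege-separated processes from being double-counted as ntp.org ntpd. OPENNTPD_COMMUNICATION is set here but nothing in this hunk reports it; either add a Report line or drop the variable.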
@ -91,77 +117,60 @@
fi fi
# Check time daemon (eg NetBSD) # Check time daemon (eg NetBSD)
IsRunning timed if IsRunning "timed"; then
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN
fi fi
# Check timedate daemon (systemd) # Check timedate daemon (systemd)
if [ ! -z "${TIMEDATECTL}" ]; then FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") if [ -n "${FIND}" ]; then
if [ ! -z "${FIND}" ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
# Check for systemd-timesyncd Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then LogText "Result: Found running systemd-timesyncd in process list"
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_NTP_ENABLED=1
else
LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
fi
else
LogText "Result: time sychronization not performed according timedatectl command"
fi
else
LogText "Result: timedatectl command not available on this system"
fi fi
# Check crontab for OpenBSD/FreeBSD # Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux # Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab" CRONTAB_FILES="/etc/anacrontab /etc/crontab"
# Regex for matching multiple time synchronisation binaries
# Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then if [ -f ${I} ]; then
LogText "Test: checking for ntpdate or rdate in crontab file ${I}" LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#') FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}" LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}" LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi fi
else else
LogText "Result: crontab file ${I} not found" LogText "Result: crontab file ${I} not found"
fi fi
done done
# Don't run check in cron job directory on Solaris # Notes: only test for normal files. File /etc/cron.d/FIFO on solaris is a special file and test may hang
# /etc/cron.d/FIFO is a special file and test get stuck at this file # Linux systems may have a .placeholder file
FOUND_IN_CRON=0 FOUND_IN_CRON=0
# Check cron jobs # Check cron jobs
for I in ${CRON_DIRS}; do for I in ${CRON_DIRS}; do
if [ -d ${I} ]; then for J in "${I}"/*; do # iterate over folders in a safe way
if FileIsReadable ${I}; then # Check: regular file, readable and not called .placeholder
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO) FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
if [ ! -z "${FIND}" ]; then if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
for J in ${FIND}; do LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
LogText "Test: checking for ntpdate or rdate in ${I}/${J}" FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#") if [ -n "${FIND}" ]; then
if [ ! -z "${FIND2}" ]; then FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
LogText "Positive match found: ${FIND2}" LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
done
else
LogText "Result: ${I} is empty, skipping search in directory"
fi fi
else
LogText "Result: could not search in directory due to permissions"
fi fi
fi done
done done
if [ ${FOUND_IN_CRON} -eq 1 ]; then if [ ${FOUND_IN_CRON} -eq 1 ]; then
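Review bot: the third alternative in the new CRONTAB_REGEX can never match what it is meant to match. In `CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'` the `-` sits outside the group, so `--adj` only matches a literal `---adj`; either move the dash into each alternative (`sntp.+(-s|-j|--adj)`) or write the last alternative as `-adj`. Two smaller points in the same hunk: `echo "${J}" | ${EGREPBINARY} '/.placeholder$'` uses an unescaped `.`, so any file whose name ends in `placeholder` with one arbitrary character before it is skipped too; `\.placeholder$` is what is intended. And the new `for J in "${I}"/*` loop silently drops the old "could not search in directory due to permissions" log line, so an unreadable cron directory now leaves no trace in the log; keep a LogText for the `! -r` case.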
@ -186,13 +195,13 @@
if [ -f /etc/rc.conf ]; then if [ -f /etc/rc.conf ]; then
LogText "Test: Checking if ntpdate is enabled at startup in *BSD" LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf) FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: ntpdate is enabled in rc.conf" LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1 FOUND=1
NTP_CONFIG_TYPE_STARTUP=1 NTP_CONFIG_TYPE_STARTUP=1
# Only show suggestion when ntpdate is enabled, however ntpd is not running # Only show suggestion when ntpdate is enabled, however ntpd is not running
if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon" ReportSuggestion "${TEST_NO}" "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
fi fi
else else
LogText "Result: ntpdate is not enabled in rc.conf" LogText "Result: ntpdate is not enabled in rc.conf"
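Review bot: only the quoting changed here, but the unchanged match `FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)` accepts that one exact spelling. rc.subr's checkyesno treats `yes`, `true`, `on` and `1` as enabled, case-insensitively and with or without quotes, so a host with `ntpdate_enable=yes` is reported as not enabled. A case-insensitive match such as `^ntpdate_enable="?(yes|true|on|1)"?` is closer to what the system actually does, and anchoring at `^` also stops a commented-out line from counting as enabled.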
@ -205,7 +214,7 @@
else else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a NTP daemon or client" LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues." ReportSuggestion "${TEST_NO}" "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -219,14 +228,14 @@
# #
# Test : TIME-3106 # Test : TIME-3106
# Description : Check status of systemd time synchronization # Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status" Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl" LogText "Test: Check the status of time synchronization via timedatectl"
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: time not synchronized via NTP" LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized" ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
fi fi
fi fi
# #
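Review bot: the prerequisite `if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]` still gates TIME-3106 on SYSTEMD_NTP_ENABLED, but the rewritten systemd block in TIME-3104 above no longer assigns that variable (the old `SYSTEMD_NTP_ENABLED=1` went away together with the timedatectl check). Unless it is set somewhere else, this test is now always skipped. Either set `SYSTEMD_NTP_ENABLED=1` where `NTP_DAEMON="systemd-timesyncd"` is assigned, or gate the test on `NTP_DAEMON` the way the new TIME-3185 does.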
@ -234,7 +243,7 @@
# #
# Test : TIME-3112 # Test : TIME-3112
# Description : Check for valid associations from ntpq peers list # Description : Check for valid associations from ntpq peers list
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's" Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for NTP association ID's from ntpq peers list" LogText "Test: Checking for NTP association ID's from ntpq peers list"
@ -244,7 +253,7 @@
LogText "Result: Found one or more association ID's" LogText "Result: Found one or more association ID's"
else else
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service." ReportSuggestion "${TEST_NO}" "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
fi fi
fi fi
# #
@ -252,7 +261,7 @@
# #
# Test : TIME-3116 # Test : TIME-3116
# Description : Check for stratum 16 peers # Description : Check for stratum 16 peers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16" Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0 COUNT=0
@ -279,7 +288,7 @@
else else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found ${COUNT} high stratum (16) peers)" LogText "Result: Found ${COUNT} high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers" ReportSuggestion "${TEST_NO}" "Check ntpq peers output for stratum 16 peers"
fi fi
fi fi
fi fi
@ -290,7 +299,7 @@
# Description : Check unreliable peers from peer list # Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance) # Notes : Items with # are too far away (network distance)
# Items with - are not chosen due clustering algorithm # Items with - are not chosen due clustering algorithm
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers" LogText "Test: Checking unreliable ntp peers"
@ -305,7 +314,7 @@
LogText "Unreliable peer: ${I}" LogText "Unreliable peer: ${I}"
Report "ntp_unreliable_peer[]=${I}" Report "ntp_unreliable_peer[]=${I}"
done done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them" ReportSuggestion "${TEST_NO}" "Check ntpq peers output for unreliable ntp peers and correct/replace them"
fi fi
fi fi
# #
@ -313,13 +322,13 @@
# #
# Test : TIME-3124 # Test : TIME-3124
# Description : Check selected time source # Description : Check selected time source
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source" Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking selected time source" LogText "Test: Checking selected time source"
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }') FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }') FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then if [ -z "${FIND}" -a -n "${FIND2}" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g') FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
LogText "Result: Found selected time source (value: ${FIND2})" LogText "Result: Found selected time source (value: ${FIND2})"
@ -327,7 +336,7 @@
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with." LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
LogText "Local source: ${FIND}" LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source" ReportSuggestion "${TEST_NO}" "Check ntpq peers output for selected time source"
fi fi
fi fi
# #
@ -335,7 +344,7 @@
# #
# Test : TIME-3128 # Test : TIME-3128
# Description : Check time source candidates # Description : Check time source candidates
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source" Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source" LogText "Test: Checking preferred time source"
@ -343,7 +352,7 @@
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: No other time source candidates found" LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates" ReportSuggestion "${TEST_NO}" "Check ntpq peers output for time source candidates"
else else
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found one or more candidates to synchronize time with." LogText "Result: Found one or more candidates to synchronize time with."
@ -358,7 +367,7 @@
# #
# Test : TIME-3132 # Test : TIME-3132
# Description : Check ntpq falsetickers # Description : Check ntpq falsetickers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source" LogText "Test: Checking preferred time source"
@ -374,7 +383,7 @@
LogText "Falseticker found: ${I}" LogText "Falseticker found: ${I}"
Report "ntp_falseticker[]=${I}" Report "ntp_falseticker[]=${I}"
done done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers" ReportSuggestion "${TEST_NO}" "Check ntpq peers output for falsetickers"
fi fi
fi fi
# #
@ -382,7 +391,7 @@
# #
# Test : TIME-3136 # Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux) # Description : Check ntpq reported ntp version (Linux)
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version" Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)" LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
@ -390,7 +399,7 @@
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No NTP version found" LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version" ReportSuggestion "${TEST_NO}" "Check ntpq output for NTP protocol version"
else else
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found NTP version ${FIND}" LogText "Result: Found NTP version ${FIND}"
@ -403,7 +412,7 @@
# Test : TIME-3146 # Test : TIME-3146
# Description : Check /etc/default/ntpdate (Linux) # Description : Check /etc/default/ntpdate (Linux)
# Notes : ntpdate-debian binary # Notes : ntpdate-debian binary
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate" #Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
# #
@ -428,7 +437,7 @@
# Description : Check empty NTP step-tickers # Description : Check empty NTP step-tickers
# Notes : Mostly applies to Red Hat and clones # Notes : Mostly applies to Red Hat and clones
FILE="${ROOTDIR}etc/ntp/step-tickers" FILE="${ROOTDIR}etc/ntp/step-tickers"
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${NTPD_RUNNING}" -eq 1 -a -n "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers" Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
@ -441,7 +450,7 @@
else else
LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers" LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker time synchronization" ReportSuggestion "${TEST_NO}" "Use step-tickers file for quicker time synchronization"
fi fi
else else
LogText "Result: ${FILE} is not empty, which is fine" LogText "Result: ${FILE} is not empty, which is fine"
@ -458,7 +467,7 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" ReportSuggestion "${TEST_NO}" "Some time servers missing in step-tickers file"
AddHP 3 4 AddHP 3 4
else else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN
@ -479,7 +488,8 @@
# Other should preferably have no access, or read-only at max # Other should preferably have no access, or read-only at max
FILE_ARRAY="${ROOTDIR}etc/chrony.conf ${ROOTDIR}usr/pkg/etc/chrony.conf \ FILE_ARRAY="${ROOTDIR}etc/chrony.conf ${ROOTDIR}usr/pkg/etc/chrony.conf \
${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf" ${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf\
${ROOTDIR}etc/ntpd.conf ${ROOTDIR}etc/openntpd/ntpd.conf ${ROOTDIR}usr/local/etc/ntpd.conf"
Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files" Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
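Review bot: the new continuation line `${ROOTDIR}usr/local/etc/ntp.conf\` has no space before the backslash, unlike the line above it (`${ROOTDIR}usr/pkg/etc/chrony.conf \`). Inside double quotes a backslash-newline is simply deleted, so the only thing separating `/usr/local/etc/ntp.conf` from `${ROOTDIR}etc/ntpd.conf` is the indentation of the following line; a future whitespace cleanup would fuse the two into one nonexistent path. Add the space before the backslash.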
@ -490,12 +500,104 @@
ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" "" ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
fi fi
Report "ntp_config_file[]=${FILE}" Report "ntp_config_file[]=${FILE}"
NTP_CONFIG_FOUND=1
fi fi
done done
fi fi
# #
################################################################################# #################################################################################
# #
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3180 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OPENNTPD_COMMUNICATION}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD found, but ntpctl cannot communicate with" "${NTPCTLBINARY} -s status" "Restart OpenNTPD"
fi
fi
#
#################################################################################
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3181 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} "clock synced" )
if [ -z "${FIND}" ]; then
ReportWarning "${TEST_NO}" "OpenNTPD is not synchronising system time" "${NTPCTLBINARY} -s status" "text:Set time manually once or check network connectivity."
fi
fi
#
#################################################################################
#
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
#
#################################################################################
#
# Test : TIME-3185
# Description : Check systemd-timesyncd synchronized time
if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e "${SYNCHRONIZED_FILE}" ]; then
FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
# Check if last sync was more than 2048 seconds (= the default of systemd) ago
if [ "${FIND}" -ge 2048 ]; then
COLOR=RED
ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
else
COLOR=GREEN
fi
Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
else
Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
fi
fi
unset SYNCHRONIZED_FILE
#
#################################################################################
#
Report "ntp_config_found=${NTP_CONFIG_FOUND}" Report "ntp_config_found=${NTP_CONFIG_FOUND}"
Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}" Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}" Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
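Review bot: TIME-3182 can abort with `integer expression expected`. `ntpctl -s status` prints, for example, `4/4 peers valid, 1/1 sensors valid, clock synced, stratum 2` when a sensor is configured, so `${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1` returns two lines and `[ "${FIND}" -eq 0 ]` fails; anchor the match on the peers field (`'[0-9]+/[0-9]+ peers'`) or keep only the first match. In TIME-3185, `SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"` ignores `${ROOTDIR}` while the rest of the file prefixes paths with it, and `$(date +%s)` calls a bare `date` on the same line that goes through `${STATBINARY}`; also fix the warning text `did not synchronized the time recently` to `did not synchronize`. Finally, the TIME-3180 warning `OpenNTPD found, but ntpctl cannot communicate with` is missing its object (`with the daemon`).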

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -54,7 +54,7 @@
# Ansible # Ansible
FOUND=0 FOUND=0
LIST="~/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible" LIST="${HOME}/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
for ITEM in ${LIST}; do if DirectoryExists ${ITEM}; then FOUND=1; break; fi; done for ITEM in ${LIST}; do if DirectoryExists ${ITEM}; then FOUND=1; break; fi; done
# Test for files (only if no match was found) # Test for files (only if no match was found)
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
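Review bot: changing `~/.ansible` to `${HOME}/.ansible` is the right fix (a tilde inside double quotes is not expanded, and neither is it in the later unquoted `${LIST}` expansion, so the old entry checked for a directory literally named `~/.ansible`), but if HOME is unset, as under some cron or sudo configurations, the entry degrades to `/.ansible`. Use `${HOME:-/root}/.ansible` or skip the entry when HOME is empty.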
@ -71,7 +71,7 @@
fi fi
# Cfengine # Cfengine
if [ ! -z "${CFAGENTBINARY}" ]; then if [ -n "${CFAGENTBINARY}" ]; then
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})" LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1 CFENGINE_AGENT_FOUND=1
@ -129,7 +129,7 @@
fi fi
fi fi
if [ ! -z "${PUPPETBINARY}" ]; then if [ -n "${PUPPETBINARY}" ]; then
LogText "Result: Puppet is installed (${PUPPETBINARY})" LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent" Report "automation_tool_running[]=puppet-agent"
@ -145,26 +145,36 @@
fi fi
# SaltStack # SaltStack
if [ ! -z "${SALTMINIONBINARY}" ]; then if [ -n "${SALTMINIONBINARY}" ]; then
Display --indent 4 --text "- SaltStack minion" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1 Report "automation_tool_installed[]=saltstack-minion"
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN if IsRunning "salt-minion" --user "root salt"; then
Display --indent 6 --text "- Minion process" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: found SaltStack (master)"
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
else
Display --indent 6 --text "- Minion process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi fi
if [ ! -z "${SALTMASTERBINARY}" ]; then
if [ -n "${SALTMASTERBINARY}" ]; then
Display --indent 4 --text "- SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1 Report "automation_tool_installed[]=saltstack-master"
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "- SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN if IsRunning "salt-master" --user "root salt"; then
else Display --indent 6 --text "- Master process" --result "${STATUS_RUNNING}" --color GREEN
if IsRunning "salt-master"; then
LogText "Result: found SaltStack (master)" LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1 SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master" Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "- SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN else
Display --indent 6 --text "- Master process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi fi
fi fi
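Review bot: copy-paste error in the minion branch: right after `if IsRunning "salt-minion" --user "root salt"; then` the log line reads `LogText "Result: found SaltStack (master)"`; it should say `(minion)`, otherwise lynis.log claims a master was found on every minion host. The rest of the hunk fixes a real bug (the old master branch reported `automation_tool_running[]=saltstack-minion` and set SALT_MASTER_RUNNING without checking the process), so only the log text needs a follow-up.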
@ -172,7 +182,7 @@
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management" ReportSuggestion "${TEST_NO}" "Determine if automation tools are present for system management"
fi fi
fi fi
# #
@ -188,7 +198,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Fail2ban presence # Fail2ban presence
if [ ! -z "${FAIL2BANBINARY}" ]; then if [ -n "${FAIL2BANBINARY}" ]; then
FAIL2BAN_FOUND=1 FAIL2BAN_FOUND=1
IDS_IPS_TOOL_FOUND=1 IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})" LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
@ -209,10 +219,10 @@
fi fi
# Continue if tooling is available and configuration file found # Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! -z "${FAIL2BAN_CONFIG}" ]; then if [ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]; then
Report "fail2ban_config=${FAIL2BAN_CONFIG}" Report "fail2ban_config=${FAIL2BAN_CONFIG}"
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ") FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
fi fi
fi fi
# #
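Review bot: the condition `[ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]` still uses the obsolescent `-a` operator while the `-n` change was being made; since the rest of this sync is moving to portable tests, prefer `[ ${FAIL2BAN_FOUND} -eq 1 ] && [ -n "${FAIL2BAN_CONFIG}" ]`. On the next line, `which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in "` relies on the non-portable error text of some `which` implementations; `command -v fail2ban-client 2> /dev/null` gives the same result without the grep.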
@ -224,7 +234,7 @@
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban" Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ') FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
for F2BSERVICE in ${FIND}; do for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled" LogText "Result: service '${F2BSERVICE}' enabled"
Report "fail2ban_enabled_service[]=${F2BSERVICE}" Report "fail2ban_enabled_service[]=${F2BSERVICE}"
@ -252,12 +262,12 @@
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
# #
# if [ ! -z "${FIND}" ]; then # if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1 # FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert" # LogText "Result: found at least one jail which sends an email alert"
# fi # fi
# #
# if [ ! -z "${FIND2}" ]; then # if [ -n "${FIND2}" ]; then
# FAIL2BAN_SILENT=1 # FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert" # LogText "Result: found at least one jail which does NOT send an email alert"
# fi # fi
@ -298,9 +308,9 @@
# #
# LogText "Checking for fail2ban iptables chains" # LogText "Checking for fail2ban iptables chains"
# #
# if [ ! -z "${IPTABLESBINARY}" ]; then # if [ -n "${IPTABLESBINARY}" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban) # CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! -z "${CHECK_CHAINS}" ]; then # if [ -n "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban" # LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN # Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else # else
@ -349,7 +359,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Continue if tooling is available and snort is running # Continue if tooling is available and snort is running
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then if [ -n "${SNORT_FOUND}" ] || [ -n "${SNORT_RUNNING}" ]; then
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1) SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
if HasData "${SNORT_CONFIG}"; then if HasData "${SNORT_CONFIG}"; then
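Review bot: quoting fixes `[ -n "${SNORT_FOUND}" ] || [ -n "${SNORT_RUNNING}" ]` syntactically, but the guard is still either redundant or insufficient: if the variables are initialised to `0` the `-n` test is always true, and if they are unset the inner `[ ${SNORT_FOUND} -eq 1 ]` expands to `[ -eq 1 ]` and errors out. Drop the outer `if` and compare with defaults instead, e.g. `if [ "${SNORT_FOUND:-0}" -eq 1 ] && [ "${SNORT_RUNNING:-0}" -eq 1 ]; then`.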
@ -365,17 +375,29 @@
# #
# Test : TOOL-5160 # Test : TOOL-5160
# Description : Check for OSSEC # Description : Check for OSSEC
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC analysis daemon" Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Server side
if IsRunning "ossec-analysisd"; then if IsRunning "ossec-analysisd"; then
IDS_IPS_TOOL_FOUND=1 IDS_IPS_TOOL_FOUND=1
LogText "Result: OSSEC analysis daemon is active"
Report "ids_ips_tooling[]=ossec" Report "ids_ips_tooling[]=ossec"
Display --indent 2 --text "- Checking presence of OSSEC" --result "${STATUS_FOUND}" --color GREEN Report "ids_ips_tooling[]=ossec-analysisd"
LogText "Result: OSSEC analysis daemon is active"
Display --indent 2 --text "- Checking presence of OSSEC (analysis)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: OSSEC analysis daemon not active" LogText "Result: OSSEC analysis daemon not active"
fi fi
# Client side
if IsRunning "ossec-agentd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=ossec"
Report "ids_ips_tooling[]=ossec-agentd"
LogText "Result: OSSEC agent daemon is active"
Display --indent 2 --text "- Checking presence of OSSEC (agent)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: OSSEC agent daemon not active"
fi
fi fi
# #
################################################################################# #################################################################################
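Review bot: the header comment still reads `# Test : TOOL-5160` while the `Register` line below it uses `TOOL-5126`; one of the two is wrong and should be aligned so that `skip-test` entries in profiles refer to the right ID. Also, when both `ossec-analysisd` and `ossec-agentd` are running (a common layout on a manager host), `Report "ids_ips_tooling[]=ossec"` is now emitted twice; either emit the generic `ossec` entry once after both checks, or keep only the daemon-specific `ossec-analysisd` / `ossec-agentd` entries.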
@ -390,7 +412,7 @@
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools" #ReportSuggestion "${TEST_NO}" "Install and configure automated intrusion detection/prevention tools"
AddHP 0 2 AddHP 0 2
fi fi
fi fi

View File

@ -39,24 +39,24 @@
# #
# Test to determine if USBGuard is installed. If it is, we will limit # Test to determine if USBGuard is installed. If it is, we will limit
# suggestions from other tests. # suggestions from other tests.
if [ ! -z "${USBGUARDBINARY}" ]; then if [ -n "${USBGUARDBINARY}" ]; then
USBGUARD_FOUND=1 USBGUARD_FOUND=1
fi fi
# #
################################################################################# #################################################################################
# #
# Test : STRG-1840 (future ID: USB-1200) # Test : USB-1000 (was STRG-1840)
# Description : Check for disabled USB storage # Description : Check for disabled USB storage
Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled" Register --test-no USB-1000 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1 FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)" LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi fi
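Review bot: renaming `STRG-1840` to `USB-1000` is a breaking change for existing profiles that skip or reference the old ID and for anything consuming `lynis-report.dat`; make sure the changelog and the test database record the old and new IDs. In the same hunk, `if [ -d /etc/modprobe.d ]` still uses a hard-coded path while the very next line uses `${ROOTDIR}etc/modprobe.d/*`, so the test is skipped when auditing a mounted root; change it to `if [ -d ${ROOTDIR}etc/modprobe.d ]`.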
@ -66,7 +66,7 @@
fi fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND}" ]; then if [ -n "${FIND}" ]; then
FOUND=1 FOUND=1
LogText "Result: found usb-storage driver in disabled state" LogText "Result: found usb-storage driver in disabled state"
fi fi
@ -75,7 +75,7 @@
LogText "Result: usb-storage driver is not explicitly disabled" LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
if [ "${USBGUARD_FOUND}" -eq "0" ]; then if [ "${USBGUARD_FOUND}" -eq "0" ]; then
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
fi fi
AddHP 2 3 AddHP 2 3
else else
@ -87,46 +87,56 @@
# #
################################################################################# #################################################################################
# #
# Test : STRG-1842 (future ID: USB-2000) # Test : USB-2000 (was STRG-1842)
# Description : Check USB authorizations # Description : Check USB authorizations
Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations" Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0 FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb" USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices"
for device in "${USBDEVICESPATH}"*; do LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})"
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then if [ -d "${USBDEVICESPATH}" ]; then
if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then LogText "Test: Checking USB devices authorization to connect to the system"
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then
# To-Be-Added: create documentation and enable the suggestion if [ "$(cat "${device}/authorized_default")" = "1" ]; then
#if [ ${USBGUARD_FOUND} -eq 0 ]; then FOUND=1
# ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" LogText "Test: ${device} is authorized by default (authorized_default=1)"
#fi Report "usb_authorized_default_device[]=${device}"
AddHP 0 3 fi
if [ "$(cat "${device}/authorized")" = "1" ]; then
FOUND=1
LogText "Test: ${device} is authorized currently (authorized=1)"
Report "usb_authorized_device[]=${device}"
fi
else
LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# TODO: create documentation and enable the suggestion
#if [ ${USBGUARD_FOUND} -eq 0 ]; then
# ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft"
#fi
AddHP 0 3
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
else else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" LogText "Result: devices path does not exist"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : USB-3000 # Test : USB-3000
# Description : Perform USBGuard check # Description : Perform USBGuard check
Register --test-no USB-3000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard" Register --test-no USB-3000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
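Review bot: the guard `[ -e "${device}/authorized" -o -e "${device}/authorized_default" ]` passes when only one of the two files exists, but the body then runs `cat "${device}/authorized_default"` and `cat "${device}/authorized"` unconditionally, so a missing file produces a `cat` error on stderr and an empty comparison. Check each file on its own before reading it, e.g. `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" = "1" ]; then`, and do the same for `authorized`; this also removes the remaining `-o` in favour of the `[ ] || [ ]` form used elsewhere in this sync. Note as well that the `for device in $(find ...)` loop relies on word splitting, which is fine for sysfs names but worth a comment since the rest of the file quotes `${device}`.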
@ -137,27 +147,27 @@
AddHP 1 1 AddHP 1 1
LogText "Checking USBGuard configuration file" LogText "Checking USBGuard configuration file"
if [ -f /etc/usbguard/usbguard-daemon.conf ]; then if [ -f ${ROOTDIR}etc/usbguard/usbguard-daemon.conf ]; then
USBGUARD_CONFIG="/etc/usbguard/usbguard-daemon.conf" USBGUARD_CONFIG="${ROOTDIR}etc/usbguard/usbguard-daemon.conf"
else else
USBGUARD_CONFIG="" USBGUARD_CONFIG=""
fi fi
if [ ! -z "${USBGUARD_CONFIG}" ]; then if [ -n "${USBGUARD_CONFIG}" ]; then
LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})" LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})"
Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)" LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)"
USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RESTORE_POLICY}" ]; then if [ -n "${USBGUARD_RESTORE_POLICY}" ]; then
LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}" LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}"
case "${USBGUARD_RESTORE_POLICY}" in case "${USBGUARD_RESTORE_POLICY}" in
"true") "true")
Display --indent 6 --text "- Restore controller device state" --result "${USBGUARD_RESTORE_POLICY}" --color YELLOW Display --indent 6 --text "- Restore controller device state" --result "${USBGUARD_RESTORE_POLICY}" --color YELLOW
LogText " Consider changing RestoreControllerDeviceState to \"false\"" LogText " Consider changing RestoreControllerDeviceState to \"false\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)" # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)"
AddHP 0 1 AddHP 0 1
;; ;;
"false") "false")
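Review bot: `[ -n "${USBGUARD_RESTORE_POLICY}" ]` is satisfied by a value with surrounding whitespace, and the awk extraction `-F '=' ... {print $2}` keeps whatever follows the `=` verbatim, so a configuration written as `RestoreControllerDeviceState = true` yields `" true"` and falls through to the `Invalid` branch with a red result. Trim the value before the `case`, for example by adding `gsub(/^[ \t]+|[ \t]+$/, "", $2)` to the awk program, or by piping through `${TRBINARY} -d ' '`; the same applies to the four later `*Policy` extractions that use the identical awk pattern.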
@ -167,8 +177,8 @@
*) *)
LogText "Result: Invalid configuration for RestoreControllerDeviceState" LogText "Result: Invalid configuration for RestoreControllerDeviceState"
Display --indent 6 --text "- Restore controller device state" --result "Invalid" --color RED Display --indent 6 --text "- Restore controller device state" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\"" # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\""
AddHP 0 1 AddHP 0 1
;; ;;
esac esac
@ -181,25 +191,25 @@
LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)" LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)"
USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_CONTROLLER_POLICY}" ]; then if [ -n "${USBGUARD_CONTROLLER_POLICY}" ]; then
LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}" LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}"
case "${USBGUARD_CONTROLLER_POLICY}" in case "${USBGUARD_CONTROLLER_POLICY}" in
"allow"|"keep") "allow" | "keep")
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color YELLOW Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color YELLOW
LogText " Consider changing PresentControllerPolicy to \"apply-policy\", \"block\" or \"reject\"" LogText " Consider changing PresentControllerPolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)" # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1 AddHP 0 1
;; ;;
"apply-policy"|"block"|"reject") "apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color GREEN Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color GREEN
AddHP 1 1 AddHP 1 1
;; ;;
*) *)
LogText "Result: Invalid configuration for PresentControllerPolicy" LogText "Result: Invalid configuration for PresentControllerPolicy"
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "Invalid" --color RED Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\"" # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\""
AddHP 0 1 AddHP 0 1
;; ;;
esac esac
@ -211,25 +221,25 @@
LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)" LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)"
USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEVICE_POLICY}" ]; then if [ -n "${USBGUARD_DEVICE_POLICY}" ]; then
LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}" LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}"
case "${USBGUARD_DEVICE_POLICY}" in case "${USBGUARD_DEVICE_POLICY}" in
"allow"|"keep") "allow" | "keep")
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color YELLOW Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color YELLOW
LogText " Consider changing PresentDevicePolicy to \"apply-policy\", \"block\" or \"reject\"" LogText " Consider changing PresentDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)" # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1 AddHP 0 1
;; ;;
"apply-policy"|"block"|"reject") "apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color GREEN Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color GREEN
AddHP 1 1 AddHP 1 1
;; ;;
*) *)
LogText "Result: Invalid configuration for PresentDevicePolicy" LogText "Result: Invalid configuration for PresentDevicePolicy"
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "Invalid" --color RED Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\"" # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\""
AddHP 0 1 AddHP 0 1
;; ;;
esac esac
@ -241,25 +251,25 @@
LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)" LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)"
USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_INSERTED_POLICY}" ]; then if [ -n "${USBGUARD_INSERTED_POLICY}" ]; then
LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}" LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}"
case "${USBGUARD_INSERTED_POLICY}" in case "${USBGUARD_INSERTED_POLICY}" in
"allow"|"keep") "allow" | "keep")
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color YELLOW Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color YELLOW
LogText " Consider changing InsertedDevicePolicy to \"apply-policy\", \"block\" or \"reject\"" LogText " Consider changing InsertedDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)" # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1 AddHP 0 1
;; ;;
"apply-policy"|"block"|"reject") "apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color GREEN Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color GREEN
AddHP 1 1 AddHP 1 1
;; ;;
*) *)
LogText "Result: Invalid configuration for InsertedDevicePolicy" LogText "Result: Invalid configuration for InsertedDevicePolicy"
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "Invalid" --color RED Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\"" # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\""
AddHP 0 1 AddHP 0 1
;; ;;
esac esac
@ -271,14 +281,14 @@
LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)" LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)"
USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEFAULT_POLICY}" ]; then if [ -n "${USBGUARD_DEFAULT_POLICY}" ]; then
LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}" LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}"
case "${USBGUARD_DEFAULT_POLICY}" in case "${USBGUARD_DEFAULT_POLICY}" in
"allow") "allow")
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "${USBGUARD_DEFAULT_POLICY}" --color YELLOW Display --indent 6 --text "- Rule for devices not in RuleFile" --result "${USBGUARD_DEFAULT_POLICY}" --color YELLOW
LogText " Consider changing ImplicitPolicyTarget to \"block\" or \"reject\"" LogText " Consider changing ImplicitPolicyTarget to \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)" # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)"
AddHP 0 1 AddHP 0 1
;; ;;
"block"|"reject") "block"|"reject")
@ -288,8 +298,8 @@
*) *)
LogText "Result: Invalid configuration for ImplicitPolicyTarget" LogText "Result: Invalid configuration for ImplicitPolicyTarget"
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "Invalid" --color RED Display --indent 6 --text "- Rule for devices not in RuleFile" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\"" # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\""
AddHP 0 1 AddHP 0 1
;; ;;
esac esac
@ -301,7 +311,7 @@
LogText "Checking RuleFile" LogText "Checking RuleFile"
USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then if [ -n "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
LogText "Result: RuleFile found (${USBGUARD_RULES})" LogText "Result: RuleFile found (${USBGUARD_RULES})"
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
@ -316,7 +326,7 @@
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" #ReportSuggestion "${TEST_NO}" "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
AddHP 0 1 AddHP 0 1
fi fi
@ -324,14 +334,14 @@
Display --indent 4 --text "- Configuration" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 4 --text "- Configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: Configuration not found" LogText "Result: Configuration not found"
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "USBGuard configuration file not found, consider reinstalling" #ReportSuggestion "${TEST_NO}" "USBGuard configuration file not found, consider reinstalling"
AddHP 0 7 AddHP 0 7
fi fi
else else
LogText "Result: USBGuard not found" LogText "Result: USBGuard not found"
Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_NOT_FOUND}" --color WHITE
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "Install USBGuard to allow for fine-grained control of USB authorization" #ReportSuggestion "${TEST_NO}" "Install USBGuard to allow for fine-grained control of USB authorization"
AddHP 0 8 AddHP 0 8
fi fi
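Review bot: the earlier hunks of this file replace `# To-Be-Added:` with `# TODO:` in the commented-out `ReportSuggestion` lines, but the three occurrences in these last two hunks (RuleFile not found, configuration not found, USBGuard not found) were left as `# To-Be-Added:`; change them too so that a grep for `TODO` finds all of the disabled suggestions.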

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -30,7 +30,6 @@
# # Description : Checking VMware # # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --category security --description "Checking VMware guest status" # Register --test-no VIRT-1920 --weight L --network NO --category security --description "Checking VMware guest status"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise
# VMWARE_GUEST=0 # VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status" # Display --indent 2 --text "- Checking VMware guest status"
# # check memory driver file # # check memory driver file

View File

@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -113,9 +113,10 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})" LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else else
LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist" LogText "Result: File or directory ${APACHE_TESTFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests" Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration" ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?"
fi fi
fi fi
fi fi
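Review bot: the else branch now logs `${APACHE_TESTFILE}` while the then branch a few lines up still reports `${APACHE_CONFIGFILE}`; confirm that APACHE_TESTFILE is actually assigned on this path, because with `set -o nounset` now enabled in the main script an unset variable here aborts the whole audit instead of writing a log line. If the two variables are meant to differ (candidate path versus confirmed configuration file), a one-line comment saying what APACHE_TESTFILE holds would make the added "Note: if only the Apache binary package has been installed" message easier to interpret.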
@ -156,7 +157,7 @@
done done
# Search Server aliases # Search Server aliases
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
if [ ! -z ${J} ]; then if [ -n "${J}" ]; then
tVHOSTS="${tVHOSTS} ${J}" tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1)) cVHOSTS=$((cVHOSTS + 1))
fi fi
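Review bot: the `[ -n "${J}" ]` change is harmless but can never be false here: `for J in $(...)` word-splits the command output, so J is never empty or whitespace-only. The portability problem on this line is `\s` in `${SEDBINARY} "s/\s*ServerAlias //g"`, which is a GNU extension and not part of POSIX sed, so BSD and Solaris sed will not strip the leading whitespace; `s/[[:space:]]*ServerAlias //g` behaves the same on GNU sed and is portable.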
@ -169,7 +170,7 @@
# Log all virtual hosts we found # Log all virtual hosts we found
for J in ${tVHOSTS}; do for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then if [ -n "${J}" ]; then
LogText "Virtual host: ${J}" LogText "Virtual host: ${J}"
#Report "apache_vhost_name[]=${J}" #Report "apache_vhost_name[]=${J}"
fi fi
@ -185,10 +186,10 @@
fi fi
# Remove temp files # Remove temp files
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then
rm -f ${TMPFILE} rm -f ${TMPFILE}
fi fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
# #
################################################################################# #################################################################################
# #
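Review bot: in `if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]` the file test runs before the emptiness test and `${TMPFILE}` is unquoted both there and in `rm -f ${TMPFILE}`; with an empty value the expression becomes `[ -f -a -n "" ]`, whose result is unspecified by POSIX, and `-a` itself is marked obsolescent. Prefer `if [ -n "${TMPFILE}" ] && [ -f "${TMPFILE}" ]; then rm -f "${TMPFILE}"; fi`, which is the order the TMPFILE2 line just below already uses.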
@ -250,14 +251,13 @@
Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so" if CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"; then
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" ReportSuggestion "${TEST_NO}" "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi fi
fi fi
# #
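Review bot: the rewrite to `if CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"; then` makes the branch depend on CheckItem's exit status instead of `${ITEM_FOUND}`; that is only correct if CheckItem returns 0 exactly when a match is found and non-zero otherwise, which this diff does not show. Worth confirming in the functions file before merging, since an inverted return would award `AddHP 3 3` to systems that lack the module and suggest installing it on systems that have it. The same change is applied to HTTP-6641 and HTTP-6643 below.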
@ -270,14 +270,13 @@
Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_(reqtimeout|qos).so" if CheckItem "apache_module" "/mod_(reqtimeout|qos).so"; then
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_FOUND}" --color GREEN Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks" ReportSuggestion "${TEST_NO}" "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
fi fi
fi fi
# #
@ -289,14 +288,13 @@
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_security2.so" if CheckItem "apache_module" "/mod_security2.so"; then
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks" ReportSuggestion "${TEST_NO}" "Install Apache modsecurity to guard webserver against web application attacks"
fi fi
fi fi
# #
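Review bot: the pattern `/mod_security2.so` only matches the ModSecurity v2 Apache module; a system running the v3 engine through its Apache connector, which installs as mod_security3.so, is reported as `${STATUS_NOT_FOUND}`, penalised with `AddHP 2 3` and told to install ModSecurity. `/mod_security[23].so` would cover both while keeping the rest of the block unchanged.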
@ -353,7 +351,7 @@
# Test : HTTP-6706 # Test : HTTP-6706
# Description : Search for includes within nginx configuration file # Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found # Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files" Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CreateTempFile || ExitFatal CreateTempFile || ExitFatal
@ -404,7 +402,7 @@
# Test : HTTP-6708 # Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardening # Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found # Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings" Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options" LogText "Test: start parsing all discovered nginx options"
@ -422,7 +420,7 @@
LogText "Result: this configuration file is skipped, as it contains usually no interesting details" LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
fi fi
done done
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then
for I in ${NGINX_CONF_FILES_ADDITIONS}; do for I in ${NGINX_CONF_FILES_ADDITIONS}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}') FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then if [ ! "${FILENAME}" = "mime.types" ]; then
@ -444,7 +442,7 @@
# Test : HTTP-6710 # Test : HTTP-6710
# Description : Check SSL configuration of nginx # Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found # Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings" Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0 NGINX_SSL_SUGGESTION=0
@ -482,7 +480,7 @@
else else
LogText "Result: No SSL configuration found" LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy" ReportSuggestion "${TEST_NO}" "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
AddHP 1 5 AddHP 1 5
fi fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
@ -496,7 +494,7 @@
# Test : HTTP-6712 # Test : HTTP-6712
# Description : Check logging configuration of nginx # Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found # Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging" Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0 NGINX_LOG_SUGGESTION=0
@ -522,7 +520,7 @@
fi fi
# Report suggestion # Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning" ReportSuggestion "${TEST_NO}" "Check your nginx access log for proper functioning"
fi fi
fi fi
# #
@ -530,7 +528,7 @@
# #
# Test : HTTP-6714 # Test : HTTP-6714
# Description : Check missing error logs in nginx # Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx" Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0 NGINX_LOG_SUGGESTION=0
@ -543,7 +541,7 @@
fi fi
# Report suggestion # Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements" ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements"
fi fi
fi fi
# #
@ -551,7 +549,7 @@
# #
# Test : HTTP-6716 # Test : HTTP-6716
# Description : Check debug mode on error log in nginx # Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx" Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0 NGINX_LOG_SUGGESTION=0
@ -568,7 +566,7 @@
fi fi
# Report suggestion # Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements and disable debug mode" ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements and disable debug mode"
fi fi
fi fi
# #
@ -602,14 +600,14 @@
LogText "Result: directory ${DIR} not found, skipping search in this directory." LogText "Result: directory ${DIR} not found, skipping search in this directory."
fi fi
done done
unset DIR; unset FILE; unset FIND unset DIR FILE FIND
fi fi
# #
################################################################################# #################################################################################
# #
# Remove temp file (double check) # Remove temp file (double check)
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
WaitForKeyPress WaitForKeyPress


@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2013, Michael Boelen # Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy # Copyright 2007-2020, CISOfy
# #
# Website : https://cisofy.com # Website : https://cisofy.com
# Blog : http://linux-audit.com # Blog : http://linux-audit.com
@ -26,16 +26,41 @@
# Only show tips when enabled # Only show tips when enabled
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
LogText "Tool tips: enabled"
# * Regular security auditing
#
# If package is installed, then suggest users to schedule the audit daily
# How: confirm presence of directory /etc/lynis and check cronjobs
# * Check for duplicate items between default and custom profile
#
# This can be done by marking an item if it overwrites the default profile
# with the same value.
#
# Rationale: default profile should contain have sensible default and
# custom profile allows customization for the user or system.
# Suggest usage of plugins if none are enabled
# Bash completion support # Bash completion support
if [ ! "${ETC_PATHS}" = "" ]; then #
for I in ${ETC_PATHS}; do # Detect if bash is used for active user
if [ -d ${I}/bash-completion.d ]; then #if [ -n "${ETC_PATHS}" ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then # for I in ${ETC_PATHS}; do
Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" # if [ -d ${I}/bash_completion.d ]; then
fi # if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
fi # Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
done # fi
fi # fi
# done
#fi
else
LogText "Tool tips: enabled"
fi fi
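Review bot: the new `else` branch logs `Tool tips: enabled` for the case where `${SHOW_TOOL_TIPS}` is not 1; it should read `Tool tips: disabled`. Also check that the `then` branch still contains at least one command after this change: if the only lines left there are the comment blocks and the commented-out completion check, the shell rejects the empty `then` body with a syntax error, so keep the `LogText "Tool tips: enabled"` (or a bare `:`) inside it. Finally, the commented-out completion check still tests `${ETC_PATHS}/bash_completion.d/lynis` inside a loop over `${I}`, so it would look at the wrong path if it is ever re-enabled; it should test `${I}/bash_completion.d/lynis`.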

254
lynis

@ -24,26 +24,35 @@
# #
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is. # In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it. # Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@" if [ "$(uname)" = "SunOS" ]; then
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
fi
#
#################################################################################
#
# Code quality: don't allow using undefined variables
# Notes: $_ may be empty on FreeBSD
set -o nounset
# #
################################################################################# #################################################################################
# #
# Program information # Program information
PROGRAM_NAME="Lynis" PROGRAM_NAME="Lynis"
PROGRAM_AUTHOR="CISOfy" PROGRAM_AUTHOR="CISOfy"
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details # Version details
PROGRAM_RELEASE_DATE="2019-02-26" PROGRAM_RELEASE_DATE="2020-10-05"
PROGRAM_RELEASE_TIMESTAMP=1548942179 PROGRAM_RELEASE_TIMESTAMP=1601896929
PROGRAM_RELEASE_TYPE="dev" # dev or final PROGRAM_RELEASE_TYPE="release" # pre-release or release
PROGRAM_VERSION="2.7.2" PROGRAM_VERSION="3.0.1"
# Source, documentation and license # Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_WEBSITE="https://cisofy.com/lynis/" PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_COPYRIGHT="2007-2019, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2020, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License. welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software." See the LICENSE file for details about using this software."
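Review bot: `set -o nounset` is now active for every run, where the code removed in the next hunk only enabled `set -u` for dev releases; any test that reads a variable that is set on only some code paths will now abort the audit with an "unbound variable" error instead of logging, which is a user-visible change that belongs in the changelog. The note `$_ may be empty on FreeBSD` is placed under the nounset header but describes the Solaris `test "$_"` line above it; move it next to that line. Separately, `PROGRAM_RELEASE_TYPE` changed its vocabulary from `dev`/`final` to `pre-release`/`release`, so anything still comparing against `"dev"` needs the same update.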
@ -53,12 +62,6 @@
REPORT_version_major="1"; REPORT_version_minor="0" REPORT_version_major="1"; REPORT_version_minor="0"
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}" REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
DISPLAY_LANG="${LANG}" # required by function Display to deal with multi-bytes characters.
# Code quality:
# Set strict checking for development version for first part of code. After
# initialization this is checked with strict profile option.
if [ ${PROGRAM_RELEASE_TYPE} = "dev" ]; then set -u; fi
# #
################################################################################# #################################################################################
@ -67,57 +70,48 @@
# #
################################################################################# #################################################################################
# #
# Check setuid bit
if [ -u "$0" ]; then echo "The called binary has the set-user-id bit - As this is unusual, execution will be stopped."; exit 1; fi
# Work directory # Work directory
WORKDIR=$(pwd) WORKDIR=$(pwd)
# Test from which directories we can use all functions and tests # Test from which directories we can use all functions and tests
USE_CWD=0
INCLUDEDIR="" # Set default include directory to none if case "$@" in *--usecwd*) true;; *) false;; esac; then
USE_CWD=1
INCLUDEDIR="./include"
else
INCLUDEDIR=""
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone)
for I in ${tINCLUDE_TARGETS}; do for I in ${tINCLUDE_TARGETS}; do
if [ "${I}" = "./include" ]; then if [ "${I}" = "./include" ]; then
if [ -d ${WORKDIR}/include ]; then INCLUDEDIR="${WORKDIR}/include"; fi if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi
elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then
INCLUDEDIR=${I} INCLUDEDIR=${I}
fi fi
done done
fi
# Drop out if our include directory can't be found # Drop out if our include directory can't be found
if [ -z "${INCLUDEDIR}" ]; then if [ -z "${INCLUDEDIR}" ]; then
printf "%s" " printf "%s" "\nFatal error: can't find include directory\nMake sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
Fatal error: can't find include directory exit 1
Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." fi
exit 1
fi
# Test for database directory # Test for database directory
if [ ${USE_CWD} -eq 1 ]; then
DBDIR="./db"
else
DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
for I in ${tDB_TARGETS}; do for I in ${tDB_TARGETS}; do
if [ "${I}" = "./db" ]; then if [ "${I}" = "./db" ]; then
if [ -d ${WORKDIR}/db ]; then DBDIR="${WORKDIR}/db"; fi if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi
elif [ -d ${I} -a -z "${DBDIR}" ]; then elif [ -d ${I} -a -z "${DBDIR}" ]; then
DBDIR="${I}" DBDIR="${I}"
fi fi
done done
# Import translations. First import English to prefill all texts
if [ ! -f ${DBDIR}/languages/en ]; then
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
else
. ${DBDIR}/languages/en
fi fi
# Auto detection of language based on locale (first two characters). Set to English when nothing found.
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
fi
if [ -z "${LANGUAGE}" ]; then
#Debug "Result: no (valid) language found, setting to default language (en)"
LANGUAGE="en"
fi
# #
################################################################################# #################################################################################
# #
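Review bot: the new fatal message is printed with `printf "%s" "\nFatal error: can't find include directory\nMake sure ..."`, but `%s` does not interpret backslash escapes in its argument, so the user now sees a literal `\n` where the old multi-line string printed real newlines. Use the text as the format string (`printf "\nFatal error: ...\n"`) or `%b`. Two smaller points in the same hunk: with `--usecwd` the script sets `INCLUDEDIR="./include"` and `DBDIR="./db"` relative to the current directory, while the default path resolves to the absolute `${WORKDIR}/include`, so any later `cd` breaks the relative form; use `${WORKDIR}/include` and `${WORKDIR}/db` in both branches. And `case "$@" in *--usecwd*)` matches the substring anywhere in any argument (a profile path containing it, for instance); a per-argument `case` on the exact option is safer. The setuid check `[ -u "$0" ]` is a good addition; extending it with `-g` would also refuse a set-group-id copy.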
@ -125,7 +119,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead # Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead
if [ -x /usr/xpg4/bin/id ]; then if [ -x /usr/xpg4/bin/id ]; then
MYID=$(/usr/xpg4/bin/id -u 2> /dev/null) MYID=$(/usr/xpg4/bin/id -u 2> /dev/null)
elif [ $(uname) = "SunOS" ]; then elif [ "$(uname)" = "SunOS" ]; then
MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null) MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null)
else else
MYID=$(id -u 2> /dev/null) MYID=$(id -u 2> /dev/null)
@ -134,13 +128,24 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# #
################################################################################# #################################################################################
# #
# Consts (bin paths, text strings, colors) # Set basic values and test permissions of the files to include, such as:
# - consts: bin paths, text strings, colors
# - functions: function library
# #
################################################################################# #################################################################################
# #
# Determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
PENTESTINGMODE=0
else
PRIVILEGED=0
# Set to pentesting mode if scan is without root privileges
PENTESTINGMODE=1
fi
# Perform a basic check for permissions. After including functions, using SafePerms() # Perform a basic check for permissions. After including functions, using SafePerms()
WARN_ON_FILE_ISSUES=1 IGNORE_FILE_PERMISSION_ISSUES=0
WARN_ON_FILE_ISSUES_ASKED=0
FILES_TO_CHECK="consts functions" FILES_TO_CHECK="consts functions"
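Review bot: `WARN_ON_FILE_ISSUES` and `WARN_ON_FILE_ISSUES_ASKED` are replaced by `IGNORE_FILE_PERMISSION_ISSUES` here and in the next hunk, but only the assignment sites are in this diff; with `set -o nounset` now active, any remaining reader of the old names elsewhere in the tree (functions, SafePerms) aborts at runtime, so grep for them before merging. Also, moving the PRIVILEGED/PENTESTINGMODE block up drops the `Debug "Starting Lynis non-privileged"` line (see the block removed after `. ${INCLUDEDIR}/parameters` below); it was the only log trace that a run is non-privileged and could be re-added once the functions are loaded.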
@ -192,12 +197,8 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system" printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
fi fi
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]" printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
WARN_ON_FILE_ISSUES_ASKED=1 IGNORE_FILE_PERMISSION_ISSUES=1
read DUMMY read -r void
fi
if [ ${WARN_ON_FILE_ISSUES_ASKED} -eq 1 ]; then
WARN_ON_FILE_ISSUES=0
fi fi
# Now include files if permissions are correct, or user decided to continue # Now include files if permissions are correct, or user decided to continue
@ -206,11 +207,54 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# #
################################################################################# #################################################################################
# #
# Language settings
#
#################################################################################
#
# Auto detection of language based on shell LANG variable. This is required by the Display() function to deal with multi-bytes characters.
DISPLAY_LANG="${LANG:-}"
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
fi
else
LANGUAGE="en"
fi
# Set default language: 'en' (English) if no value is set
if [ -z "${LANGUAGE}" ]; then
LANGUAGE="en"
fi
# Import translations. First import English to prefill all texts
if [ -f ${DBDIR}/languages/en ]; then
if SafeFile "${DBDIR}/languages/en"; then
. ${DBDIR}/languages/en
else
ExitFatal "Incorrect ownership or permissions of language file (${DBDIR}/languages/en)"
fi
else
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
fi
# Now that we have determined the language, we unset it from shell
# Some tools with translated strings are very hard to parse
unset LANG
#
#################################################################################
#
# Traps # Traps
# #
################################################################################# #################################################################################
# #
trap CleanUp INT trap CleanUp INT TERM
trap Status USR1
# Use safe umask for the files we create # Use safe umask for the files we create
umask 027 umask 027
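Review bot: `unset LANG` at the end of the language block does not achieve the stated goal of un-translated tool output when `LC_ALL` or any of the individual `LC_*` variables are set, since those take precedence over `LANG`; exporting `LC_ALL=C` after DISPLAY_LANG has been captured is the reliable way to get parseable output. Two smaller points: `egrep` is not specified by POSIX, so `grep -E` would be the portable spelling in both `locale | egrep "^LANG="` pipelines; and `. ${DBDIR}/languages/en` should quote the path like the `SafeFile "${DBDIR}/languages/en"` call directly above it.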
@ -224,33 +268,25 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
SafePerms ${INCLUDEDIR}/parameters SafePerms ${INCLUDEDIR}/parameters
. ${INCLUDEDIR}/parameters . ${INCLUDEDIR}/parameters
# Now determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
else
Debug "Starting Lynis non-privileged"
# Implied pentesting mode if not performed by root user
PENTESTINGMODE=1
fi
# Disable logging if no alternative was provided # Disable logging if no alternative was provided
if [ ${PRIVILEGED} -eq 0 ]; then if [ ${PRIVILEGED} -eq 0 ]; then
if [ -z "${LOGFILE}" ]; then if [ -z "${LOGFILE}" ]; then
# Try creating a log file in temporary directory # Try creating a log file in home directory
if [ ! -f /tmp/lynis.log ]; then if [ ! -f "$HOME/lynis.log" ]; then
if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
touch /tmp/lynis.log touch "$HOME/lynis.log"
if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
else else
LOGFILE="/tmp/lynis.log" LOGFILE="$HOME/lynis.log"
fi fi
else else
if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi fi
if [ -z "${REPORTFILE}" ]; then if [ -z "${REPORTFILE}" ]; then
touch /tmp/lynis-report.dat touch "$HOME/lynis-report.dat"
if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
else else
if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi fi
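Review bot: moving the default log and report files out of /tmp into `$HOME` closes the world-writable-directory symlink race, but the report branch still checks in the wrong order: `touch "$HOME/lynis-report.dat"` runs before `if [ -L "$HOME/lynis-report.dat" ]`, so a pre-planted symlink is followed before it is detected, and the following `if [ $? -eq 0 ]` tests the result of that `[ -L ]` test rather than of `touch`. Mirror the log file branch: test `-L` first, then `touch`, then check its status directly (`if touch "$HOME/lynis-report.dat"; then`). Also, `$HOME` can be unset in cron and minimal service environments, which now aborts under `set -o nounset`; `${HOME:-}` with a fallback to `/dev/null` would keep non-privileged runs working there.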
@ -399,21 +435,25 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
${WHITE}Options:${NORMAL} ${WHITE}Options:${NORMAL}
${GRAY}--no-log${NORMAL} : Don't create a log file ${WHITE}Alternative system audit modes${NORMAL}
${GRAY}--pentest${NORMAL} : Non-privileged scan (useful for pentest) ${GRAY}--forensics${NORMAL} : Perform forensics on a running or mounted system
${GRAY}--profile ${BROWN}<profile>${NORMAL} : Scan the system with the given profile file ${GRAY}--pentest${NORMAL} : Non-privileged, show points of interest for pentesting
${GRAY}--quick (-Q)${NORMAL} : Quick mode, don't wait for user input
${WHITE}Layout options${NORMAL} ${WHITE}Layout options${NORMAL}
${GRAY}--no-colors${NORMAL} : Don't use colors in output ${GRAY}--no-colors${NORMAL} : Don't use colors in output
${GRAY}--quiet (-q)${NORMAL} : No output ${GRAY}--quiet (-q)${NORMAL} : No output
${GRAY}--reverse-colors${NORMAL} : Optimize color display for light backgrounds ${GRAY}--reverse-colors${NORMAL} : Optimize color display for light backgrounds
${GRAY}--reverse-colours${NORMAL} : Optimize colour display for light backgrounds
${WHITE}Misc options${NORMAL} ${WHITE}Misc options${NORMAL}
${GRAY}--debug${NORMAL} : Debug logging to screen ${GRAY}--debug${NORMAL} : Debug logging to screen
${GRAY}--no-log${NORMAL} : Don't create a log file
${GRAY}--profile ${BROWN}<profile>${NORMAL} : Scan the system with the given profile file
${GRAY}--view-manpage (--man)${NORMAL} : View man page ${GRAY}--view-manpage (--man)${NORMAL} : View man page
${GRAY}--verbose${NORMAL} : Show more details on screen ${GRAY}--verbose${NORMAL} : Show more details on screen
${GRAY}--version (-V)${NORMAL} : Display version number and quit ${GRAY}--version (-V)${NORMAL} : Display version number and quit
${GRAY}--wait${NORMAL} : Wait between a set of tests
${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Threshold for slow test warning in seconds (default 10)
${WHITE}Enterprise options${NORMAL} ${WHITE}Enterprise options${NORMAL}
${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins ${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins
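Review bot: `--quick (-Q)` disappears from the help text in this hunk while the man page in this same commit still documents it (`Do a quick scan (default: don't wait for user input).`); if the flag is still accepted it should stay listed (or be marked deprecated) so help and man page agree. Two smaller points: the default for `--slow-warning` is hard-coded as `(default 10)` in the string, so it will silently drift if the variable's default changes, and `--slow-warning` sits after `--wait`, breaking the alphabetical order the rest of the Misc section follows.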
@ -421,6 +461,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
More options available. Run '$0 show options', or use the man page. More options available. Run '$0 show options', or use the man page.
" "
if [ ${WRONGOPTION} -eq 1 ]; then if [ ${WRONGOPTION} -eq 1 ]; then
@ -489,6 +530,7 @@ ${NORMAL}
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=$(hostname -f 2> /dev/null) FQDN=$(hostname -f 2> /dev/null)
fi fi
# #
################################################################################# #################################################################################
# #
@ -521,8 +563,8 @@ ${NORMAL}
Report "os_fullname=${OS_FULLNAME}" Report "os_fullname=${OS_FULLNAME}"
Report "os_version=${OS_VERSION}" Report "os_version=${OS_VERSION}"
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
Report "hostname=${HOSTNAME}" Report "hostname=${HOSTNAME}"
@ -533,6 +575,7 @@ ${NORMAL}
fi fi
Report "test_category=${TEST_CATEGORY_TO_CHECK}" Report "test_category=${TEST_CATEGORY_TO_CHECK}"
Report "test_group=${TEST_GROUP_TO_CHECK}" Report "test_group=${TEST_GROUP_TO_CHECK}"
# #
################################################################################# #################################################################################
# #
@ -595,6 +638,7 @@ ${NORMAL}
echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1 exit 1
fi fi
# #
################################################################################# #################################################################################
# #
@ -613,9 +657,12 @@ ${NORMAL}
if [ ${EOL} -eq 1 ]; then if [ ${EOL} -eq 1 ]; then
echo " End-of-life: ${WARNING}YES${NORMAL}" echo " End-of-life: ${WARNING}YES${NORMAL}"
ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}" ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
elif [ ${EOL} -eq 255 ]; then
# TODO - mark as item where community can provide help
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
fi fi
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}" echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}" echo " Hardware platform: ${HARDWARE}"
echo " Hostname: ${HOSTNAME}" echo " Hostname: ${HOSTNAME}"
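Review bot: the new `elif [ ${EOL} -eq 255 ]` branch only writes to the log, so a user reading the screen or the report sees no End-of-life line at all when the lookup fails, which is indistinguishable from "not end-of-life". Print an explicit unknown state (e.g. `End-of-life: UNKNOWN`) and record it in the report data as well, so the missing software-eol.db entry is visible. The `TODO - mark as item where community can provide help` comment should reference a tracking issue or be turned into the report entry just mentioned, otherwise it is likely to stay a TODO.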
@ -638,9 +685,9 @@ ${NORMAL}
LogText "Operating system: ${OS}" LogText "Operating system: ${OS}"
LogText "Operating system name: ${OS_NAME}" LogText "Operating system name: ${OS_NAME}"
LogText "Operating system version: ${OS_VERSION}" LogText "Operating system version: ${OS_VERSION}"
if [ ! -z "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
LogText "Kernel version: ${OS_KERNELVERSION}" LogText "Kernel version: ${OS_KERNELVERSION}"
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then if [ -n "${OS_KERNELVERSION_FULL}" ]; then
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}" LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
fi fi
LogText "Hardware platform: ${HARDWARE}" LogText "Hardware platform: ${HARDWARE}"
@ -691,7 +738,7 @@ ${NORMAL}
LogText "Latest stable version : ${PROGRAM_LV}" LogText "Latest stable version : ${PROGRAM_LV}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
# Check if current version is REALLY outdated (10 versions ago) # Check if current version is REALLY outdated (10 versions ago)
PROGRAM_MINVERSION=$((${PROGRAM_LV} - 10)) PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}" LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
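Review bot: `if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]` is evaluated without quoting or a non-empty guard, so if the version lookup fails and `PROGRAM_LV` is empty the test becomes `[ -gt N ]` and errors out instead of logging a failed update check. Guard with `if [ -n "${PROGRAM_LV}" ] && [ "${PROGRAM_LV}" -gt "${PROGRAM_AC}" ]` before the `$((PROGRAM_LV - 10))` arithmetic, which would otherwise evaluate to -10 on an empty value.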
@ -728,13 +775,12 @@ ${NORMAL}
OLD_RELEASE=0 OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months TIME_DIFFERENCE_CHECK=10368000 # 4 months
RELEASE_PLUS_TIMEDIFF=$((${PROGRAM_RELEASE_TIMESTAMP} + ${TIME_DIFFERENCE_CHECK})) RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check # Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading" ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
fi fi
UPDATE_AVAILABLE=1
OLD_RELEASE=1 OLD_RELEASE=1
fi fi
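Review bot: removing `UPDATE_AVAILABLE=1` from the old-release branch changes semantics, not just the message: a release older than four months now sets only `OLD_RELEASE=1`, so anything downstream that keys on `UPDATE_AVAILABLE` (report field, exit status, later display logic) no longer sees this condition. Confirm that is intended and that `OLD_RELEASE` is written to the report on its own; if the point is only to soften the suggestion text, keep the flag and change just the `ReportSuggestion` string.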
@ -780,6 +826,14 @@ ${NORMAL}
# #
################################################################################# #################################################################################
# #
# Test if we have a package manager available by testing for a dummy package (should not exist)
if PackageIsInstalled "__dummy__"; then
HAS_PACKAGE_MANAGER=1
LogText "Informational: package manager is used"
else
LogText "Informational: no known package manager for this system"
fi
# Use hardware detection capabilities # Use hardware detection capabilities
IsVirtualMachine IsVirtualMachine
if IsContainer; then if IsContainer; then
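Review bot: the branch condition reads backwards against its own comment: the comment says `__dummy__` should not exist, yet `HAS_PACKAGE_MANAGER=1` is set when `PackageIsInstalled "__dummy__"` returns success. This only works if the function's exit status encodes "package manager present" rather than "package installed", which a reader cannot tell from here. Test the return code explicitly (capture `$?` and compare against the value that means "no package manager") and document that contract in the comment, so the intent survives a later change to `PackageIsInstalled`. Also set `HAS_PACKAGE_MANAGER=0` in the `else` branch rather than relying on an earlier default.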
@ -846,15 +900,24 @@ ${NORMAL}
if [ -f ${PLUGIN_FILE} ]; then if [ -f ${PLUGIN_FILE} ]; then
FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }') FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((N_PLUGIN + 1)); fi
# Check if the plugin is enabled in any of the profiles # Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0 PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Action: checking plugin status in profile: ${PROFILE}" LogText "Action: checking plugin status in profile: ${PROFILE}"
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE}) FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
if [ ! -z "${FIND3}" ]; then if [ -n "${FIND3}" ]; then
LogText "Result: plugin enabled in profile (${PROFILE})" FOUND=0
PLUGIN_ENABLED_STATE=1 for I in ${DISABLED_PLUGINS}; do
if [ "${I}" = "${FIND2}" ]; then
FOUND=1
LogText "Result: plugin ${FIND2} is specifically disabled"
fi
done
if [ ${FOUND} -eq 0 ]; then
LogText "Result: plugin enabled in profile (${PROFILE})"
PLUGIN_ENABLED_STATE=1
fi
fi fi
done done
if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
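Review bot: `grep "^plugin=${FIND2}" ${PROFILE}` is a prefix match, so `plugin=pam` also matches a hypothetical `plugin=pamx` line and `${FIND2}` is interpolated unquoted into the pattern; anchor it as `"^plugin=${FIND2}$"` (or match on the whole line) so the new `DISABLED_PLUGINS` comparison and the enable check agree on plugin identity. The `for I in ${DISABLED_PLUGINS}` loop also runs once per profile and logs `is specifically disabled` each time; a `break` after `FOUND=1`, or hoisting the disabled check out of the profile loop, avoids repeated work and duplicate log lines.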
@ -866,7 +929,7 @@ ${NORMAL}
if SafePerms ${PLUGINFILE}; then if SafePerms ${PLUGINFILE}; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})" LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|" Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((${N_PLUGIN_ENABLED} + 1)); fi if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((N_PLUGIN_ENABLED + 1)); fi
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}" Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi
. ${PLUGINFILE} . ${PLUGINFILE}
@ -934,7 +997,7 @@ ${NORMAL}
LogText "Info: perform tests from all categories" LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \ filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \ insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \ mac_frameworks file_integrity tooling malware file_permissions homedirs \
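Review bot: renaming `printers_spools` to `printers_spoolers` in `INCLUDE_TESTS` only takes effect if the include file is also named `tests_printers_spoolers`; the loader below checks `-f ${INCLUDE_FILE}` and silently skips a missing file, so a mismatch would drop the whole category without any warning. Add a `LogText` in the not-found case of that loop so a missing category file is visible in the log.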
@ -948,7 +1011,7 @@ ${NORMAL}
for INCLUDE_TEST in ${INCLUDE_TESTS}; do for INCLUDE_TEST in ${INCLUDE_TESTS}; do
INCLUDE_FILE="${INCLUDEDIR}/tests_${INCLUDE_TEST}" INCLUDE_FILE="${INCLUDEDIR}/tests_${INCLUDE_TEST}"
if [ -f ${INCLUDE_FILE} ]; then if [ -f ${INCLUDE_FILE} ]; then
if SafePerms ${INCLUDE_FILE}; then if SafeFile ${INCLUDE_FILE}; then
. ${INCLUDE_FILE} . ${INCLUDE_FILE}
else else
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
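Review bot: the condition changes from `SafePerms` to `SafeFile`, but the failure message still says `file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)`. If `SafeFile` also rejects files for other reasons (ownership, symlinks), the message will mislead whoever reads the log; update it to state what `SafeFile` actually verifies, or have `SafeFile` log the specific reason itself.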
@ -1035,7 +1098,7 @@ ${NORMAL}
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
# Show tool tips # Show tool tips
if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi
LogText "================================================================================" LogText "================================================================================"
LogText "Tests performed: ${CTESTS_PERFORMED}" LogText "Tests performed: ${CTESTS_PERFORMED}"
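Review bot: in `SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips` (and the `report` line above it) the return value of `SafePerms` is discarded, so the file is sourced even when the permission check fails, which defeats the purpose of the check. Use the same pattern as the test loader: `if SafePerms ...; then . ...; else LogText "..."; fi`.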
@ -1063,7 +1126,12 @@ ${NORMAL}
LogText "Program ended successfully" LogText "Program ended successfully"
LogText "================================================================================" LogText "================================================================================"
if [ -z "${CUSTOM_PROFILE}" ]; then DisplayToolTip "Enhance ${PROGRAM_NAME} audits by adding your settings to custom.prf (see ${DEFAULT_PROFILE} for all settings)"; fi # Tool tips
if [ ${QUIET} -eq 0 ]; then
if [ -z "${CUSTOM_PROFILE}" ]; then DisplayToolTip "Enhance ${PROGRAM_NAME} audits by adding your settings to custom.prf (see ${DEFAULT_PROFILE} for all settings)"; fi
fi
# Clean exit (Delete PID file) # Clean exit (Delete PID file)
if [ ${TOTAL_WARNINGS} -gt 0 ]; then if [ ${TOTAL_WARNINGS} -gt 0 ]; then
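Review bot: wrapping the tool tip in `if [ ${QUIET} -eq 0 ]` is correct, but the same check will be needed at every other `DisplayToolTip` call site; moving the `QUIET` test inside `DisplayToolTip` keeps callers simple and makes it impossible to forget at the next one.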
@ -1081,4 +1149,4 @@ ${NORMAL}
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

48
lynis.8

@ -1,4 +1,4 @@
.TH Lynis 8 "27 Aug 2018" "1.27" "Unix System Administrator's Manual" .TH Lynis 8 "14 Feb 2020" "1.32" "Unix System Administrator's Manual"
.SH "NAME" .SH "NAME"
@ -41,13 +41,11 @@ When running \fBLynis\fP for the first time, run: lynis audit system
.SH "COMMANDS" .SH "COMMANDS"
.IP "audit \<type\>" .IP "audit \<type\>"
Perform an audit of the selected type Perform an audit of the selected type
.IP "show \<parameter\>"
Show information, such as configuration and paths
.IP "update \<parameter\>"
Perform activities regarding updating
.IP "upload-only" .IP "upload-only"
Upload the available report data file Upload the available report data file
See HELPERS section for more commands.
.SH "SCAN TYPES" .SH "SCAN TYPES"
.IP "audit system" .IP "audit system"
@ -72,7 +70,10 @@ breaks).
Display debug information to screen for troubleshooting purposes. Display debug information to screen for troubleshooting purposes.
.TP .TP
.B \-\-developer .B \-\-developer
Display developer information when creating tests. Display detailed information useful for developers when creating tests.
.TP
.B \-\-forensics
Perform the audit on a running or mounted system (see \-\-rootdir)
.TP .TP
.B \-\-help .B \-\-help
Show available commands and most-used options. Show available commands and most-used options.
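Review bot: the new `\-\-forensics` entry `Perform the audit on a running or mounted system (see \-\-rootdir)` lacks the trailing period every neighbouring option description has; add it for consistency.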
@ -87,9 +88,12 @@ Show the man page. Useful for systems that do not have the man page installed.
Disable colored output. Disable colored output.
.TP .TP
.B \-\-no\-log .B \-\-no\-log
Redirect all logging information to /dev/null, prevent sensitive information to Redirect all logging information to /dev/null, prevents sensitive information to
be written to disk. be written to disk.
.TP .TP
.B \-\-no\-plugins
Do not run any of the enabled plugins.
.TP
.B \-\-pentest .B \-\-pentest
Run a non-privileged scan, usually used for penetration testing. Some of the Run a non-privileged scan, usually used for penetration testing. Some of the
tests will be skipped if they require root permissions. tests will be skipped if they require root permissions.
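Review bot: the edited `\-\-no\-log` text now reads `prevents sensitive information to be written to disk`, which is ungrammatical; `prevents sensitive information from being written to disk` is the intended sentence. The new `\-\-no\-plugins` entry is fine, but since this commit also drops `\-\-skip\-plugins` from the man page, state here whether the old spelling is still accepted as an alias so existing scripts are not broken silently.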
@ -101,7 +105,7 @@ Define location where plugins can be found.
Provide alternative profile to perform the scan. Provide alternative profile to perform the scan.
.TP .TP
.B \-\-quick (\-Q) .B \-\-quick (\-Q)
Do a quick scan (don't wait for user input). Do a quick scan (default: don't wait for user input).
.TP .TP
.B \-\-quiet (\-q) .B \-\-quiet (\-q)
Run quietly and do not show anything to the screen. Will also enable quick mode. Run quietly and do not show anything to the screen. Will also enable quick mode.
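Review bot: `Do a quick scan (default: don't wait for user input).` is ambiguous: it can be read as "quick mode is the default" or as "the default behaviour of quick mode is not to wait". If quick mode is now the default, say so directly and document what the flag still changes; if not, the original wording was clearer.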
@ -112,20 +116,20 @@ Provide an alternative name for report file.
.B \-\-reverse\-colors .B \-\-reverse\-colors
Optimize screen output for light backgrounds. Optimize screen output for light backgrounds.
.TP .TP
.B \-\-skip\-plugins
Do not run plugins.
.TP
.B \-\-tests TEST-IDs .B \-\-tests TEST-IDs
Only run the specific test(s). When using multiple tests, add quotes around the Only run the specific test(s). When using multiple tests, add quotes around the
line. line.
.TP .TP
.B \-\-tests\-from\-category "<category>" .B \-\-tests\-from\-category "<category>"
Tests are only performed if they belong to the defined category. Use the command Tests are only performed if they belong to the defined category. Use the command
'show categories' to determine all valid options. \ 'show categories' to determine all valid options.
.TP .TP
.B \-\-tests\-from\-group "<group>" .B \-\-tests\-from\-group "<group>"
Similar to \-\-tests\-from\-category. Only perform tests from a particular group. Similar to \-\-tests\-from\-category. Only perform tests from a particular group.
Use 'show categories' to determine valid options. Use 'show groups' to determine valid options.
.TP
.B \-\-use-cwd
Run from the current working directory.
.TP .TP
.B \-\-upload .B \-\-upload
Upload data to Lynis Enterprise server (profile option: upload=yes). Upload data to Lynis Enterprise server (profile option: upload=yes).
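Review bot: `\-\-use-cwd` is inserted between `\-\-tests\-from\-group` and `\-\-upload`, which breaks the alphabetical ordering of the options section (it belongs after `\-\-upload`); it also uses a bare `-` where the surrounding entries escape it as `\-`, which renders differently in some troff implementations.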
@ -155,12 +159,16 @@ file. This speeds up execution and keeps the code clean.
.IP "audit" .IP "audit"
Run audit on the system or on other targets Run audit on the system or on other targets
.IP "show" .IP "configure \<parameter\>"
Provide details about Lynis Change or add settings to the config file
.IP "update" .IP "generate \<parameter\>"
Run updater utility Generate specific details such as host IDs
.IP "show \<parameter\>"
Show information, such as configuration and paths
.IP "update \<parameter\>"
Perform activities regarding updating
.PP .PP
To use a helper, run Lynis followed by the helper name. To use a helper, run 'lynis' followed by the helper name.
.SH "EXIT CODES" .SH "EXIT CODES"
Lynis uses exit codes to signal any invoking script. Currently the following codes are used: Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
@ -178,13 +186,13 @@ Can't open file or directory
Lynis found 1 or more warnings or configurations errors (with error-on-warnings=yes) Lynis found 1 or more warnings or configurations errors (with error-on-warnings=yes)
.SH "BUGS" .SH "BUGS"
Bugs can be reported via GitHub at https://github.com/CISOfy/lynis Bugs can be reported via GitHub at https://github.com/CISOfy/lynis or via support@cisofy.com
.SH "DOCUMENTATION" .SH "DOCUMENTATION"
Supporting documentation can be found via https://cisofy.com/support/ Supporting documentation can be found via https://cisofy.com/support/
.SH "LICENSING" .SH "LICENSING"
Lynis is licensed as GPLv3. It was created by Michael Boelen in 2007. Development has been taken over by CISOfy. Plugins may have a different license. Lynis is licensed as GPLv3. The tool was created by Michael Boelen in 2007. Since 2013 its development has been taken over by CISOfy under the management of Michael Boelen. Plugins may have a different license.
.SH "CONTACT INFORMATION" .SH "CONTACT INFORMATION"
Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com. Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.


@ -72,7 +72,7 @@
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
else else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion" ReportSuggestion "${TEST_NO}" "This is a suggestion"
fi fi
fi fi
# #


@ -6,19 +6,26 @@
#----------------------------------------------------- #-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com> # PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication # PLUGIN_CATEGORY=authentication
# PLUGIN_DATE=2017-04-30 # PLUGIN_DATE=2020-03-21
# PLUGIN_DESC=PAM # PLUGIN_DESC=PAM
# PLUGIN_NAME=pam # PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all # PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS= # PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.2 # PLUGIN_VERSION=1.0.5
#----------------------------------------------------- #-----------------------------------------------------
######################################################################### #########################################################################
# #
# Variables # Variables
CREDITS_D_PASSWORD=""
CREDITS_L_PASSWORD=""
CREDITS_O_PASSWORD=""
CREDITS_U_PASSWORD=""
MAX_PASSWORD_RETRY="" MAX_PASSWORD_RETRY=""
MIN_PASSWORD_CLASS=""
PAM_DIRECTORY="${ROOTDIR}etc/pam.d" PAM_DIRECTORY="${ROOTDIR}etc/pam.d"
#
#########################################################################
#
# Test : PLGN-0008 # Test : PLGN-0008
# Description : Check PAM configuration # Description : Check PAM configuration
FILE="${ROOTDIR}etc/security/pwquality.conf" FILE="${ROOTDIR}etc/security/pwquality.conf"
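Review bot: `CREDITS_D_PASSWORD`, `CREDITS_L_PASSWORD`, `CREDITS_O_PASSWORD`, `CREDITS_U_PASSWORD` and `MIN_PASSWORD_CLASS` are declared without any comment; given that the test reads `${ROOTDIR}etc/security/pwquality.conf`, they presumably map to pwquality's `dcredit`/`lcredit`/`ocredit`/`ucredit` and `minclass`. A one-line comment per variable naming the setting it holds (and that negative credit values mean a minimum count rather than a bonus) would save the next reader a trip to the pwquality docs.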
@ -57,8 +64,9 @@
done done
done done
fi fi
#
#########################################################################
#
# Test : PLGN-0010 # Test : PLGN-0010
# Description : Check PAM configuration # Description : Check PAM configuration
if [ -f ${ROOTDIR}etc/pam.conf -o -d ${PAM_DIRECTORY} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${ROOTDIR}etc/pam.conf -o -d ${PAM_DIRECTORY} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -69,12 +77,12 @@
if [ -d ${PAM_DIRECTORY} ]; then if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: ${PAM_DIRECTORY} exists" LogText "Result: ${PAM_DIRECTORY} exists"
if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print) FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "*.pam-old" -type f -print)
else else
if [ -f ${PAM_DIRECTORY}/README ]; then if [ -f ${PAM_DIRECTORY}/README ]; then
LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file" LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file"
fi fi
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print | grep -v "README") FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "README" \! -name "*.pam-old" -type f -print)
fi fi
for PAM_FILE in ${FIND_FILES}; do for PAM_FILE in ${FIND_FILES}; do
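Review bot: the `\! -name "*.pam-old"` exclusion is duplicated in both `find` invocations, so the two branches will drift the next time a backup suffix is added; put the exclusion in one variable (or one `find` call with the README filter applied only for the BSD branch). `${PAM_DIRECTORY}` is also unquoted in both calls and in `for PAM_FILE in ${FIND_FILES}`, which breaks on any path containing whitespace.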
@ -88,7 +96,7 @@
PAM_CONTROL_OPTIONS="-" PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-" PAM_MODULE="-"
PAM_MODULE_OPTIONS="-" PAM_MODULE_OPTIONS="-"
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }') PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }' | sed 's/^ *-//g')
PARSELINE=0 PARSELINE=0
case ${PAM_TYPE} in case ${PAM_TYPE} in
"@include") "@include")
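Review bot: `sed 's/^ *-//g'` strips the leading `-` so that optional-module lines reach the `case ${PAM_TYPE}` match, but it also discards the information that the entry was marked optional (a missing module does not fail the stack). If any later logic reports missing or misconfigured modules, record that flag before stripping it. The `g` modifier is redundant on an anchored pattern.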
@ -263,6 +271,7 @@
pam_securetty) ;; pam_securetty) ;;
pam_securityserver) ;; pam_securityserver) ;;
pam_self) ;; pam_self) ;;
pam_selinux) ;;
pam_shells) ;; pam_shells) ;;
pam_skey) ;; pam_skey) ;;
pam_ssh) pam_ssh)


@ -1,27 +1,17 @@
#!/bin/sh #!/bin/sh
#########################################################################
#
# This component is part of Lynis Enterprise. No parts may be copied,
# distributed or used without written permission of CISOfy. Users who
# have an active license are permitted to use this component as part
# of the service. This software component may only be used in combination
# with Lynis and Lynis Enterprise.
#
# Copyright 2016, CISOfy - https://cisofy.com
#
######################################################################### #########################################################################
# #
# * DO NOT REMOVE * # * DO NOT REMOVE *
#----------------------------------------------------- #-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com> # PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=essentials # PLUGIN_CATEGORY=essentials
# PLUGIN_DATE=2017-04-30 # PLUGIN_DATE=2020-03-23
# PLUGIN_DESC=Tests related to systemd tooling # PLUGIN_DESC=Tests related to systemd tooling
# PLUGIN_NAME=systemd # PLUGIN_NAME=systemd
# PLUGIN_PACKAGE=community # PLUGIN_PACKAGE=community
# PLUGIN_REQUIRED_TESTS= # PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.2 # PLUGIN_VERSION=1.0.4
#----------------------------------------------------- #-----------------------------------------------------
# #
######################################################################### #########################################################################
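Review bot: this hunk removes the Lynis Enterprise licence notice and the `Copyright 2016, CISOfy` line while changing `PLUGIN_PACKAGE` to `community`, leaving the file with no licence or copyright statement at all. If the plugin is now shipped under the project's GPLv3 terms, add the project's standard header here so the file's status is unambiguous.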
@ -36,7 +26,7 @@
# #
# Test : PLGN-3800 # Test : PLGN-3800
# Description : Gather systemctl exit code # Description : Gather systemctl exit code
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} > /dev/null) FIND=$(${SYSTEMCTLBINARY} > /dev/null)
@ -54,17 +44,17 @@
# Description : Query systemd version and options # Description : Query systemd version and options
# Notes : version can also be gathered with systemctl show | grep ^Version= # Notes : version can also be gathered with systemctl show | grep ^Version=
# features with systemctl show | grep ^Features= # features with systemctl show | grep ^Features=
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1) FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
SYSTEMD_VERSION=${FIND} SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}" Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}" LogText "Result: found systemd version ${FIND}"
fi fi
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1` FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
Report "systemd_builtin_components=${FIND}" Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list" LogText "Result: found builtin components list"
fi fi
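Review bot: `grep "^[1-9][0-9][0-9]$"` accepts only exactly three-digit versions; that is fine for current systemd releases, but when it fails `SYSTEMD_VERSION` is never assigned here, and PLGN-3812 later runs `${SYSTEMD_VERSION} -ge 209` unquoted, which errors on an empty value. Either initialise `SYSTEMD_VERSION` to a sentinel such as 0 in the variables block or make the later prerequisite check test for a non-empty value first. The backtick-to-`$(...)` conversion itself looks correct.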
@ -74,11 +64,11 @@
# #
# Test : PLGN-3804 # Test : PLGN-3804
# Description : Gather all systemd unit files # Description : Gather all systemd unit files
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'` FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files" LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
@ -91,11 +81,11 @@
# #
# Test : PLGN-3806 # Test : PLGN-3806
# Description : Gather all failed systemd units # Description : Gather all failed systemd units
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'` FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files" LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
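Review bot: the log line `Result: found systemd unit files via systemctl list-unit-files` is copied from PLGN-3804; this test lists failed units via `--state=failed`, so the message should say that, otherwise the log is misleading when debugging. Matching `$4=="failed" && $5=="failed"` also depends on the column layout of `systemctl --state=failed` output; `--no-legend` helps, but `systemctl list-units --state=failed --plain` (if available on the supported versions) would be more stable than positional fields.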
@ -108,11 +98,11 @@
# #
# Test : PLGN-3808 # Test : PLGN-3808
# Description : Gather machine ID # Description : Gather machine ID
if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(cat /etc/machine-id | head -1) FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
SYSTEMD_MACHINEID="${FIND}" SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}" LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
fi fi
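Review bot: `cat ${ROOTDIR}etc/machine-id | head -1` can be `head -1 ${ROOTDIR}etc/machine-id`, and the prerequisite check now correctly uses `${ROOTDIR}`, which is the real fix here. Note that the machine ID is written to the log in full (`Result: found machine ID: ...`); since it is a stable host identifier, consider whether it should go only to the report data and not to the log, which is more likely to be shared.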
@ -122,11 +112,11 @@
# #
# Test : PLGN-3810 # Test : PLGN-3810
# Description : Query main systemd binaries # Description : Query main systemd binaries
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${FINDBINARY}" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|") FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
Report "systemd_binaries=${FIND}" Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd" LogText "Result: found systemd binaries in /usr/lib/systemd"
else else
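Review bot: the prerequisite still tests `-d /usr/lib/systemd` while the `find` on the next line uses `${ROOTDIR}usr/lib/systemd`, so under `--rootdir`/`--forensics` the test can be skipped (or run) based on the wrong tree; change the check to `-d ${ROOTDIR}usr/lib/systemd`. The `Result: found systemd binaries in /usr/lib/systemd` log text hard-codes the path for the same reason.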
@ -138,29 +128,29 @@
# #
# Test : PLGN-3812 # Test : PLGN-3812
# Description : Query journal for boot related information # Description : Query journal for boot related information
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l) FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}" LogText "Output: number of boots listed in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi
FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }') FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}" LogText "Output: oldest boot date in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : PLGN-3814 # Test : PLGN-3814
# Description : Journal integrity # Description : Journal integrity
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g') FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
Report "journal_contains_errors=1" Report "journal_contains_errors=1"
for I in ${FIND}; do for I in ${FIND}; do
LINE=`echo ${I} | sed 's/:space:/ /g'` LINE=$(echo ${I} | sed 's/:space:/ /g')
LogText "Output (fails): ${LINE}" LogText "Output (fails): ${LINE}"
done done
else else
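Review bot: in PLGN-3814 the loop body `LINE=$(echo ${I} | sed 's/:space:/ /g')` leaves `${I}` unquoted, so a FAIL line from `journalctl --verify` that contains glob characters such as `*` or `?` is subject to pathname expansion before it is logged; quote it as `echo "${I}"`. The conversion from backticks to `$(...)` is otherwise fine, and the `[[:space:]]` to `:space:` round-trip keeps each FAIL line as a single word for the `for` loop, which is the intent.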
@ -173,10 +163,10 @@
# #
# Test : PLGN-3816 # Test : PLGN-3816
# Description : Journal sizing # Description : Journal sizing
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'` FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}')
Report "journal_disk_size=${FIND}" Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size" LogText "Result: journals are ${FIND} in size"
fi fi
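Review bot: the Register description for PLGN-3816 still reads "Query journal for boot related information", which is the PLGN-3812 text, while the header says "Journal sizing"; update it to something like "Query journal disk usage". On the awk change itself: the new expression prints `$4` for a line starting with "Journals" and `$7` for one starting with "Archived", which covers both the older and the newer `--disk-usage` output formats, but if a future format ever matched both branches `${FIND}` would contain two lines and `Report "journal_disk_size=${FIND}"` would emit a broken report entry; appending `| head -1` makes the result single-valued by construction.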
@ -185,10 +175,10 @@
# #
# Test : PLGN-3818 # Test : PLGN-3818
# Description : Journal meta data # Description : Journal meta data
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'` FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
Report "journal_meta_data=${FIND}" Report "journal_meta_data=${FIND}"
fi fi
# #
@ -196,7 +186,7 @@
# #
# Test : PLGN-3820 # Test : PLGN-3820
# Description : Journal FSS (Forward Secure Sealing) configuration # Description : Journal FSS (Forward Secure Sealing) configuration
if [ ! "${JOURNALCTLBINARY}" = "" -a ! "${SYSTEMD_MACHINEID}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a -n "${SYSTEMD_MACHINEID}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3820 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for journal FSS configuration" --progress Register --test-no PLGN-3820 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for journal FSS configuration" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss" FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss"
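Review bot: `FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss"` in PLGN-3820 hardcodes the path without the `${ROOTDIR}` prefix that PLGN-3810 uses for `${ROOTDIR}usr/lib/systemd` in the same file, so the FSS check looks at the live system even when a different root is being audited; use `"${ROOTDIR}var/log/journal/${SYSTEMD_MACHINEID}/fss"` for consistency.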
@ -211,11 +201,11 @@
# #
# Test : PLGN-3830 # Test : PLGN-3830
# Description : Query systemd status # Description : Query systemd status
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1) FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
Report "systemd_status=${FIND}" Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}" LogText "Result: found systemd status = ${FIND}"
fi fi
@ -228,8 +218,8 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'` FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
for I in ${FIND}; do for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}" Report "systemd_unit_not_found[]=${I}"
done done
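Review bot: the prerequisite line for PLGN-3832, `if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]`, was not converted to the `-n "${SYSTEMCTLBINARY}"` form that this patch applies to every other PLGN test in the file; convert it too so the style change is complete.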
@ -240,11 +230,11 @@
# #
# Test : PLGN-3834 # Test : PLGN-3834
# Description : Gather units from systemd which can not be found # Description : Gather units from systemd which can not be found
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${SYSTEMCTLBINARY}" -a -n "${AWKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'` FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found one or more services with faulty state" LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: service seems to be faulty (not-found) ${I}" LogText "Result: service seems to be faulty (not-found) ${I}"
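Review bot: PLGN-3834 pipes `systemctl list-units -t service --all` into awk without the `2> /dev/null` that PLGN-3832 uses on its `systemctl` call, so any stderr noise from systemctl (for example when the manager is unreachable) lands in the Lynis output; add the redirect. Also note that the prerequisite only checks for the `systemctl` and `awk` binaries and does not gate on `${SYSTEMD_RUNNING} -eq 1` like the surrounding tests, and that it largely overlaps with PLGN-3832, which already collects all `not-found` units via `--state=not-found`; if the service-only view is intentional, a comment saying so would help.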
@ -261,8 +251,8 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if systemd-coredump is used" --progress Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if systemd-coredump is used" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1 SYSTEMD_COREDUMP_USED=1
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump` FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps" LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1" Report "systemd_coredump_used=1"
fi fi
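Review bot: in PLGN-3856 `SYSTEMD_COREDUMP_USED=1` is assigned before the grep, and nothing in the visible lines resets it to 0 when `systemd-coredump` is not found in `core_pattern`, so PLGN-3860 (which gates on `${SYSTEMD_COREDUMP_USED} -eq 1`) would run even when systemd-coredump is not the handler; initialise it to 0 and set it to 1 inside the `if`. While touching this line, `cat /proc/sys/kernel/core_pattern | grep systemd-coredump` can be `grep systemd-coredump /proc/sys/kernel/core_pattern` without the extra process.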
@ -278,11 +268,11 @@
# #
# Test : PLGN-3860 # Test : PLGN-3860
# Description : Query coredumps from journalctl since Yesterday # Description : Query coredumps from journalctl since Yesterday
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null) FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
Report "journal_coredumps_lastday=1" Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps" LogText "Result: found recent coredumps"
else else
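Review bot: PLGN-3860 treats an empty `${FIND}` as "no recent coredumps", but with `2> /dev/null` a journalctl that fails (for example insufficient permissions to read the journal) produces the same empty result, so a failure is reported as a clean state; capture the exit status of the `journalctl` call and log it before deciding. Minor: "since Yesterday" in the comment and description should be lower-case, matching the `--since=yesterday` argument.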