a

2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="cramfs"                              # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+l_mpath="/lib/modules/**/kernel/$l_mtype"
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="freevxfs"                            # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="hfs"                                 # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+l_mpath="/lib/modules/**/kernel/$l_mtype"
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="hfsplus"                             # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+l_mpath="/lib/modules/**/kernel/$l_mtype"
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="jffs2"                               # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+l_mpath="/lib/modules/**/kernel/$l_mtype"
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="squashfs"                            # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(
+		grep -P --
+		"(^\h*install|\b$l_mname)\b" <<<"$l_loadable"
+	)"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="udf"                                 # set module name
+l_mtype="fs"                                  # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="usb-storage"                         # set module name
+l_mtype="drivers"                             # set module type
+l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf"
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+	exit 0
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if grep -q -E '^[^#]*\s/tmp\s' /etc/fstab; then
+	if grep -E '^[^#]*\s/tmp\s' /etc/fstab | grep -vq 'nodev'; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+if grep -q -E '^[^#]*\s/tmp\s' /etc/fstab; then
+	# If such a line exists, check if it contains the nosuid  flag
+	if grep -E '^[^#]*\s/tmp\s' /etc/fstab | grep -vq 'nosuid'; then
+		# If /var exists and does NOT contain nosuid, exit with 1 (error)
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/dev/shm"
+flag="nodev"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/dev/shm"
+flag="nosuid"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/dev/shm"
+flag="noexec"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/home"
+flag="nodev"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if grep -q -E '^[^#]*\s/home\s' /etc/fstab; then
+	if grep -E '^[^#]*\s/home\s' /etc/fstab | grep -vq 'nosuid'; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+if grep -q -E '^[^#]*\s/var\s' /etc/fstab; then
+	# If such a line exists, check if it contains the nodev flag
+	if grep -E '^[^#]*\s/var\s' /etc/fstab | grep -vq 'nodev'; then
+		# If /var exists and does NOT contain nodev, exit with 1 (error)
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+if grep -q -E '^[^#]*\s/var\s' /etc/fstab; then
+	# If such a line exists, check if it contains the nosuid  flag
+	if grep -E '^[^#]*\s/var\s' /etc/fstab | grep -vq 'nosuid'; then
+		# If /var exists and does NOT contain nosuid, exit with 1 (error)
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/tmp"
+flag="nodev"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/tmp"
+flag="nosuid"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/tmp"
+flag="noexec"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log"
+flag="nodev"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log"
+flag="nosuid"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log"
+flag="noexec"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log/audit"
+flag="nodev"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log/audit"
+flag="nosuid"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+directory="/var/log/audit"
+flag="noexec"
+FSTAB_FILE="/etc/fstab"
+
+if [[ ! -f "$FSTAB_FILE" ]]; then
+	echo "Error: $FSTAB_FILE does not exist."
+	exit 0
+fi
+
+if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then
+	if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then
+		exit 1
+	fi
+fi
+
+exit 0
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Define the paths to check for grub.cfg
+UBUNTU_GRUB_PATH="/boot/grub/grub.cfg"
+REDHAT_GRUB_PATH="/boot/grub2/grub.cfg"
+
+# Function to check permissions
+check_permissions() {
+	local file_path="$1"
+	if [ -f "$file_path" ]; then
+		# Get the file's permissions in octal format
+		permissions=$(stat -c "%a" "$file_path")
+		if [ "$permissions" -eq 600 ]; then
+			echo "Permissions for $file_path are correct (600)."
+			exit 0
+		else
+			echo "Permissions for $file_path are incorrect ($permissions)."
+			exit 1
+		fi
+	fi
+}
+
+# Check for Ubuntu path
+check_permissions "$UBUNTU_GRUB_PATH"
+
+# Check for Red Hat path
+check_permissions "$REDHAT_GRUB_PATH"
+
+# If neither file is found, exit with an error
+echo "grub.cfg file not found in the expected locations."
+exit 1
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+kernel_parameter="kernel.randomize_va_space"
+kernel_value="2"
+
+current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null)
+
+if [ $? -ne 0 ]; then
+	echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved."
+	exit 1
+fi
+
+if [ "$current_value" == "$kernel_value" ]; then
+	echo "Kernel parameter $kernel_parameter is set to $kernel_value"
+	exit 0
+else
+	echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)"
+	exit 1
+fi
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+kernel_parameter="kernel.yama.ptrace_scope"
+kernel_value="1"
+current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null)
+
+if [ $? -ne 0 ]; then
+	echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved."
+	exit 1
+fi
+
+if [ "$current_value" == "$kernel_value" ]; then
+	echo "Kernel parameter $kernel_parameter is set to $kernel_value"
+	exit 0
+else
+	echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)"
+	exit 1
+fi
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+PATTERN='rsyncd?\.service|rsyncd\.socket'
+
+# DebUntu rsync.service
+# rhel rsyncd.service und rsyncd.socket
+services=$(systemctl list-unit-files | grep -oE $PATTERN)
+for service in $services;
+do
+	if systemctl is-enabled $service 1>/dev/null 2>/dev/null; then
+		exit 1
+	fi
+done
+
+exit 0
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Define the files to check
+FILES=("/etc/cron.allow" "/etc/cron.deny")
+
+# Function to check a file
+check_file() {
+	local file=$1
+
+	# Check if the file exists
+	if [ ! -e "$file" ]; then
+		echo "File $file does not exist. Ignoring."
+		return 0
+	fi
+
+	# Get the file permissions in numeric format
+	local permissions=$(stat -c "%a" "$file")
+	local owner=$(stat -c "%U" "$file")
+	local group=$(stat -c "%G" "$file")
+
+	# Check if the file permissions are 0640 or more restrictive
+	if [ "$permissions" -gt 640 ]; then
+		echo "File $file permissions are not 0640 or more restrictive."
+		return 1
+	fi
+
+	# Check if the owner is root and group is root
+	if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
+		echo "File $file owner or group is not root."
+		return 1
+	fi
+
+	return 0
+}
+
+# Check each file
+for file in "${FILES[@]}"; do
+	if ! check_file "$file"; then
+		exit 1
+	fi
+done
+
+# If all checks pass, exit with status 0
+exit 0
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Define the files to check
+FILES=("/etc/at.allow" "/etc/at.deny")
+
+check_file() {
+	local file=$1
+
+	# Check if the file exists
+	if [ ! -e "$file" ]; then
+		echo "File $file does not exist. Ignoring."
+		return 0
+	fi
+
+	# Get the file permissions in numeric format
+	local permissions=$(stat -c "%a" "$file")
+	local owner=$(stat -c "%U" "$file")
+	local group=$(stat -c "%G" "$file")
+
+	# Check if the file permissions are 0640 or more restrictive
+	if [ "$permissions" -gt 640 ]; then
+		echo "File $file permissions are not 0640 or more restrictive."
+		return 1
+	fi
+
+	# Check if the owner is root and group is root
+	if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
+		echo "File $file owner or group is not root."
+		return 1
+	fi
+
+	return 0
+}
+
+# Check each file
+for file in "${FILES[@]}"; do
+	if ! check_file "$file"; then
+		exit 1
+	fi
+done
+
+# If all checks pass, exit with status 0
+exit 0
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+l_output="" l_output2=""
+module_chk() {
+	# Check how module will be loaded
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+	# Check is the module currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+	# Check if the module is deny listed
+	if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
+	l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; done | sort -u)
+	for l_mname in $l_dname; do
+		module_chk
+	done
+fi
+# Report results. If no failures output in l_output2, we pass
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **"
+	if [ -z "$l_output" ]; then
+		echo -e "\n - System has no wireless NICs installed"
+	else
+		echo -e "\n$l_output\n"
+	fi
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+	exit 1
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="dccp"                                # set module name
+l_mtype="net"                                 # set module type
+#replaced in original script to avoid wildcard
+l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null)
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="tipc"                                # set module name
+l_mtype="net"                                 # set module type
+#replaced in original script to avoid wildcard
+l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null)
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="rds"                                 # set module name
+l_mtype="net"                                 # set module type
+#replaced in original script to avoid wildcard
+l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null)
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables
+l_mname="sctp"                                # set module name
+l_mtype="net"                                 # set module type
+#replaced in original script to avoid wildcard
+l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null)
+#replaced in original script to avoid globstar operator
+l_mpath=$(find /lib/modules/ -type d -name $l_mtype)
+l_mpname="$(tr '-' '_' <<<"$l_mname")"
+l_mndir="$(tr '-' '/' <<<"$l_mname")"
+module_loadable_chk() {
+	# Check if the module is currently loadable
+	l_loadable="$(modprobe -n -v "$l_mname")"
+	[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"
+	if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+	fi
+}
+module_loaded_chk() {
+	# Check if the module is currently loaded
+	if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
+		l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+	fi
+}
+module_deny_chk() {
+	# Check if the module is deny listed
+	l_dl="y"
+	if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then
+		l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\""
+	else
+		l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+	fi
+}
+# Check if the module exists on the system
+for l_mdir in $l_mpath; do
+	if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
+		l_output3="$l_output3\n - \"$l_mdir\""
+		[ "$l_dl" != "y" ] && module_deny_chk
+		if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
+			module_loadable_chk
+			module_loaded_chk
+		fi
+	else
+		l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\""
+	fi
+done
+# Report results. If no failures output in l_output2, we pass
+[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3"
+if [ -z "$l_output2" ]; then
+	echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+else
+	echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+	[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.ip_forward" "net.ipv6.conf.all.forwarding")
+kernel_values=("0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+	fi
+done
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+kernel_parameter="net.ipv4.tcp_syncookies"
+kernel_value="1"
+current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null)
+
+if [ $? -ne 0 ]; then
+	echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved."
+	exit 1
+fi
+
+if [ "$current_value" == "$kernel_value" ]; then
+	echo "Kernel parameter $kernel_parameter is set to $kernel_value"
+	exit 0
+else
+	echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)"
+	exit 1
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv6.conf.all.accept_ra" "net.ipv6.conf.default.accept_ra")
+kernel_values=("0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.all.send_redirects" "net.ipv4.conf.default.send_redirects")
+kernel_values=("0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+kernel_parameter="net.ipv4.icmp_ignore_bogus_error_responses"
+kernel_value="1"
+current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null)
+
+if [ $? -ne 0 ]; then
+	echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved."
+	exit 1
+fi
+
+if [ "$current_value" == "$kernel_value" ]; then
+	echo "Kernel parameter $kernel_parameter is set to $kernel_value"
+	exit 0
+else
+	echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)"
+	exit 1
+fi
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+kernel_parameter="net.ipv4.icmp_echo_ignore_broadcasts"
+kernel_value="1"
+
+current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null)
+
+if [ $? -ne 0 ]; then
+	echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved."
+	exit 1
+fi
+
+if [ "$current_value" == "$kernel_value" ]; then
+	echo "Kernel parameter $kernel_parameter is set to $kernel_value"
+	exit 0
+else
+	echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)"
+	exit 1
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.all.accept_redirects" "net.ipv4.conf.default.accept_redirects" "net.ipv6.conf.all.accept_redirects" "net.ipv6.conf.default.accept_redirects")
+kernel_values=("0" "0" "0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.default.secure_redirects" "net.ipv4.conf.all.secure_redirects")
+kernel_values=("0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.all.rp_filter" "net.ipv4.conf.default.rp_filter")
+kernel_values=("1" "1")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.all.accept_source_route" "net.ipv4.conf.default.accept_source_route" "net.ipv6.conf.all.accept_source_route" "net.ipv6.conf.default.accept_source_route")
+kernel_values=("0" "0" "0" "0")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+kernel_parameters=("net.ipv4.conf.all.log_martians" "net.ipv4.conf.default.log_martians")
+kernel_values=("1" "1")
+len=${#kernel_parameters[@]}
+for ((i = 0; i < len; i++)); do
+	param=${kernel_parameters[$i]}
+	value=${kernel_values[$i]}
+	current_value=$(sysctl -n "$param" 2>/dev/null)
+
+	# Check if sysctl command was successful
+	if [ $? -ne 0 ]; then
+		echo "Error: Kernel parameter $param does not exist or could not be retrieved."
+		exit 1
+	fi
+
+	# Check if the current value matches the expected value
+	if [ "$current_value" == "$value" ]; then
+		echo "Kernel parameter $param is set correctly to $value."
+	else
+		echo "Kernel parameter $param is not set to $value (current value: $current_value)."
+		exit 1
+	fi
+done
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=maxauthtries
+parameter_sshd_config=MaxAuthTries
+desired_value=4
+
+if ! command -v sshd &>/dev/null; then
+	echo "sshd command could not be found"
+	exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+	if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
+		actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
+	else
+		echo "$parameter_sshd_config not set in sshd_config, using default"
+		exit 1
+	fi
+fi
+
+if [ "$actual_value" -le "$desired_value" ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+parameter_sshd_t=permitemptypasswords
+parameter_sshd_config=PermitEmptyPasswords
+desired_value=no
+
+if ! command -v sshd &>/dev/null; then
+	echo "sshd command could not be found"
+	exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+	if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
+		actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
+	else
+		echo "$parameter_sshd_config not set in sshd_config, using default"
+		exit 1
+	fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=permitrootlogin
+parameter_sshd_config=PermitRootLogin
+desired_value=no
+
+if ! command -v sshd &>/dev/null; then
+	echo "sshd command could not be found"
+	exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+	if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
+		actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
+	else
+
+		exit 1
+	fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+parameter_sshd_t=permituserenvironment
+parameter_sshd_config=PermitUserEnvironment
+desired_value=no
+
+if ! command -v sshd &>/dev/null; then
+	echo "sshd command could not be found"
+	exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+	if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
+		actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
+	else
+		exit 1
+	fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=usepam
+parameter_sshd_config=UsePAM
+desired_value=yes
+
+if ! command -v sshd &>/dev/null; then
+	echo "sshd command could not be found"
+	exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+	if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
+		actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
+	else
+
+		exit 1
+	fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+pmask="0133"
+maxperm="$(printf '%o' $((0777 & ~$pmask)))"
+
+find -L /etc/ssh -type f 2>/dev/null | while IFS= read -r file; do
+	if ssh-keygen -lf "$file" &>/dev/null && file "$file" | grep -qi 'OpenSSH.*public key'; then
+		read -r mode owner group < <(stat -Lc '%#a %U %G' "$file")
+		[ $((mode & pmask)) -gt 0 ] && exit 1
+		[ "$owner" != "root" ] && exit 1
+		[ "$group" != "root" ] && exit 1
+	fi
+done
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Simplified pattern
+pattern="Defaults use_pty"
+
+# Check if the pattern exists in /etc/sudoers
+if grep -E "^\s*Defaults\s+use_pty" /etc/sudoers >/dev/null; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+PATTERN="^\h*Defaults\h+([^#]+,\h*)?logfile\h*=\h*(\"|\')?\H+(\"|\')?(,\h*\H+\h*)*\h*(#.*)?$"
+FILES='/etc/sudoers*'
+
+if grep -rPsi "$PATTERN" $FILES >/dev/null 2>&1; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+timeout=$(grep -roP "timestamp_timeout=\K[0-9]*" /etc/sudoers* | grep -v "/etc/sudoers.bak")
+
+if [ -n "$timeout" ]; then
+	timeout=$(echo "$timeout" | grep -oP "[0-9]+$")
+fi
+
+if [ -z "$timeout" ]; then
+	timeout=$(sudo -V | grep -oP "(?<=Authentication timestamp timeout: )\d+")
+fi
+
+if [ -z "$timeout" ]; then
+	timeout=0
+fi
+
+timeout=${timeout:-0}
+
+if [ "$timeout" -le 15 ] && [ "$timeout" -gt 0 ]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+faillock_conf="/etc/security/faillock.conf"
+expected_value=5
+if grep -Pq '^\s*#?\s*deny\s*=\s*([0-9]+)' "$faillock_conf"; then
+	current_value=$(grep -Eo '^\s*#?\s*deny\s*=\s*([0-9]+)' "$faillock_conf" | awk -F'=' '{print $2}' | tr -d ' ')
+else
+	echo "ERROR: deny is not set in $faillock_conf."
+	exit 1
+fi
+if ((current_value <= expected_value)); then
+	exit 0
+else
+	echo "ERROR: deny=$current_value is higher than $expected_value"
+	exit 1
+fi
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+faillock_conf="/etc/security/faillock.conf"
+expected_value=900
+value="unlock_time"
+regex_pattern="^\s*#*\s*${value}\s*=\s*[0-9]+"
+
+if grep -Eq "$regex_pattern" "$faillock_conf"; then
+	current_value=$(grep -E "$regex_pattern" "$faillock_conf" | head -n 1 | sed -E "s/.*=\s*([0-9]+)/\1/" | tr -d ' ')
+	if [[ $current_value =~ ^# ]]; then
+		echo "ERROR: The line is commented out"
+		exit 1
+	fi
+	if ((current_value < expected_value)); then
+		echo "ERROR: unlock_time = $current_value < $expected_value"
+		exit 1
+	else
+		exit 0
+	fi
+else
+	echo "ERROR: No such line found for unlock_time in $faillock_conf"
+	exit 1
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+faillock_conf="/etc/security/faillock.conf"
+limit_value=60
+
+if grep -Eq "^\s*even_deny_root\s*" "$faillock_conf"; then
+	echo "Test passed: even_deny_root is correctly enabled."
+else
+	echo "ERROR: even_deny_root is missing or commented out."
+	exit 1
+fi
+
+if grep -Eq "^\s*root_unlock_time\s*=\s*[0-9]+\s*" "$faillock_conf"; then
+	current_value=$(grep -Eo "^\s*root_unlock_time\s*=\s*[0-9]+" "$faillock_conf" | awk -F'=' '{print $2}' | tr -d ' ')
+	if ((current_value >= limit_value)); then
+		echo "Test passed: root_unlock_time=$current_value is correctly set."
+	else
+		echo "ERROR: root_unlock_time=$current_value is less than $limit_value."
+		exit 1
+	fi
+else
+	echo "ERROR: root_unlock_time is missing or commented out."
+	exit 1
+fi
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Configuration file to check
+FILE="/etc/security/pwquality.conf"
+# Pattern to search for
+PATTERN="difok"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\b" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of difok using grep and sed
+	VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 2
+		if [ "$VALUE" -lt 2 ]; then
+			echo "The value of $PATTERN ($VALUE) is less than 2."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (>= 2)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Configuration file to check
+FILE="/etc/security/pwquality.conf"
+# Pattern to search for
+PATTERN="minlen"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\b" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of minlen using grep and sed
+	VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 14
+		if [ "$VALUE" -lt 14 ]; then
+			echo "The value of $PATTERN ($VALUE) is less than 14."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (>= 14)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/security/pwquality.conf"
+# Pattern to search for
+PATTERN="maxrepeat"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of maxrepeat using grep and sed
+	VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 3
+		if [ "$VALUE" -gt 3 ] || [ "$VALUE" -eq 0 ]; then
+			echo "The value of $PATTERN ($VALUE) is greather than 3 or equal to 0."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (<3 und >0)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Configuration file to check
+FILE="/etc/security/pwquality.conf"
+# Pattern to search for
+PATTERN="maxsequence"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of maxsequence using grep and sed
+	VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 3
+		if [ "$VALUE" -gt 3 ] || [ "$VALUE" -eq 0 ]; then
+			echo "The value of $PATTERN ($VALUE) is greather than 3 or equal to 0."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (<3 und >0)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/security/pwquality.conf"
+# Pattern to search for
+PATTERN="dictcheck"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of dictcheck using grep and sed
+	VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 1
+		if [ "$VALUE" -ne 1 ] || [ "$VALUE" -eq 0 ]; then
+			echo "The value of $PATTERN ($VALUE) is not the best or egal to 0. Updating to $R_VALUE."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (dictcheck = 1)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+files_to_check=$(awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*)
+if [[ -z $files_to_check ]]; then
+	echo "file was not  found"
+else
+	for file in "$files_to_check"; do
+		if grep -Eq "pam_pwhistory\.so.*use_authtok" "$file"; then
+			exit 0
+		else
+			exit 1
+		fi
+	done
+	exit 1
+fi
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+files_to_check=$(grep -El 'pam_unix\.so\s+([^#\s]+\s+)?nullok\b' /usr/share/pam-configs/*)
+if [[ -z "$files_to_check" ]]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+files_to_check=$(grep -Elz "Password-Type:.*\n.*pam_unix\.so" /usr/share/pam-configs/*)
+if [ -z "$files_to_check" ]; then
+        echo "No relevant files found."
+        exit 0
+fi
+
+for file in $files_to_check; do
+        if ! grep -Eq "pam_unix\.so.*use_authtok" "$file"; then
+                exit 1
+        fi
+done
+exit 0
+
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Configuration file to check
+FILE="/etc/login.defs"
+# Pattern to search for
+PATTERN="PASS_MAX_DAYS"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of PASS_MAX_DAYS using grep and sed
+	VALUE=$(grep -E "^#?\s*$PATTERN\s+[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 365
+		if [ "$VALUE" -gt 365 ] || [ "$VALUE" -eq 0 ]; then
+			echo "The value of $PATTERN ($VALUE) is greather than 365 or egal to 0."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (<=365)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/login.defs"
+# Pattern to search for
+PATTERN="PASS_MIN_DAYS"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of PASS_MIN_DAYS using grep and sed
+	VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=?\s*[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 0
+		if [ "$VALUE" -le 0 ]; then
+			echo "The value of $PATTERN ($VALUE) is less than 0 or egal to 0."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (>=0)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/login.defs"
+# Pattern to search for
+PATTERN="PASS_WARN_AGE"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+	grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	# Extract the value of PASS_WARN_AGE using grep and sed
+	VALUE=$(grep -E "^#?\s*$PATTERN\s+[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/')
+
+	# If the value was found and it's a valid number
+	if [[ -n "$VALUE" ]]; then
+		# Compare the extracted value with 7
+		if [ "$VALUE" -lt 7 ]; then
+			echo "The value of $PATTERN ($VALUE) is less than 7 ."
+			exit 1
+		else
+			echo "The value of $PATTERN ($VALUE) is valid (>=7)."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+else
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/login.defs"
+# Pattern to search for
+PATTERN="ENCRYPT_METHOD"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -Eq "^#?\s*$PATTERN\s+\S+$" "$FILE"
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+	# Check if the pattern is commented
+
+	grep -Eq "^#\s*$PATTERN\s+\S+$" "$FILE"
+	COMMENTED=$?
+
+	if [ $COMMENTED -eq 0 ]; then
+		echo "Pattern $PATTERN is commented."
+		exit 1
+	fi
+
+	line=$(grep -E "^\s*$PATTERN\s+\S+$" "$FILE")
+	if [ -n "$line" ]; then
+		word=$(echo "$line" | awk '{print $2}')
+	fi
+
+	if [[ -n "$word" ]]; then
+		# Compare the extracted word with SHA512 UND YESCRYPT
+		VALUE1="SHA512"
+		VALUE2="YESCRYPT"
+
+		if [ "$word" != "$VALUE1" ] && [ "$word" != "$VALUE2" ]; then
+			echo "The value of $PATTERN ($word) is not good."
+			exit 1
+		else
+			echo "The value of $PATTERN ($word) is valid (equal to SHA512 or YESCRYPT). No changes needed."
+			exit 0
+		fi
+	else
+		echo "No valid value for $PATTERN found."
+		exit 1
+	fi
+
+else
+
+	echo "Pattern $PATTERN not found."
+	exit 1
+fi
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+expected_inactive_days=45
+
+if useradd -D | grep -Eq '^\s*INACTIVE\s*=\s*'$expected_inactive_days'\b'; then
+	echo "Default inactivity period is correct."
+else
+	echo "Default inactivity period is incorrect."
+	exit 1
+fi
+
+while IFS=: read -r username password lastchg min max warn inactive_days expire; do
+	if [[ -z "$inactive_days" || "$inactive_days" == " " ]]; then
+		continue
+	fi
+
+	if [[ "$inactive_days" -gt $expected_inactive_days ]]; then
+		echo "User $username exceeds policy."
+		exit 1
+	fi
+done </etc/shadow
+exit 0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+root_gid=$(getent group root | cut -d: -f3)
+
+if [[ "$root_gid" != "0" ]]; then
+    echo "Error: The root group does not have GID 0."
+    exit 1
+fi
+
+other_groups=$(getent group | awk -F: '$3 == 0 && $1 != "root" {print $1}')
+
+if [[ -n "$other_groups" ]]; then
+    echo "Error: The following groups also have GID 0: $other_groups"
+    exit 1
+fi
+
+exit 0
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+source /root/.bashrc
+current_umask=$(umask)
+
+if [[ "$current_umask" == "0027" ]]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+l_valid_shells=$(grep -v "nologin" /etc/shells | sed -r '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|')
+
+if grep -qE '^\s*UID_MIN\s+([0-9]+)' /etc/login.defs; then
+	uid_min=$(grep -oP '^\s*UID_MIN\s+\K[0-9]+' /etc/login.defs)
+else
+	printf "ERROR: UID_MIN not found in /etc/login.defs.\n"
+	exit 1
+fi
+while IFS=: read -r username _ uid _ _ _ shell; do
+	if [[ -n "$uid" && "$uid" =~ ^[0-9]+$ ]]; then
+		if echo "$username" | grep -qE "^(root|halt|sync|shutdown|nfsnobody)$" &&
+			{ [ "$uid" -lt "$uid_min" ] || [ "$uid" -eq 65534 ]; } &&
+			echo "$shell" | grep -qE "^($l_valid_shells)$"; then
+			exit 1
+		fi
+	fi
+done </etc/passwd
+exit 0
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//p' | paste -s -d '|' - ))$"
+while IFS= read -r user; do
+    passwd -S "$user" | awk '$2 !~ /^L/ {print "Account: \"" $1 "\" does not have a valid login shell and is not locked"}'
+done < <(awk -v pat="$valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
+
+exit 0
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Define the word to search for
+PATTERN="nologin"
+FILE="/etc/shells"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+	echo "File $FILE not found."
+	exit 1
+fi
+
+grep -q -E "$PATTERN" "$FILE" >/dev/null
+FOUND=$?
+
+if [ $FOUND -eq 0 ]; then
+
+	echo "The line containing '$PATTERN' is in the File $FILE."
+	exit 1
+else
+	echo "$PATTERN is not in the File or not Found"
+	exit 0
+
+fi
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+tmout=$(grep 'typeset -xr TMOUT=900' -- /etc/bashrc /etc/profile /etc/profile.d/*.sh 2>/dev/null)
+if [[ -n "$tmout" ]]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+for file in /etc/profile.d/*.sh; do
+	if grep -P '^\s*umask\s+0027' "$file" &>/dev/null; then
+		exit 0
+	fi
+done
+
+exit 1
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+config_file="/etc/aide/aide.conf"
+pattern=("/sbin/auditctl" "/sbin/auditd" "/sbin/ausearch" "/sbin/aureport" "/sbin/autrace" "/sbin/augenrules")
+if [ ! -f "$config_file" ]; then
+	exit 0
+fi
+
+for line in "${pattern[@]}"; do
+	regex_pattern="^\s*#*\s*${line}\b"
+	if ! grep -Eq "$regex_pattern" "$config_file"; then
+		exit 1
+	fi
+done
+exit 0
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Path to the auditd configuration file
+AUDITD_CONF="/etc/audit/auditd.conf"
+
+# Check if the file exists
+if [[ -f "$AUDITD_CONF" ]]; then
+	# Use grep to search for the pattern
+	if grep -qE "^max_log_file[[:space:]]*=[[:space:]]*[0-9]+" "$AUDITD_CONF"; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "File $AUDITD_CONF does not exist."
+	exit 1
+fi
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Path to the auditd configuration file
+AUDITD_CONF="/etc/audit/auditd.conf"
+
+# Check if the file exists
+if [[ -f "$AUDITD_CONF" ]]; then
+	# Use grep to search for the exact line
+	if grep -q "^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs" "$AUDITD_CONF"; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "File $AUDITD_CONF does not exist."
+	exit 1
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+on_disk=$(awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk" ]]; then
+	exit 0
+else
+	echo "ERROR: Audit rules are NOT correctly set."
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+on_disk=$(awk '/^ *-w/ &&(/\/var\/log\/lastlog/  ||/\/var\/run\/faillock/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk" ]]; then
+	exit 0
+else
+	echo "ERROR: Audit rules are NOT correctly set."
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+on_disk=$(awk '/^ *-w/ &&(/\/etc\/selinux/  ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk" ]]; then
+	exit 0
+else
+	echo "ERROR: Audit rules are NOT correctly set."
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "$UID_MIN" ]; then
+	on_disk=$(awk '/^ *-a *always,exit/  &&/ -F *arch=b(32|64)/  &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/)  &&/ -S/  &&(/init_module/  ||/finit_module/  ||/delete_module/  ||/create_module/  ||/query_module/)  &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		echo "ERROR: on_disk != loaded"
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'UID_MIN' is unset.\n"
+	exit 1
+fi
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+on_disk=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk" ]]; then
+	exit 0
+else
+	echo "ERROR: Audit rules are NOT correctly set."
+	exit 1
+fi
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | grep -v "/etc/sudoers.bak" | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g')
+
+if [ -n "$SUDO_LOG_FILE" ]; then
+	on_disk=$(grep -E "^\s*-w\s+$SUDO_LOG_FILE\s+-p\s+wa" /etc/audit/rules.d/*.rules)
+	loaded=$(auditctl -l | grep -E "^\s*-w\s+$SUDO_LOG_FILE\s+-p\s+wa")
+	if [[ -n "$on_disk" && -n "$loaded" ]]; then
+		echo "Audit rules are correctly set."
+		exit 0
+	else
+		echo "ERROR: Audit rules are NOT correctly set or loaded."
+		exit 1
+	fi
+else
+	echo "ERROR: Variable 'SUDO_LOG_FILE' is unset or empty."
+	exit 1
+fi
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+on_disk1=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/adjtimex/ ||/settimeofday/ ||/clock_settime/ ) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+on_disk2=$(awk '/^ *-w/ &&/\/etc\/localtime/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk1" && -n "$on_disk2" ]]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+on_disk1=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+on_disk2=$(awk '/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/network/ ||/\/etc\/netplan/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules)
+
+if [[ -n "$on_disk1" && -n "$on_disk2" ]]; then
+	exit 0
+else
+	exit 1
+fi
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+test_failed=0
+for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
+	for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
+		if grep -qr "${PRIVILEGED}" /etc/audit/rules.d; then
+			printf "OK: '${PRIVILEGED}' found in on-disk configuration.\n"
+		else
+			printf "ERROR: '${PRIVILEGED}' not found in on-disk configuration.\n"
+			test_failed=1
+		fi
+	done
+done
+
+RUNNING=$(auditctl -l)
+if [ -n "${RUNNING}" ]; then
+	for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
+		for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
+			if printf -- "${RUNNING}" | grep -q "${PRIVILEGED}"; then
+				printf "OK: '${PRIVILEGED}' found in running configuration.\n"
+			else
+				printf "ERROR: '${PRIVILEGED}' not found in running configuration.\n"
+				test_failed=1
+			fi
+		done
+	done
+else
+	printf "ERROR: No rules found in running configuration.\n"
+	test_failed=1
+fi
+
+# Setze den Exit-Code basierend auf dem Test-Status
+if [ "$test_failed" -eq 0 ]; then
+	exit 0
+else
+	echo "Some checks failed."
+	exit 1
+fi
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+
+if [ -n "${UID_MIN}" ]; then
+	on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules)
+
+	if [[ -n "$on_disk" ]]; then
+		exit 0
+	else
+		exit 1
+	fi
+else
+	exit 1
+fi
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+rules_file="/etc/audit/rules.d/50-fbPro-hardening.rules"
+
+if grep -qE -- '^\s*-w\s+(\/etc\/group|\/etc\/passwd|\/etc\/gshadow|\/etc\/shadow|\/etc\/security\/opasswd|\/etc\/nsswitch\.conf|\/etc\/pam\.conf|\/etc\/pam\.d)' $rules_file &&
+	grep -qE -- '-p\s+wa' $rules_file &&
+	grep -qE -- '(\s*key=\s*[!-~]*\s*|-\s*k\s*[!-~]*\s*)' $rules_file; then
+	exit 0
+else
+	echo "ERROR: Audit rules are NOT correctly set."
+	exit 1
+fi
--- a/Show More
+++ b/Show More