Merge pull request #31 from StrangeRanger/dev

Refine README documentation

Author: StrangeRanger

auditing/Lynis Installer/README.md

@@ -14,22 +14,29 @@ Downloads [Lynis](https://github.com/CISOfy/lynis), a security auditing tool for
 
 ## Usage
 
-Run the installer from the repository root:
+From the repository root:
 
 ```bash
 ./auditing/Lynis\ Installer/lynis-installer.bash
 ```
 
+OR from the script directory:
+
+```bash
+./lynis-installer.bash
+```
+
 ## After Installation
 
 To run a Lynis system audit:
 
 ```bash
 cd ~/lynis
+clear
 sudo ./lynis audit system
 ```
 
-Review the Lynis output before applying any hardening changes. Lynis findings are recommendations, not a replacement for understanding the system's role and access requirements.
+Before applying hardening changes, review the Lynis output carefully. Treat its findings as recommendations, not as a replacement for understanding your system’s security posture.
 
 ## Tested On
 

hardening/Nginx WAF/README.md

@@ -5,13 +5,11 @@
 
 Installs and configures ModSecurity with the OWASP Core Rule Set for Nginx.
 
-This script builds software from source, installs packages, writes Nginx configuration, enables ModSecurity, tests the Nginx configuration, and restarts Nginx.
-
 ## Requirements
 
 - Bash 4.0 or newer
 - Root privileges
-- Nginx installed and available in `PATH`
+- Nginx 1.24.0 or newer, installed and available in `PATH`
 - A Debian/Ubuntu-style system with `apt-get` and `dpkg`
 - Internet access
 
@@ -79,7 +77,6 @@ The script also creates or reuses build directories in the current working direc
 
 ## Safety Notes
 
-- Run this in a test environment before using it on a production web server.
 - Review local Nginx packaging conventions before running it on systems with custom Nginx builds.
 - The OWASP Core Rule Set can block legitimate traffic until tuned for the application.
 - Existing local changes in reused `ModSecurity`, `ModSecurity-nginx`, or CRS clone directories may affect the run.

hardening/Root Locker/README.md

@@ -1,6 +1,6 @@
 # Root Locker
 
-Locks the root account to prevent direct root login.
+Locks the root account password to prevent password-based root logins.
 
 > [!NOTE]
 > This does not remove administrative access for users who already have valid sudo privileges. Users may still be able to gain a root shell through tools such as `sudo su` or `sudo -i`.
@@ -13,16 +13,17 @@ Locks the root account to prevent direct root login.
 
 ## Usage
 
-Run the script from the repository root:
+From the repository root:
 
 ```bash
 sudo ./hardening/Root\ Locker/root-locker.bash
 ```
 
-## Safety Notes
+OR from the script directory:
 
-- Confirm that at least one non-root user has working sudo access before running this script.
-- Do not run this on a system where direct root login is the only available administrative access path.
+```bash
+sudo ./root-locker.bash
+```
 
 ## Verify
 
@@ -32,6 +33,8 @@ Check the root account state with:
 sudo passwd -S root
 ```
 
+The second field in the output shows the account status. `L` means the password is locked.
+
 You can also confirm sudo access from a non-root administrative account:
 
 ```bash

hardening/SSHD Hardening/README.md

@@ -2,7 +2,7 @@
 
 Hardens the OpenSSH server configuration using settings aligned with Lynis recommendations.
 
-> [!NOTE]
+> [!CAUTION]
 > This script modifies the system SSH daemon configuration. Treat it as a high-risk change on remote systems because an invalid or overly restrictive SSH configuration can lock you out.
 
 ## Requirements
@@ -15,12 +15,18 @@ Hardens the OpenSSH server configuration using settings aligned with Lynis recom
 
 ## Usage
 
-Run the script from the repository root:
+From the repository root:
 
 ```bash
 sudo ./hardening/SSHD\ Hardening/harden-sshd.bash
 ```
 
+OR from the script directory:
+
+```bash
+sudo ./harden-sshd.bash
+```
+
 ## Changes Made
 
 The script updates supported settings in `/etc/ssh/sshd_config` when those settings are already present in the file:
@@ -59,7 +65,6 @@ If `/etc/ssh/sshd_config.bak` already exists, the script asks whether to overwri
 ## Safety Notes
 
 - Keep your current SSH session open while testing a new login.
-- Make sure you have console, provider, or other recovery access before running this on a remote system.
 - Review whether agent forwarding, TCP forwarding, X11 forwarding, and session limits are compatible with your use case.
 
 ## Verify

hardening/UFW Cloudflare/README.md

@@ -15,12 +15,18 @@ Use this script for hosts where public web traffic should reach the origin serve
 
 ## Usage
 
-Run the script from the repository root:
+From the repository root:
 
 ```bash
 sudo ./hardening/UFW\ Cloudflare/ufw-cloudflare.bash
 ```
 
+OR from the script directory:
+
+```bash
+sudo ./ufw-cloudflare.bash
+```
+
 ## Execution Summary
 
 - Reads existing UFW rules marked with the `Cloudflare IP` comment.
@@ -50,7 +56,6 @@ The temporary backup is removed during normal cleanup.
 
 ## Safety Notes
 
-- Make sure you have recovery access before running it on a remote system.
 - Direct origin access may remain possible through other open ports or non-UFW firewall layers.
 
 ## Verify