From 37b4f5982e81bcaed83161d1a8e86f1c104782f9 Mon Sep 17 00:00:00 2001 
From: damien cavagnini Date: Fri, 8 Aug 2025 16:12:00 +0200 Subject: [PATCH] feat: add debian12 scripts - sudo_re_authenticate.sh -> 5.2.5 - pam_pwhistory_enabled.sh -> 5.3.2.4 - pam_faillock_enabled.sh -> 5.3.2.2 This is an updated version of enable_lockout_failed_password.sh (renamed) - pam_unix_enabled.sh -> 5.3.2.1 - password_failed_lockout.sh -> 5.3.3.1.1 - password_unlock_time.sh -> 5.3.3.1.2 - password_root_unlock.sh -> 5.3.3.1.3 --- .../enable_lockout_failed_password.sh | 96 --------------- bin/hardening/pam_faillock_enabled.sh | 90 ++++++++++++++ bin/hardening/pam_pwhistory_enabled.sh | 77 ++++++++++++ bin/hardening/pam_unix_enabled.sh | 72 ++++++++++++ bin/hardening/password_failed_lockout.sh | 99 ++++++++++++++++ bin/hardening/password_root_unlock.sh | 110 ++++++++++++++++++ bin/hardening/password_unlock_time.sh | 105 +++++++++++++++++ bin/hardening/sudo_re_authenticate.sh | 73 ++++++++++++ .../enable_lockout_failed_password.sh | 19 --- tests/hardening/pam_faillock_enabled.sh | 30 +++++ tests/hardening/pam_pwhistory_enabled.sh | 29 +++++ tests/hardening/pam_unix_enabled.sh | 30 +++++ tests/hardening/password_failed_lockout.sh | 26 +++++ tests/hardening/password_root_unlock.sh | 26 +++++ tests/hardening/password_unlock_time.sh | 26 +++++ tests/hardening/sudo_re_authenticate.sh | 20 ++++ .../5.3.2_enable_lockout_failed_password.sh | 2 +- 17 files changed, 814 insertions(+), 116 deletions(-) delete mode 100755 bin/hardening/enable_lockout_failed_password.sh create mode 100755 bin/hardening/pam_faillock_enabled.sh create mode 100755 bin/hardening/pam_pwhistory_enabled.sh create mode 100755 bin/hardening/pam_unix_enabled.sh create mode 100755 bin/hardening/password_failed_lockout.sh create mode 100755 bin/hardening/password_root_unlock.sh create mode 100755 bin/hardening/password_unlock_time.sh create mode 100755 bin/hardening/sudo_re_authenticate.sh delete mode 100644 tests/hardening/enable_lockout_failed_password.sh create mode 100644 
tests/hardening/pam_faillock_enabled.sh create mode 100644 tests/hardening/pam_pwhistory_enabled.sh create mode 100644 tests/hardening/pam_unix_enabled.sh create mode 100644 tests/hardening/password_failed_lockout.sh create mode 100644 tests/hardening/password_root_unlock.sh create mode 100644 tests/hardening/password_unlock_time.sh create mode 100644 tests/hardening/sudo_re_authenticate.sh diff --git a/bin/hardening/enable_lockout_failed_password.sh b/bin/hardening/enable_lockout_failed_password.sh deleted file mode 100755 index fb256d4..0000000 --- a/bin/hardening/enable_lockout_failed_password.sh +++ /dev/null 
@@ -1,96 +0,0 @@ -#!/bin/bash - -# run-shellcheck -# -# CIS Debian Hardening -# - -# -# Ensure lockout for failed password attempts is configured (Scored) -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -# shellcheck disable=2034 -HARDENING_LEVEL=3 -# shellcheck disable=2034 -DESCRIPTION="Set lockout for failed password attemps." - -PACKAGE='libpam-modules-bin' -PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so' -PATTERN_ACCOUNT='pam_((tally[2]?)|(faillock))\.so' -FILE_AUTH='/etc/pam.d/common-auth' -FILE_ACCOUNT='/etc/pam.d/common-account' - -# This function will be called if the script status is on enabled / audit mode -audit() { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" != 0 ]; then - crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - does_pattern_exist_in_file "$FILE_AUTH" "$PATTERN_AUTH" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN_AUTH is present in $FILE_AUTH" - else - crit "$PATTERN_AUTH is not present in $FILE_AUTH" - fi - does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" - else - crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT" - fi - fi -} - -# This function will be called if the script status is on enabled mode -apply() { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install "$PACKAGE" - fi - does_pattern_exist_in_file "$FILE_AUTH" "$PATTERN_AUTH" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN_AUTH is present in $FILE_AUTH" - else - warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it" - add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details." 
- fi - does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" - else - warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it" - add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details." - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - # shellcheck source=../../debian/default - . /etc/default/cis-hardening -fi -if [ -z "$CIS_LIB_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_LIB_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "${CIS_LIB_DIR}"/main.sh ]; then - # shellcheck source=../../lib/main.sh - . "${CIS_LIB_DIR}"/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/pam_faillock_enabled.sh b/bin/hardening/pam_faillock_enabled.sh new file mode 100755 index 0000000..34fc15c --- /dev/null +++ b/bin/hardening/pam_faillock_enabled.sh 
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure pam_faillock module is enabled (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure pam_faillock module is enabled"
+
+PAM_FILES="/etc/pam.d/common-auth /etc/pam.d/common-account"
+PAM_PATTERN="^[^#].*pam_faillock.so"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ PAM_VALID=0
+
+ for PAM_FILE in $PAM_FILES; do
+ if grep "$PAM_PATTERN" "$PAM_FILE" >/dev/null 2>&1; then
+ info "pam_faillock found in $PAM_FILE"
+ else
+ crit "pam_faillock not found in $PAM_FILE"
+ PAM_VALID=1
+ fi
+ done
+
+ if [ "$PAM_VALID" -eq 0 ]; then
+ ok "pam_faillock is enabled"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ if [ "$PAM_VALID" -ne 0 ]; then
+ # check if already present in an pam-auth-update profile
+ # if not
+ # - add in a profile
+ # then in all cases : pam-auth-update --enable {PROFILE_NAME}
+ if ! grep "$PAM_PATTERN" /usr/share/pam-configs/*; then
+ pam_update_profile="faillock faillock_notify"
+ arr=('Name: Enable pam_faillock to deny access' 'Default: yes' 'Priority: 0' 'Auth-Type: Primary' 'Auth:' ' [default=die] pam_faillock.so authfail')
+ printf '%s\n' "${arr[@]}" >/usr/share/pam-configs/failock
+
+ arr=('Name: Notify of failed login attempts and reset count upon success' 'Default: yes' 'Priority: 1024' 'Auth-Type: Primary' 'Auth:' ' requisite pam_faillock.so preauth' 'Account-Type: Primary' 'Account:' ' required pam_faillock.so')
+ printf '%s\n' "${arr[@]}" >/usr/share/pam-configs/faillock_notify
+
+ else
+ pam_update_profile="$(grep -l "$PAM_PATTERN" /usr/share/pam-configs/* | paste -s)"
+ fi
+
+ info "Applying 'pam-auth-update' to enable pam_faillock.so"
+ for profile in $pam_update_profile; do
+ DEBIAN_FRONTEND='noninteractive' pam-auth-update --force --enable "$profile"
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/pam_pwhistory_enabled.sh b/bin/hardening/pam_pwhistory_enabled.sh
new file mode 100755
index 0000000..c590584
--- /dev/null
+++ b/bin/hardening/pam_pwhistory_enabled.sh
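Review bot: In apply() of bin/hardening/pam_faillock_enabled.sh, the first generated profile is written to `/usr/share/pam-configs/failock` (one "l"), but `pam_update_profile` lists it as `faillock`, so the loop below asks `pam-auth-update --enable` for a profile this script never created. The `[default=die] pam_faillock.so authfail` rule is then likely never enabled, which would leave the lockout this check is meant to turn on without its failure-recording step. The redirect should use the same name: `printf '%s\n' "${arr[@]}" >/usr/share/pam-configs/faillock`. A short comment above the two `arr=(…)` blocks saying that each file name must match an entry in `pam_update_profile` would help keep them in sync.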
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure pam_pwhistory module is enabled (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure pam_pwhistory module is enabled "
+
+PAM_FILE="/etc/pam.d/common-password"
+PAM_PATTERN="^[^#].*pam_pwhistory.so"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ PAM_VALID=1
+
+ if grep "$PAM_PATTERN" "$PAM_FILE" >/dev/null 2>&1; then
+ ok "pam_pwhistory is enabled"
+ PAM_VALID=0
+ else
+ crit "pam_pwhistory is not enabled"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ if [ "$PAM_VALID" -ne 0 ]; then
+ # check if already present in an pam-auth-update profile
+ # if not
+ # - add in a profile
+ # then in all cases : pam-auth-update --enable {PROFILE_NAME}
+ if ! grep "$PAM_PATTERN" /usr/share/pam-configs/*; then
+ pam_update_profile=pwhistory
+ arr=('Name: pwhistory password history checking' 'Default: yes' 'Priority: 1024' 'Password-Type: Primary' 'Password:' ' requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok')
+ printf '%s\n' "${arr[@]}" >/usr/share/pam-configs/"$pam_update_profile"
+ else
+ pam_update_profile="$(grep -l "$PAM_PATTERN" /usr/share/pam-configs/* | head -n1)"
+ fi
+ info "Applying 'pam-auth-update' to enable pw_history.so"
+ DEBIAN_FRONTEND='noninteractive' pam-auth-update --force --enable "$pam_update_profile"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/pam_unix_enabled.sh b/bin/hardening/pam_unix_enabled.sh
new file mode 100755
index 0000000..469341a
--- /dev/null
+++ b/bin/hardening/pam_unix_enabled.sh
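Review bot: The else branch of apply() in bin/hardening/pam_pwhistory_enabled.sh fills `pam_update_profile` from `grep -l`, which prints full paths under /usr/share/pam-configs, while `pam-auth-update --enable` is, as far as I know, given profile names (the file's base name), as the other branch does with `pwhistory`. If that holds, an existing profile is found but never enabled and the audit keeps failing after apply. Taking the base name would align both branches: `pam_update_profile="$(basename "$(grep -l "$PAM_PATTERN" /usr/share/pam-configs/* | head -n1)")"`. The `paste -s` branch in bin/hardening/pam_faillock_enabled.sh has the same shape. The info message also names `pw_history.so` where the module is `pam_pwhistory.so`.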
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure pam_unix module is enabled (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure pam_unix module is enabled"
+
+PAM_FILES="/etc/pam.d/common-auth /etc/pam.d/common-account /etc/pam.d/common-session /etc/pam.d/common-password"
+PAM_PATTERN="^[^#].*pam_unix.so"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ PAM_VALID=0
+
+ for PAM_FILE in $PAM_FILES; do
+ if grep "$PAM_PATTERN" "$PAM_FILE" >/dev/null 2>&1; then
+ info "pam_unix found in $PAM_FILE"
+ else
+ crit "pam_unix not found in $PAM_FILE"
+ PAM_VALID=1
+ fi
+ done
+
+ if [ "$PAM_VALID" -eq 0 ]; then
+ ok "pam_unix is enabled"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ if [ "$PAM_VALID" -ne 0 ]; then
+ info "Applying 'pam-auth-update' to enable pam_unix.so"
+ DEBIAN_FRONTEND='noninteractive' pam-auth-update --force --enable unix
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_LIB_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "${CIS_LIB_DIR}"/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
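Review bot: `PAM_PATTERN="^[^#].*pam_unix.so"` in bin/hardening/pam_unix_enabled.sh only rejects a `#` in column one, so an indented commented-out line (whitespace, then `#`, then a mention of pam_unix.so) makes audit() report the module as enabled. Anchoring on the first non-blank character closes that gap and also escapes the dot: `PAM_PATTERN='^[[:space:]]*[^#[:space:]].*pam_unix\.so'`. The same pattern shape is used in pam_faillock_enabled.sh and pam_pwhistory_enabled.sh. Separately, apply() reads `PAM_VALID`, which only audit() assigns; with `set -u` that aborts if apply() ever runs first, and main.sh is not visible here to confirm the call order, so a comment stating that dependency (or a top-level default) would help.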
diff --git a/bin/hardening/password_failed_lockout.sh b/bin/hardening/password_failed_lockout.sh
new file mode 100755
index 0000000..8e8b7db
--- /dev/null
+++ b/bin/hardening/password_failed_lockout.sh
@@ -0,0 +1,99 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure password failed attempts lockout is configured (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure password failed attempts lockout is configured" + +MAX_ATTEMPT="" + +# This function will be called if the script status is on enabled / audit mode +audit() { + PASSWORD_LOCKOUT=0 + LOCKOUT_IN_PAM=1 + + # we want it to be set expliciteley, to avoid a default value changing from one version to another + if ! grep -Pi -- "^\h*deny\h*=\h*[1-$MAX_ATTEMPT]\b" /etc/security/faillock.conf; then + crit "password lockout is misconfigured in /etc/security/faillock.conf" + PASSWORD_LOCKOUT=1 + else + info "password lockout is correctly configured in /etc/security/faillock.conf" + fi + + for file in /usr/share/pam-configs/*; do + if grep -Pi -- "^\h*auth\h+(requisite|required|sufficient)\h+pam_faillock\.so\h+([^#\n\r]+\h+)?deny\h*=\h*[0-9]+\b" "$file" >/dev/null 2>&1; then + LOCKOUT_IN_PAM=0 + break + fi + done + + if [ "$LOCKOUT_IN_PAM" -eq 0 ]; then + # configuration in pam is going to override the one in /etc/security/faillock.conf + crit "password lockout is configured in /usr/share/pam-configs" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$PASSWORD_LOCKOUT" -ne 0 ]; then + info "update 'deny' parameter in /etc/security/faillock.conf" + sed -i '/^[[:space:]]?deny/d' /etc/security/faillock.conf + echo "deny = $MAX_ATTEMPT" >>/etc/security/faillock.conf + fi + + if [ "$LOCKOUT_IN_PAM" -eq 0 ]; then + for file in /usr/share/pam-configs/*; do + if grep -Pi -- "^\h*auth\h+(requisite|required|sufficient)\h+pam_faillock\.so\h+([^#\n\r]+\h+)?deny\h*=\h*[0-9]+\b" "$file" >/dev/null 2>&1; then + info "Remove 'deny' configuration in $file" + sed -E -i 's/deny[[:space:]]?=[[:space:]]?[0-9]+//g' "$file" + fi + 
done + + fi +} + +# This function will create the config file for this check with default values +create_config() { + cat </dev/null 2>&1; then + ROOT_UNLOCK_IN_PAM=0 + break + fi + done + + if [ "$ROOT_UNLOCK_IN_PAM" -eq 0 ]; then + # configuration in pam is going to override the one in /etc/security/faillock.conf + crit "password root_unlock_time is configured in /usr/share/pam-configs" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$ROOT_UNLOCK_VALID" -ne 0 ]; then + sed -E -i '/^[[:space:]]?root_unlock_time/d' "$CONF_FILE" + echo "root_unlock_time = $MAX_UNLOCK_TIME" >>"$CONF_FILE" + fi + + if [ "$ROOT_UNLOCK_IN_PAM" -eq 0 ]; then + for file in /usr/share/pam-configs/*; do + if grep -Pi -- '^\h*auth\h+([^#\n\r]+\h+)pam_faillock\.so\h+([^#\n\r]+\h+)?root_unlock_time\b' "$file" >/dev/null 2>&1; then + info "Remove 'unlock_time' configuration in $file" + sed -E -i 's/root_unlock_time[[:space:]]?=[[:space:]]?[0-9]+//g' "$file" + fi + done + fi +} + +# This function will create the config file for this check with default values +create_config() { + cat </dev/null 2>&1; then + UNLOCK_IN_PAM=0 + break + fi + done + + if [ "$UNLOCK_IN_PAM" -eq 0 ]; then + # configuration in pam is going to override the one in /etc/security/faillock.conf + crit "password unlock_time is configured in /usr/share/pam-configs" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$UNLOCK_TIME_VALID" -ne 0 ]; then + sed -E -i '/^[[:space:]]?unlock_time/d' "$CONF_FILE" + echo "unlock_time = $MAX_UNLOCK_TIME" >>"$CONF_FILE" + fi + + if [ "$UNLOCK_IN_PAM" -eq 0 ]; then + for file in /usr/share/pam-configs/*; do + if grep -Pi -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' "$file" >/dev/null 2>&1; then + info "Remove 'unlock_time' configuration in $file" + sed -E -i 's/unlock_time[[:space:]]?=[[:space:]]?[0-9]+//g' "$file" + fi + done + fi +} + +# This function will create the config file 
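Review bot: In apply() of bin/hardening/password_failed_lockout.sh, `sed -i '/^[[:space:]]?deny/d' /etc/security/faillock.conf` runs without `-E`, so `?` is a literal character in the basic regex and existing `deny` lines are not deleted before `deny = $MAX_ATTEMPT` is appended, leaving conflicting entries in the file. The sibling scripts use `sed -E -i`; the same form here, with `[[:space:]]*` to mirror the `\h*` that audit() accepts, would be `sed -E -i '/^[[:space:]]*deny[[:space:]]*=/d' /etc/security/faillock.conf`. tests/hardening/password_root_unlock.sh has the same `sed -i` without `-E`. In audit(), `[1-$MAX_ATTEMPT]` is a one-character class, so it is only right for a single-digit limit and becomes `[1-]` with the empty default; a comment stating the accepted range, or a numeric comparison of the extracted value, would make that explicit. The rest of this hunk (from the `create_config` heredoc on) is missing from the page, so where MAX_ATTEMPT is set cannot be checked here.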
for this check with default values +create_config() { + cat </usr/share/pam-configs/test_cis + + describe Running on purpose failed test + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" + "${CIS_CHECKS_DIR}/${script}.sh" --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + rm -f /usr/share/pam-configs/test_cis + +} diff --git a/tests/hardening/password_root_unlock.sh b/tests/hardening/password_root_unlock.sh new file mode 100644 index 0000000..1150016 --- /dev/null +++ b/tests/hardening/password_root_unlock.sh @@ -0,0 +1,26 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + + # prepare to fail + describe Prepare on purpose failed test + sed -i '/^[[:space:]]?root_unlock_time/d' /etc/security/faillock.conf + echo "auth pam_faillock.so root_unlock_time=0" >/usr/share/pam-configs/test_cis + + describe Running on purpose failed test + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" + "${CIS_CHECKS_DIR}/${script}.sh" --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe clean test + rm -f /usr/share/pam-configs/test_cis + +} diff --git a/tests/hardening/password_unlock_time.sh b/tests/hardening/password_unlock_time.sh new file mode 100644 index 0000000..59615a1 --- /dev/null +++ b/tests/hardening/password_unlock_time.sh 
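Review bot: In apply() of bin/hardening/password_unlock_time.sh, `sed -E -i 's/unlock_time[[:space:]]?=[[:space:]]?[0-9]+//g' "$file"` has no boundary before `unlock_time`, so on a line that also carries `root_unlock_time=N` it strips the tail of that option and leaves a stray `root_` argument for pam_faillock.so. A leading word boundary avoids that: `sed -E -i 's/\bunlock_time[[:space:]]?=[[:space:]]?[0-9]+//g' "$file"`. Also, apply() as shown only edits files under /usr/share/pam-configs and does not re-run `pam-auth-update`, so the generated /etc/pam.d files presumably keep the old argument until something regenerates them, while audit() appears to read only the profile directory; password_failed_lockout.sh and password_root_unlock.sh follow the same structure. Parts of this hunk are missing from the page, so this is based on the visible apply() body only.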
@@ -0,0 +1,26 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+ # prepare to fail
+ describe Prepare on purpose failed test
+ sed -E -i '/^[[:space:]]?unlock_time/d' /etc/security/faillock.conf
+ echo "pam_faillock.so unlock_time=0" >/usr/share/pam-configs/test_cis
+
+ describe Running on purpose failed test
+ register_test retvalshouldbe 1
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+ "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe clean test
+ rm -f /usr/share/pam-configs/test_cis
+
+}
diff --git a/tests/hardening/sudo_re_authenticate.sh b/tests/hardening/sudo_re_authenticate.sh
new file mode 100644
index 0000000..de37c76
--- /dev/null
+++ b/tests/hardening/sudo_re_authenticate.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe prepare failing test
+ echo "Defaults !authenticate" >/etc/sudoers.d/sudo_test
+
+ describe Running on blank host
+ register_test retvalshouldbe 1
+ # shellcheck disable=2154
+ run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+ describe clean test
+ rm -f /etc/sudoers.d/sudo_test
+
+}
diff --git a/versions/ovh_legacy/5.3.2_enable_lockout_failed_password.sh b/versions/ovh_legacy/5.3.2_enable_lockout_failed_password.sh
index 5d36a8c..daee761 120000
--- a/versions/ovh_legacy/5.3.2_enable_lockout_failed_password.sh
+++ b/versions/ovh_legacy/5.3.2_enable_lockout_failed_password.sh
@@ -1 +1 @@
-../../bin/hardening/enable_lockout_failed_password.sh
\ No newline at end of file
+../../bin/hardening/pam_faillock_enabled.sh
\ No newline at end of file