IMP(5.2.x): add tests and default_config

I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh
2024-11-25 06:54:29 +01:00 · 2020-10-29 11:18:31 +01:00 · 2020-10-29 11:18:31 +01:00 · 774af39a34
commit 774af39a34
parent e288835381
25 changed files with 284 additions and 56 deletions
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."

 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the root login boolean for ssh
+OPTIONS='PermitRootLogin=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."

 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the empty password boolean for ssh
+OPTIONS='PermitEmptyPasswords=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."

 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the permit user env boolean for ssh
+OPTIONS='PermitUserEnvironment=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."

 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the ciphers
+OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
-        crit "SSHD_TIMEOUT is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
-        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."

 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for ssh
+OPTIONS='Protocol=2'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."

 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the forwarding boolean for ssh
+OPTIONS='X11Forwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."

 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the max auth tries for ssh
+OPTIONS='MaxAuthTries=4'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."

 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,14 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the rhosts boolean for ssh
+OPTIONS='IgnoreRhosts=yes'
+EOF
+}
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."

 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the hostbase boolean for ssh
+OPTIONS='HostbasedAuthentication=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/tests/hardening/5.2.10_disable_root_login.sh
+++ b/tests/hardening/5.2.10_disable_root_login.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^PermitRootLogin[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -6,5 +6,16 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^PermitEmptyPasswords[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/tests/hardening/5.2.12_disable_sshd_setenv.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^PermitUserEnvironment[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.13_sshd_ciphers.sh
+++ b/tests/hardening/5.2.13_sshd_ciphers.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^Ciphers[[:space:]]*chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/tests/hardening/5.2.16_sshd_idle_timeout.sh
@ -1,10 +1,22 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^ClientAliveInterval[[:space:]]*300 is present in /etc/ssh/sshd_config"
+    register_test contain "[ OK ] ^ClientAliveCountMax[[:space:]]*0 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/tests/hardening/5.2.17_sshd_login_grace_time.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^LoginGraceTime[[:space:]]*60 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.18_sshd_limit_access.sh
+++ b/tests/hardening/5.2.18_sshd_limit_access.sh
@ -1,10 +1,24 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.19_ssh_banner.sh
+++ b/tests/hardening/5.2.19_ssh_banner.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^Banner[[:space:]]* is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.4_sshd_protocol.sh
+++ b/tests/hardening/5.2.4_sshd_protocol.sh
@ -6,5 +6,17 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^Protocol[[:space:]]*2 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 }
--- a/tests/hardening/5.2.5_sshd_loglevel.sh
+++ b/tests/hardening/5.2.5_sshd_loglevel.sh
@ -1,12 +1,16 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    
-    describe Fix state
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true

--- a/tests/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/tests/hardening/5.2.6_disable_x11_forwarding.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^X11Forwarding[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/tests/hardening/5.2.7_sshd_maxauthtries.sh
@ -1,10 +1,21 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
+    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^MaxAuthTries[[:space:]]*4 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -6,5 +6,16 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all}
 }
--- a/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -6,5 +6,16 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^HostbasedAuthentication[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }