FIX: fix test for CDS

tests/hardening/6.1.13_find_suid_files.sh

@@ -4,7 +4,7 @@ test_audit() {
     # shellcheck disable=2154
     /opt/debian-cis/bin/hardening/"${script}".sh || true
     # shellcheck disable=2016
-    echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
 
     describe Running on blank host
     register_test retvalshouldbe 0

tests/hardening/6.1.14_find_sgid_files.sh

@@ -4,7 +4,7 @@ test_audit() {
     # shellcheck disable=2154
     /opt/debian-cis/bin/hardening/"${script}".sh || true
     # shellcheck disable=2016
-    echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
 
     describe Running on blank host
     register_test retvalshouldbe 0

tests/hardening/6.2.9_users_valid_homedir.sh

@@ -1,25 +1,34 @@
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
     describe Running on blank host
     register_test retvalshouldbe 0
+    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    useradd -m testhomeuser
-    chown root:root /home/testhomeuser
+    local test_user="testhomeuser"
 
-    describe Wrong home owner
+    describe Test purposely failing
+    useradd -m $test_user
+    chown root:root /home/$test_user
     register_test retvalshouldbe 1
-    run wronghomeowner /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all 
 
-    echo "EXCEPTIONS=\"/home/testhomeuser:testhomeuser:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
-    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe correcting situation
+    echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
 
-    describe Added exceptions
+
+    describe Checking resolved state
     register_test retvalshouldbe 0
-    run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup
-    rm -rf /home/testhomeuser
-    userdel -r testhomeuser
+    rm -rf "/home/${test_user:?}"
+    userdel -r $test_user
 }

tests/hardening/99.3.1_acc_shadow_sha512.sh

@@ -3,6 +3,7 @@ test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "There is no password in /etc/shadow"
+    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 

tests/hardening/99.3.2_acc_sudoers_no_all.sh

@@ -1,5 +1,10 @@
 # run-shellcheck
 test_audit() {
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    # shellcheck disable=2016
+    echo 'EXCEPT="$EXCEPT debian"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
     describe Running on blank host
     register_test retvalshouldbe 0
     dismiss_count_for_test
@@ -17,7 +22,7 @@ test_audit() {
 
 
     # shellcheck disable=2016
-    echo 'EXCEPT="$EXCEPT jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
     describe Adding jeantestuser to exceptions
     register_test retvalshouldbe 0
     register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"