Damcava35/deb12 scripts 4 (#287)

* fix: ipv6 may be enabled on a single interface

* feat: add new checks for debian12

systemd_timesyncd_is_enabled_and_running.sh	-> 2.3.2.2
rpcbind_is_disabled.sh				-> 2.1.12
ftp_client_not_installed.sh			-> 2.2.6
chrony_with_chrony_user.sh			-> 2.3.3.2
ipv6_is_enabled.sh				-> 3.1.1

---------

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>

bin/hardening/chrony_with_chrony_user.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is running as user _chrony (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is running as user _chrony"
+FILE='/etc/chrony/chrony.conf'
+CHRONY_USER="_chrony"
+USER_PATTERN="^user"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    CHRONY_USER_VALID=1
+
+    if ! $SUDO_CMD pgrep -u "$CHRONY_USER" chronyd; then
+        crit "chrony is not running as $CHRONY_USER"
+    else
+        ok "chrony is running as $CHRONY_USER"
+        CHRONY_USER_VALID=0
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$CHRONY_USER_VALID" -ne 0 ]; then
+        does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+        if [ "$FNRET" -eq 0 ]; then
+            sed -i '/'$USER_PATTERN'/d' "$FILE"
+        fi
+
+        add_end_of_file "$FILE" "user $CHRONY_USER"
+        info "$FILE modified, please restart the service"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_nfs_rpc.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 
-PACKAGES='rpcbind nfs-kernel-server'
+PACKAGES='nfs-kernel-server'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/ftp_client_not_installed.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ftp client is not installed (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure ftp client is not installed"
+PACKAGE='ftp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        # var will be reused in 'apply'
+        PACKAGE_INSTALLED=0
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is not installed"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$PACKAGE_INSTALLED" -eq 0 ]; then
+        info "Removing $PACKAGE"
+        apt remove -y "$PACKAGE"
+        apt purge -y "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ipv6_is_enabled.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure IPv6 status is identified (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IPv6 status is identified"
+IPV6_ENABLED=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ] && [ "$IPV6_ENABLED" -eq 0 ]; then
+        ok "ipv6 is enabled"
+    elif [ "$FNRET" -eq 0 ] && [ "$IPV6_ENABLED" -eq 1 ]; then
+        crit "ipv6 is enabled"
+    elif [ "$FNRET" -eq 1 ] && [ "$IPV6_ENABLED" -eq 1 ]; then
+        ok "ipv6 is disabled"
+    elif [ "$FNRET" -eq 1 ] && [ "$IPV6_ENABLED" -eq 0 ]; then
+        crit "ipv6 is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    info "Enable or disable manually IPv6 in accordance with system requirements and local site policy"
+}
+
+create_config() {
+    cat <<EOF
+# shellcheck disable=2034
+status=audit
+# if ipv6 is supposed to be enabled -> IPV6_ENABLED=0
+# if ipv6 is supposed to be disabled -> IPV6_ENABLED=1
+IPV6_ENABLED=0
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/rpcbind_is_disabled.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure rpcbind services are not in use (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure rpcbind services are not in use."
+PACKAGE='rpcbind'
+SERVICE="rpcbind.service"
+SOCKET="rpcbind.socket"
+
+# 2 scenario here:
+# - rcpbind is a dependency for another package -> disable the service, disable the socket
+# - rpcbind is not a dependency for another package -> remove the package
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+    PACKAGE_IS_DEPENDENCY=1
+    SERVICE_ENABLED=1
+    SOCKET_ENABLED=1
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        PACKAGE_INSTALLED=0 # 0 means true in bash
+    fi
+
+    is_pkg_a_dependency "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        PACKAGE_IS_DEPENDENCY=0
+    fi
+
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" = 0 ]; then
+        SERVICE_ENABLED=0
+    fi
+
+    is_socket_enabled "$SOCKET"
+    if [ "$FNRET" = 0 ]; then
+        SOCKET_ENABLED=0
+    fi
+
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency"
+
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        local active
+        active=1
+        if [ "$SERVICE_ENABLED" -eq 0 ]; then
+            active=0
+            crit "$SERVICE is enabled" && active=0
+        fi
+
+        if [ "$SOCKET_ENABLED" -eq 0 ]; then
+            active=0
+            crit "$SOCKET_ENABLED is enabled"
+        fi
+
+        if [ "$active" -eq 1 ]; then
+            ok "$PACKAGE is not used"
+        fi
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency, removing it"
+        apt_remove "$PACKAGE" -y
+        apt-get autoremove -y
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        if [ "$SERVICE_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SERVICE"
+            systemctl stop "$SERVICE"
+            systemctl mask "$SERVICE"
+        fi
+
+        if [ "$SOCKET_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SOCKET"
+            systemctl stop "$SOCKET"
+            systemctl mask "$SOCKET"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/systemd_timesyncd_is_enabled_and_running.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure systemd-timesyncd is enabled and running (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure systemd-timesyncd is enabled and running."
+PACKAGE="systemd-timesyncd"
+SERVICE="systemd-timesyncd.service"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    TIMESYNCD_INSTALLED=0
+    TIMESYNCD_ENABLED=0
+    TIMESYNCD_RUNNING=0
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_INSTALLED=1
+        crit "$PACKAGE is not installed"
+    fi
+    # no package, no need to check further
+    return
+
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_ENABLED=1
+        crit "$SERVICE is not enabled"
+    fi
+
+    is_service_active "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_RUNNING=1
+        crit "$SERVICE is not running"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    if [ "$TIMESYNCD_INSTALLED" -eq 1 ]; then
+        warn "Please install $PACKAGE manually to ensure only one time synchronization system is installed"
+    fi
+
+    if [ "$TIMESYNCD_ENABLED" -eq 1 ]; then
+        info "Enabling $SERVICE service"
+        manage_service "enable" "$SERVICE"
+    fi
+
+    if [ "$TIMESYNCD_RUNNING" -eq 1 ]; then
+        info "Starting $SERVICE service"
+        manage_service "start" "$SERVICE"
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

cisharden.sudoers

@@ -26,6 +26,7 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /usr/sbin/modprobe -n -v*,\
                         /usr/sbin/apparmor_status,\
                         /usr/bin/ss *,\
-                        /bin/ss *
+                        /bin/ss *,\
+                        /usr/bin/pgrep *
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

debian/control

@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch, coreutils, iproute2
+Depends: ${misc:Depends}, patch, coreutils, iproute2, procps
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org
  ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

lib/utils.sh

@@ -53,21 +53,28 @@ set_sysctl_param() {
 #
 
 is_ipv6_enabled() {
-    local SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
-
     does_sysctl_param_exists "net.ipv6"
     local ENABLE=1
     if [ "$FNRET" = 0 ]; then
-        for SYSCTL_VALUES in $SYSCTL_PARAMS; do
-            SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
-            SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
-            debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-            has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
-            if [ "$FNRET" != 0 ]; then
-                # we don't want to fail because ipv6 is enabled
-                # it's just an info that some scripts are going to use to decide what to do
-                info "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
-                ENABLE=0
+        # we can not rely only on sysctl net.ipv6.conf.all.disable_ipv6=1, as some interfaces may be enabled or disabled individually
+        # ex:
+        # net.ipv6.conf.all.disable_ipv6=0
+        # net.ipv6.conf.eth0.disable_ipv6=1
+        # or
+        # net.ipv6.conf.all.disable_ipv6=1
+        # net.ipv6.conf.eth0.disable_ipv6=0
+        #
+        # we don't want to use 'sysctl -a', as failure to read keys will create stderr output (even if redirected to /dev/null), that will mess with tests
+        # so we list interfaces instead...and while we are there, check their value as sysctl would do
+        for iface in /proc/sys/net/ipv6/conf/*; do
+            ifname=$(basename "$iface")
+            if [ "$ifname" != "default" ] && [ "$ifname" != "all" ]; then
+                value=$(cat "$iface"/disable_ipv6)
+                # if only one interface has ipv6, this is enough to consider it enabled
+                if [ "$value" -eq 0 ]; then
+                    ENABLE=0
+                    debug "$ifname has ipv6 enabled"
+                fi
             fi
         done
     fi
@@ -334,6 +341,27 @@ is_service_enabled() {
     fi
 }
 
+is_socket_enabled() {
+    local SOCKET=$1
+
+    # if running in a container, it does not make much sense to test for systemd / service
+    # the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices
+    # currently, did not find a unified way to manage all cases, so we check this only for systemctl usage
+    is_systemctl_running
+    if [ "$FNRET" -eq 1 ]; then
+        debug "host was not started using '/sbin/init', systemd should not be available"
+        FNRET=1
+        return
+    fi
+    if $SUDO_CMD systemctl -t socket is-enabled "$SOCKET" >/dev/null; then
+        debug "Socket $SOCKET is enabled"
+        FNRET=0
+    else
+        debug "Socket $SOCKET is disabled"
+        FNRET=1
+    fi
+}
+
 #
 # Kernel Options checks
 #

tests/docker/Dockerfile.debian11

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian12

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/hardening/chrony_with_chrony_user.sh

@@ -0,0 +1,29 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe prepare failing test
+    apt install -y chrony
+    echo "user root" >>/etc/chrony/chrony.conf
+    /usr/sbin/chronyd -Ux
+
+    describe On purpose failing test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    pkill chronyd
+    /usr/sbin/chronyd -Ux
+
+    describe resolved test
+    register_test retvalshouldbe 0
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    pkill chronyd
+    apt remove chrony -y
+
+}

tests/hardening/ftp_client_not_installed.sh

@@ -0,0 +1,21 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Prepare on purpose failed test
+    apt install -y ftp
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}

tests/hardening/ipv6_is_enabled.sh

@@ -0,0 +1,65 @@
+# shellcheck shell=bash
+# run-shellcheck
+is_ipv6_enabled() {
+
+    CURRENT_IPV6_ENABLED=1
+    if sysctl net.ipv6 >/dev/null 2>&1; then
+        for iface in /proc/sys/net/ipv6/conf/*; do
+            ifname=$(basename "$iface")
+            if [ "$ifname" != "default" ] && [ "$ifname" != "all" ]; then
+                value=$(cat "$iface"/disable_ipv6)
+                # if only one interface has ipv6, this is enough to consider it enabled
+                if [ "$value" -eq 0 ]; then
+                    CURRENT_IPV6_ENABLED=0
+                    break
+                fi
+            fi
+        done
+    fi
+}
+
+test_audit() {
+    # shellcheck disable=2154
+    "${CIS_CHECKS_DIR}/${script}.sh" --create-config-files-only
+
+    is_ipv6_enabled
+    if [ "$CURRENT_IPV6_ENABLED" -eq 0 ]; then
+        describe prepare failing test
+        # shellcheck disable=2154
+        sed -i '/^IPV6_ENABLED/s/=.*$/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+        describe Running failed test
+        register_test retvalshouldbe 1
+        # shellcheck disable=2154
+        run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+        describe fix situation
+        # shellcheck disable=2154
+        sed -i '/^IPV6_ENABLED/s/=.*$/=0/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+        describe Running successful test
+        register_test retvalshouldbe 0
+        # shellcheck disable=2154
+        run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    else
+        describe prepare failing test
+        # shellcheck disable=2154
+        sed -i '/^IPV6_ENABLED/s/=.*$/=0/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+        describe Running failed test
+        register_test retvalshouldbe 1
+        # shellcheck disable=2154
+        run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+        describe fix situation
+        sed -i '/^IPV6_ENABLED/s/=.*$/=1/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+        describe Running successful test
+        register_test retvalshouldbe 0
+        # shellcheck disable=2154
+        run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    fi
+
+}

tests/hardening/rpcbind_is_disabled.sh

@@ -0,0 +1,36 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Prepare on purpose failed test
+    apt install -y rpcbind
+    # running on a container, will can only test the package installation, not the service management
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare test package dependencies
+    # try to install a package that depends on 'rpcbind'
+    apt install -y rstatd
+    # running on a container, we can only test the package installation, not the service management
+
+    describe Running successfull test
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean installation
+    apt remove -y rpcbind rstatd
+    apt autoremove -y
+
+}

tests/hardening/systemd_timesyncd_is_enabled_and_running.sh

@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Ensure package is installed
+
+    # install dependencies
+    apt update
+    apt install -y systemd-timesyncd
+
+    # not much to test here, we are running in a container, we wont check service state
+    describe Checking blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    apt remove -y systemd-timesyncd
+    apt autoremove -y
+
+}