fixup! IMP(4.5): rename to 1.6.1.2 improve test

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #
 
 set -e # One error, it's over
@@ -24,12 +24,19 @@ audit () {
     else
         ok "$PACKAGE is installed"
     fi
+
+    ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
     for line in $RESULT; do
         if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
             crit "$line is not configured"
+            ERROR=1
         fi
     done
+    if [ $ERROR = 0 ]; then
+        ok "$PACKAGE is configured"
+    
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -40,6 +47,7 @@ apply () {
     else
         ok "$PACKAGE is installed"
     fi
+    
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
     for line in $RESULT; do
@@ -49,9 +57,11 @@ apply () {
         fi
     done
     if [ $ERROR = 1 ]; then
-        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\/"
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
-    fi
         $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
 }
 
 # This function will check config parameters required

tests/hardening/1.6.2.1_enable_apparmor.sh

@@ -9,6 +9,13 @@ test_audit() {
         # shellcheck disable=2154
         run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        # TODO fill comprehensive tests
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is configured"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
     fi
 }