diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh
index 08fc071..072a833 100755
--- a/bin/hardening/4.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/4.1.1.1_audit_log_storage.sh
@@ -39,7 +39,6 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
- mkdir -p /etc/audit
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
index 8818652..428237d 100755
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@@ -44,7 +44,6 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
- mkdir -p /etc/audit/auditd.conf
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
index 40f2c3c..dcb3f59 100755
--- a/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/4.1.1.3_keep_all_audit_logs.sh
@@ -44,7 +44,6 @@ apply () {
 does_file_exist $FILE
 if [ $FNRET != 0 ]; then
 warn "$FILE does not exist, creating it"
- mkdir -p /etc/audit
 touch $FILE
 else
 ok "$FILE exists"
diff --git a/tests/docker/Dockerfile.debian10 b/tests/docker/Dockerfile.debian10
index 658e6b0..e58320a 100644
--- a/tests/docker/Dockerfile.debian10
+++ b/tests/docker/Dockerfile.debian10
@@ -2,7 +2,7 @@ FROM debian:buster
 RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/
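Review bot: Adding `auditd` to the `apt-get install` line of tests/docker/Dockerfile.debian10 (and likewise Dockerfile.debian8 and Dockerfile.debian9) means /etc/audit is present in every test image, so the tests no longer cover a host without the package, which is presumably the case the removed `mkdir -p /etc/audit` lines in the `apply ()` hunks were written for. If `$FILE` lives under /etc/audit, as those removed lines suggest, `touch $FILE` now fails on such a host and the audit configuration is never created, leaving the hardening check unapplied. I would make the dependency explicit in `apply ()`, for example `[ -d "$(dirname "$FILE")" ] || warn "auditd does not appear to be installed, cannot create $FILE"` before the `touch`, or add a test run on an image without auditd. The `apply ()` bodies start and end outside the hunks, so an existing package check elsewhere in those scripts would settle this.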
diff --git a/tests/docker/Dockerfile.debian8 b/tests/docker/Dockerfile.debian8
index 5361d8f..c9f35f3 100644
--- a/tests/docker/Dockerfile.debian8
+++ b/tests/docker/Dockerfile.debian8
@@ -2,7 +2,7 @@ FROM debian:jessie
 RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/
diff --git a/tests/docker/Dockerfile.debian9 b/tests/docker/Dockerfile.debian9
index 70a7fed..42b8809 100644
--- a/tests/docker/Dockerfile.debian9
+++ b/tests/docker/Dockerfile.debian9
@@ -2,7 +2,7 @@ FROM debian:stretch
 RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/