chore: drop debian 10 and below support (#264)

Currently, the only LTS Debian are 11 and 12
We only support CIS for LTS debian

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>

.github/workflows/functionnal-tests.yml

@@ -4,13 +4,6 @@ on:
   - pull_request
   - push
 jobs:
-  functionnal-tests-docker-debian10:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-      - name: Run the tests debian10
-        run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 10/11/12 Hardening
+cis-hardening - CIS Debian 11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening
 
 # DESCRIPTION
 
-Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 10/11/12 Hardening
+# :lock: CIS Debian 11/12 Hardening
 
 
 <p align="center">
@@ -13,7 +13,7 @@
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian10` or `debian11`.
+With `target` being like `debian11` or `debian12`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -254,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
         echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
     fi
 else
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+    if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
         echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
         if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
             echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
@@ -319,10 +319,7 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
     if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
-        # shellcheck disable=SC2001
-        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
+        if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/acc_logindefs_sha512.sh

@@ -59,17 +59,9 @@ check_config() {
     :
 }
 
-# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
-# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
-# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
-        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
-    else
-        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
-        CONF_LINE="ENCRYPT_METHOD SHA512"
-    fi
+    CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+    CONF_LINE="ENCRYPT_METHOD YESCRYPT"
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_pam_sha512.sh

@@ -49,11 +49,7 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
-            else
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
-            fi
+            add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
         fi
     fi
 }
@@ -67,11 +63,7 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
-    else
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
-    fi
+    CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_shadow_sha512.sh

@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # yescrypt: Check password against $y$<salt>$<base64>
-        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
+        elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
             pw_found+="$user "
             ok "User $user has suitable yescrypt hashed password."
         # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@@ -46,11 +46,7 @@ audit() {
             ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
-                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
-            else
-                crit "User $user has a password that is not sha512crypt hashed."
-            fi
+            crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
         fi
     done
     if [[ -z "$users_reviewed" ]]; then

bin/hardening/check_distribution.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure that the distribution version is debian and that the version is 9 or 10
+# Ensure that the distribution version is debian and supported
 #
 
 set -e # One error, it's over
@@ -22,7 +22,7 @@ audit() {
     if [ "$DISTRIBUTION" != "debian" ]; then
         crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
     else
-        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is too recent and is not yet supported."
         elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

bin/hardening/enable_lockout_failed_password.sh

@@ -59,23 +59,14 @@ apply() {
         ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
         warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        if [ 10 -ge "$DEB_MAJ_VER" ]; then
-            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-        else
-            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-        fi
+        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
     fi
     does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
     else
         warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        if [ 10 -ge "$DEB_MAJ_VER" ]; then
-            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
-        else
-            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
-        fi
-
+        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
     fi
 }
 

bin/hardening/record_mac_edit.sh

@@ -17,64 +17,48 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
 
-AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
-FILE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
+AUDIT_FILE='/etc/audit/audit.rules'
+ADDITIONAL_PATH="/etc/audit/rules.d"
+FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
+    MISSING_PARAMS=()
+    index=0
+    # use find here in order to simplify test usage with sudo using secaudit user
+    FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
+    for i in "${!AUDIT_PARAMS[@]}"; do
+        debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
         SEARCH_RES=0
         for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
+            does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
             if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+                debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
             else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         done
         if [ "$SEARCH_RES" = 0 ]; then
-            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
+            crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
+            MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
+            index=$((index + 1))
         fi
     done
-    IFS=$d_IFS
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
-        SEARCH_RES=0
-        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
-            if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
-            else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
-                SEARCH_RES=1
-            fi
-        done
-        if [ "$SEARCH_RES" = 0 ]; then
-            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
-        fi
+    audit
+    changes=0
+    for i in "${!MISSING_PARAMS[@]}"; do
+        info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
+        add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
+        changes=1
     done
-    IFS=$d_IFS
+
+    [ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
 }
 
 # This function will check config parameters required

bin/hardening/ssh_cry_kex.sh

@@ -73,14 +73,7 @@ apply() {
 }
 
 create_config() {
-    set +u
-    debug "Debian version : $DEB_MAJ_VER "
-    if [[ "$DEB_MAJ_VER" -le 7 ]]; then
-        KEX='diffie-hellman-group-exchange-sha256'
-    else
-        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
-    fi
-    set -u
+    KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     cat <<EOF
 status=audit
 # Put your KexAlgorithms

bin/hardening/ssh_cry_rekey.sh

@@ -30,11 +30,7 @@ audit() {
         crit "Cannot get Debian version. Aborting..."
         return
     fi
-    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
-        set -u
-        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
-        return
-    fi
+
     set -u
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then

debian/changelog

@@ -1,3 +1,12 @@
+cis-hardening (4.1-5) unstable; urgency=medium
+
+  * drop debian10 and below support
+  * fix: ipv6_is_enabled (#251)
+  * fix: record_mac_edit.sh (#195)
+  * add --set-version to manage multiple cis versions in the future
+
+ -- Damien Cavagnini <damien.cavagnini@ovhcloud.com>  Fri, 04 Jul 2025 10:27:18 +0200
+
 cis-hardening (4.1-4) unstable; urgency=medium
 
   * allow multiple users in 5.2.18 (#228)

debian/cis-hardening.8

@@ -4,13 +4,13 @@
 .hy
 .SH NAME
 .PP
-cis-hardening - CIS Debian 10/11/12 Hardening
+cis-hardening - CIS Debian 11/12 Hardening
 .SH SYNOPSIS
 .PP
 \f[B]hardening.sh\f[R] RUN_MODE OPTIONS
 .SH DESCRIPTION
 .PP
-Modular Debian 10/11/12 security hardening scripts based on the CIS
+Modular Debian 11/12 security hardening scripts based on the CIS
 (https://www.cisecurity.org) recommendations.
 .PP
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS

debian/control

@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch
+Depends: ${misc:Depends}, patch, coreutils
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org
  ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

debian/rules

@@ -28,6 +28,7 @@ override_dh_install:
 	# (ls | sort -V | xargs -i echo /opt/cis-hardening/etc/conf.d/{} -- without README -- with ../hardening.cfg)
 	cp -R etc $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
 	cp -R lib $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+	cp -R versions $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
 	# cleanup git stuff if any
 	find $(CURDIR)/debian/$(PACKAGE) -type f -name .gitignore -delete
 

lib/constants.sh

@@ -57,6 +57,6 @@ get_distribution
 get_debian_major_version
 
 # shellcheck disable=SC2034
-SMALLEST_SUPPORTED_DEBIAN_VERSION=10
+SMALLEST_SUPPORTED_DEBIAN_VERSION=11
 # shellcheck disable=SC2034
 HIGHEST_SUPPORTED_DEBIAN_VERSION=12

lib/utils.sh

@@ -53,7 +53,7 @@ set_sysctl_param() {
 #
 
 is_ipv6_enabled() {
-    SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+    local SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
 
     does_sysctl_param_exists "net.ipv6"
     local ENABLE=1
@@ -64,7 +64,9 @@ is_ipv6_enabled() {
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
-                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+                # we don't want to fail because ipv6 is enabled
+                # it's just an info that some scripts are going to use to decide what to do
+                info "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
                 ENABLE=0
             fi
         done
@@ -570,11 +572,7 @@ get_debian_major_version() {
     DEB_MAJ_VER=""
     does_file_exist /etc/debian_version
     if [ "$FNRET" = 0 ]; then
-        if grep -q "sid" /etc/debian_version; then
-            DEB_MAJ_VER="sid"
-        else
-            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
-        fi
+        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
     else
         # shellcheck disable=2034
         DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)

tests/docker/Dockerfile.debian10

@@ -1,22 +0,0 @@
-FROM debian:buster
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-

tests/hardening/acc_logindefs_sha512.sh

@@ -36,35 +36,4 @@ test_audit() {
     register_test contain "is present in /etc/login.defs"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # DEB_MAJ_VER cannot be overwritten here;
-    # therefore we need to trick get_debian_major_version
-    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
-    echo "sid" >/etc/debian_version
-
-    describe Running on blank host as sid
-    register_test retvalshouldbe 0
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    # shellcheck disable=2154
-    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    cp /etc/login.defs /tmp/login.defs.bak
-    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
-
-    describe Fail: wrong hash function configuration as sid
-    register_test retvalshouldbe 1
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Correcting situation as sid
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" || true
-
-    describe Checking resolved state as sid
-    register_test retvalshouldbe 0
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    # Cleanup
-    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
-    unset ORIGINAL_DEB_VER
 }

tests/hardening/acc_pam_sha512.sh

@@ -21,35 +21,6 @@ test_audit() {
     describe Checking resolved state
     register_test retvalshouldbe 0
     register_test contain "is present in /etc/pam.d/common-password"
-    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # DEB_MAJ_VER cannot be overwritten here;
-    # therefore we need to trick get_debian_major_version
-    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
-    echo "sid" >/etc/debian_version
-
-    describe Running on blank host as sid
-    register_test retvalshouldbe 0
-    register_test contain "(sha512|yescrypt)"
-    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Tests purposely failing as sid
-    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
-    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
-    register_test retvalshouldbe 1
-    register_test contain "is not present"
-    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe correcting situation as sid
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
-
-    describe Checking resolved state as sid
-    register_test retvalshouldbe 0
-    register_test contain "is present in /etc/pam.d/common-password"
-    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    # Cleanup
-    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
-    unset ORIGINAL_DEB_VER
 }

tests/hardening/record_mac_edit.sh

@@ -2,8 +2,7 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
@@ -13,6 +12,6 @@ test_audit() {
 
     describe Checking resolved state
     register_test retvalshouldbe 0
-    register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
+    register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }