refactor: is_kernel_option_enabled

Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled We split it in different functions: - is_kernel_monolithic - is_kernel_option_enabled -> check for a kernel configuration in the running kernel - is_kernel_module_loaded -> check if a module is currently loaded - is_kernel_module_available -> check if a module is configured in all available kernel configs - is_kernel_module_disabled -> check if a kernel module is disabled in the modprobe configuration Also: - update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel" - fix "disable_usb_storage" to look for correct module name once loaded : issue #249 - the associated checks now check separately if the module is loaded, and if it is configured - for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)
2025-07-16 13:52:17 +02:00 · 2025-07-11 09:16:27 +02:00
35 changed files with 16 additions and 1390 deletions
--- a/bin/hardening/apt_gpg_is_configured.sh
+++ b/bin/hardening/apt_gpg_is_configured.sh
@ -1,105 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure GPG keys are configured (Manual)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure GPG keys are configured"
 APT_KEY_PATH="/etc/apt/trusted.gpg.d"
 APT_KEY_FILE="/etc/apt/trusted.gpg"
 # from "man apt-secure"
 SOURCES_UNSECURE_OPTION='allow-insecure=yes'
 APT_UNSECURE_OPTION='Acquire::AllowInsecureRepositories=true'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    key_files=0
    info "Verifying that apt keys are present"
    # apt-key list requires that gnupg2 is installed
    # we are not going to install it for the sake of a test, so we only check the presence of key files
    is_file_empty "$APT_KEY_FILE"
    if [ "$FNRET" -eq 1 ]; then
        info "$APT_KEY_FILE present and not empty"
        key_files=$((key_files + 1))
    fi
    does_file_exist "$APT_KEY_PATH"
    if [ "$FNRET" -ne 0 ]; then
        info "$APT_KEY_PATH is missing"
    else
        asc_files=$(find "$APT_KEY_PATH" -name '*.asc' | wc -l)
        key_files=$((key_files + asc_files))
        gpg_files=$(find "$APT_KEY_PATH" -name '*.gpg' | wc -l)
        key_files=$((key_files + gpg_files))
        if [ "$asc_files" -eq 0 ] && [ "$gpg_files" -eq 0 ]; then
            info "No key found in $APT_KEY_PATH"
        fi
    fi
    if [ "$key_files" -eq 0 ]; then
        crit "No GPG file found"
    else
        # we do not test the GPG keys validity, but we ensure we don't bypass them
        info "Ensure an unsecure option is not set in some sources list"
        unsecure_sources=$(find /etc/apt/ -name '*.list' -exec grep -l "$SOURCES_UNSECURE_OPTION" {} \;)
        if [ -n "$unsecure_sources" ]; then
            crit "Some source files use $SOURCES_UNSECURE_OPTION : $unsecure_sources"
        fi
        info "Ensure an unsecure option is not set in some apt configuration"
        unsecure_option=$(grep -R "$APT_UNSECURE_OPTION" /etc/apt | wc -l)
        if [ "$unsecure_option" -gt 0 ]; then
            crit "$APT_UNSECURE_OPTION is set in apt configuration"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    audit
    if [ "$FNRET" -gt 0 ]; then
        crit "Your configuraiton does not match the recommendation. Please fix it manually"
    else
        info "Nothing to apply"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No parameter for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/configure_systemd-timesyncd.sh
+++ b/bin/hardening/configure_systemd-timesyncd.sh
@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
+    status=$(systemctl is-enabled "$SERVICE_NAME")
-    if [ "$FNRET" -eq 0 ]; then
+    if [ "$status" = "enabled" ]; then
        ok "$SERVICE_NAME is enabled"
    else
        crit "$SERVICE_NAME is disabled"
--- a/bin/hardening/dev_shm_separate_partition.sh
+++ b/bin/hardening/dev_shm_separate_partition.sh
@ -1,80 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure /dev/shm is a separate partition (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure /dev/shm is a separate partition"
 # Quick factoring as many script use the same logic
 PARTITION="/dev/shm"
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Verifying that $PARTITION is a partition"
    FNRET=0
    is_a_partition "$PARTITION"
    if [ "$FNRET" -gt 0 ]; then
        crit "$PARTITION is not a partition"
        FNRET=2
    else
        ok "$PARTITION is a partition"
        is_mounted "$PARTITION"
        if [ "$FNRET" -gt 0 ]; then
            warn "$PARTITION is not mounted"
            FNRET=1
        else
            ok "$PARTITION is mounted"
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    audit
    if [ "$FNRET" = 0 ]; then
        ok "$PARTITION is correctly set"
    elif [ "$FNRET" = 2 ]; then
        crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
    else
        info "mounting $PARTITION"
        mount "$PARTITION"
    fi
 }
 # This function will check config parameters required
 check_config() {
    # No parameter for this script
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/disable_automounting.sh
+++ b/bin/hardening/disable_automounting.sh
@ -36,7 +36,7 @@ apply() {
    is_service_enabled "$SERVICE_NAME"
    if [ "$FNRET" = 0 ]; then
        info "Disabling $SERVICE_NAME"
-        manage_service disable "$SERVICE_NAME"
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
    else
        ok "$SERVICE_NAME is disabled"
    fi
--- a/bin/hardening/enable_auditd.sh
+++ b/bin/hardening/enable_auditd.sh
@ -50,7 +50,8 @@ apply() {
        ok "$SERVICE_NAME is enabled"
    else
        warn "$SERVICE_NAME is not enabled, enabling it"
-        manage_service enable "$SERVICE_NAME"
+        update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
        update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
    fi
 }
--- a/bin/hardening/enable_cron.sh
+++ b/bin/hardening/enable_cron.sh
@ -47,7 +47,8 @@ apply() {
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" != 0 ]; then
            info "Enabling $SERVICE_NAME"
-            manage_service enable "$SERVICE_NAME"
+            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
        else
            ok "$SERVICE_NAME is enabled"
        fi
--- a/bin/hardening/enable_libpam_pwquality.sh
+++ b/bin/hardening/enable_libpam_pwquality.sh
@ -1,67 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure pam_pwquality module is enabled (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure pam_pwquality module is enabled."
 PATTERN_COMMON='pam_pwquality.so'
 FILE_COMMON='/etc/pam.d/common-password'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    does_pattern_exist_in_file "$FILE_COMMON" "$PATTERN_COMMON"
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN_COMMON is present in $FILE_COMMON"
    else
        crit "$PATTERN_COMMON is not present in $FILE_COMMON"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
    if [ "$FNRET" = 0 ]; then
        ok "$PATTERN_COMMON is present in $FILE_COMMON"
    else
        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
        add_line_file_before_pattern "$FILE_COMMON" "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/enable_syslog-ng.sh
+++ b/bin/hardening/enable_syslog-ng.sh
@ -46,7 +46,8 @@ apply() {
        is_service_enabled "$SERVICE_NAME"
        if [ "$FNRET" != 0 ]; then
            info "Enabling $SERVICE_NAME"
-            manage_service enable "$SERVICE_NAME" >/dev/null 2>&1
+            update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
            update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
        else
            ok "$SERVICE_NAME is enabled"
        fi
--- a/bin/hardening/install_iptables.sh
+++ b/bin/hardening/install_iptables.sh
@ -1,78 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure iptables packages are installed (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure iptables firewall is installed, does not check for its configuration."
 # Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
 PACKAGES='iptables iptables-persistent'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=false
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE provides firewalling feature"
            FOUND=true
        fi
    done
    if [ "$FOUND" = false ]; then
        crit "None of the following firewall packages are installed: $PACKAGES"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE provides firewalling feature"
            FOUND=true
        fi
    done
    if [ "$FOUND" = false ]; then
        crit "None of the following firewall packages are installed: $PACKAGES, installing them"
        apt_install "$PACKAGES"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/install_libpam_pwquality.sh
+++ b/bin/hardening/install_libpam_pwquality.sh
@ -1,66 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure libpam-pwquality is installed (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure libpam-pwquality is installed "
 PACKAGE='libpam-pwquality'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install "$PACKAGE"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/install_nftables.sh
+++ b/bin/hardening/install_nftables.sh
@ -1,78 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure nftables is installed (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure nftables firewall  is installed, does not check for its configuration."
 # Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
 PACKAGES='nftables'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    FOUND=false
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE provides firewalling feature"
            FOUND=true
        fi
    done
    if [ "$FOUND" = false ]; then
        crit "None of the following firewall packages are installed: $PACKAGES"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed "$PACKAGE"
        if [ "$FNRET" = 0 ]; then
            ok "$PACKAGE provides firewalling feature"
            FOUND=true
        fi
    done
    if [ "$FOUND" = false ]; then
        crit "None of the following firewall packages are installed: $PACKAGES, installing them"
        apt_install "$PACKAGES"
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/last_password_change_past.sh
+++ b/bin/hardening/last_password_change_past.sh
--- a/bin/hardening/password_history_remember.sh
+++ b/bin/hardening/password_history_remember.sh
--- a/bin/hardening/password_complexity.sh
+++ b/bin/hardening/password_complexity.sh
@ -1,77 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure password complexity is configured (Manual)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure password minimum length is configured "
 OPTIONS=''
 FILE_QUALITY='/etc/security/pwquality.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        # note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
        PATTERN="${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            crit "$PATTERN is not present in $FILE_QUALITY"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    info "The values defined here should be adapted to one needs before applying."
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
 OPTIONS="minclass=3 dcredit=-1 ucredit=-2 ocredit=-1 lcredit=-1"
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/password_consecutive_characters.sh
+++ b/bin/hardening/password_consecutive_characters.sh
@ -1,94 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure password same consecutive characters is configured (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure password same consecutive characters is configured"
 OPTIONS=''
 FILE_QUALITY='/etc/security/pwquality.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            crit "$PATTERN is not present in $FILE_QUALITY"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        # note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
            does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
            else
                info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
            fi
        fi
    done
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
 OPTIONS="maxrepeat=3"
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/password_max_sequential_characters.sh
+++ b/bin/hardening/password_max_sequential_characters.sh
@ -1,94 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure password maximum sequential characters is configured (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure password maximum sequential characters is configured"
 OPTIONS=''
 FILE_QUALITY='/etc/security/pwquality.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        # note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            crit "$PATTERN is not present in $FILE_QUALITY"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
            does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
            else
                info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
            fi
        fi
    done
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
 OPTIONS="maxsequence=3"
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/password_min_length.sh
+++ b/bin/hardening/password_min_length.sh
@ -1,94 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure minimum password length is configured (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure password minimum length is configured "
 OPTIONS=''
 FILE_QUALITY='/etc/security/pwquality.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        # note : dont backslash regex characters, as 'does_pattern_exist_in_file' use "grep -E" which don't need it
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            crit "$PATTERN is not present in $FILE_QUALITY"
        fi
    done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo "$PW_OPT" | cut -d= -f1)
        PW_VALUE=$(echo "$PW_OPT" | cut -d= -f2)
        PATTERN="^${PW_PARAM}[[:space:]]?+=[[:space:]]?+$PW_VALUE"
        does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"
        if [ "$FNRET" = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
            does_pattern_exist_in_file "$FILE_QUALITY" "^${PW_PARAM}"
            if [ "$FNRET" != 0 ]; then
                add_end_of_file "$FILE_QUALITY" "$PW_PARAM = $PW_VALUE"
            else
                info "Parameter $PW_PARAM is present but with the wrong value -- Fixing"
                replace_in_file "$FILE_QUALITY" "^${PW_PARAM}*.*" "$PW_PARAM = $PW_VALUE"
            fi
        fi
    done
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
 OPTIONS="minlen=14"
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/bin/hardening/users_homedir_is_configured.sh
+++ b/bin/hardening/users_homedir_is_configured.sh
@ -1,161 +0,0 @@
 #!/bin/bash
 # run-shellcheck
 #
 # CIS Debian Hardening
 #
 #
 # Ensure local interactive user home directories are configured (Automated)
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Users are assigned valid home directories"
 # a home is purposefully owned by another user
 # format: <dir>:<user_name>:<owner_name>
 # ex: HOME_OWNER_EXCEPTIONS="/usr/sbin:daemon:root"
 HOME_OWNER_EXCEPTIONS=""
 # space separated list of path, where permissions are different than 0750
 HOME_PERM_EXCEPTIONS=""
 ERRORS=0
 check_home_owner() {
    # user owns home
    local user=$1
    local home=$2
    FNRET=0
    owner=$(stat -L -c "%U" "$home")
    if [ "$owner" != "$user" ]; then
        EXCEP_FOUND=0
        for excep in $HOME_OWNER_EXCEPTIONS; do
            if [ "$home:$user:$owner" = "$excep" ]; then
                ok "The home directory ($home) of user $user is owned by $owner but is part of exceptions ($home:$user:$owner)."
                EXCEP_FOUND=1
                break
            fi
        done
        if [ "$EXCEP_FOUND" -eq 0 ]; then
            crit "The home directory ($home) of user $user is owned by $owner."
            FNRET=1
        fi
    fi
 }
 check_home_perm() {
    # 750 or more restrictive
    local home=$1
    HOME_PERM_ERRORS=0
    debug "Exceptions : $HOME_PERM_EXCEPTIONS"
    debug "echo \"$HOME_PERM_EXCEPTIONS\" | grep -q $home"
    if echo "$HOME_PERM_EXCEPTIONS" | grep -q "$home"; then
        debug "$home is confirmed as an exception"
        # shellcheck disable=SC2001
        RESULT=$(sed "s!$home!!" <<<"$RESULT")
    else
        debug "$home not found in exceptions"
    fi
    if [ -d "$home" ]; then
        dirperm=$(/bin/ls -ld "$home" | cut -f1 -d" ")
        if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
            crit "Group Write permission set on directory $home"
            HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
        fi
        if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
            crit "Other Read permission set on directory $home"
            HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
        fi
        if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
            crit "Other Write permission set on directory $home"
            HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
        fi
        if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
            crit "Other Execute permission set on directory $home"
            HOME_PERM_ERRORS=$((HOME_PERM_ERRORS + 1))
        fi
    fi
 }
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do
        debug "Working on $LINE"
        USER=$(awk -F: '{print $1}' <<<"$LINE")
        USERID=$(awk -F: '{print $2}' <<<"$LINE")
        DIR=$(awk -F: '{print $3}' <<<"$LINE")
        if [ "$USERID" -ge 1000 ]; then
            if [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
                crit "The home directory ($DIR) of user $USER does not exist."
                ERRORS=$((ERRORS + 1))
            fi
            if [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
                check_home_owner "$USER" "$DIR"
                [ $FNRET -ne 0 ] && ERRORS=$((ERRORS + 1))
            fi
        fi
    done
    for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        check_home_perm "$DIR"
        ERRORS=$((ERRORS + HOME_PERM_ERRORS))
    done
    if [ "$ERRORS" -eq 0 ]; then
        ok "All home directories are correctly configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
    info "Modifying home directories may seriously harm your system, report only here"
 }
 create_config() {
    cat <<EOF
 status=audit
 # Put here user home directories exceptions
 # format: <dir>:<user_name>:<owner_name>
 HOME_OWNER_EXCEPTIONS=""
 # space separated list of path, where permissions are different than 0750
 HOME_PERM_EXCEPTIONS=""
 EOF
 }
 # This function will check config parameters required
 check_config() {
    if [ -z "$HOME_PERM_EXCEPTIONS" ]; then
        HOME_PERM_EXCEPTIONS="@"
    fi
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_LIB_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_LIB_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "${CIS_LIB_DIR}"/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -100,15 +100,6 @@ does_file_exist() {
    fi
 }
 is_file_empty() {
    local FILE=$1
    if $SUDO_CMD [ -s "$FILE" ]; then
        FNRET=1
    else
        FNRET=0
    fi
 }
 has_file_correct_ownership() {
    local FILE=$1
    local USER=$2
@ -316,17 +307,7 @@ does_group_exist() {
 is_service_enabled() {
    local SERVICE=$1
-
+    if [ "$($SUDO_CMD find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l)" -gt 0 ]; then
    # if running in a container, it does not make much sense to test for systemd / service
    # the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices
    # currently, did not find a unified way to manage all cases, so we check this only for systemctl usage
    is_using_sbin_init
    if [ "$FNRET" -eq 1 ]; then
        debug "host was not started using '/sbin/init', systemd should not be available"
        FNRET=1
        return
    fi
    if $SUDO_CMD systemctl -t service is-enabled "$SERVICE" >/dev/null; then
        debug "Service $SERVICE is enabled"
        FNRET=0
    else
@ -599,20 +580,6 @@ is_pkg_installed() {
    fi
 }
 is_pkg_a_dependency() {
    # check if package is needed by another installed package
    local PKG_NAME=$1
    local dependencies=0
    dependencies=$(grep -w "${PKG_NAME}$" /var/lib/dpkg/status | grep -cEi "depends|recommends")
    if [ "$dependencies" -gt 0 ]; then
        debug "$PKG_NAME is a dependency for another installed package"
        FNRET=0
    else
        FNRET=1
        debug "$PKG_NAME is not a dependency for another installed package"
    fi
 }
 # Returns Debian major version
 get_debian_major_version() {
@ -645,26 +612,3 @@ get_distribution() {
 is_running_in_container() {
    awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
 }
 is_using_sbin_init() {
    FNRET=0
    # remove '\0' to avoid 'command substitution: ignored null byte in input'
    if [[ $($SUDO_CMD cat /proc/1/cmdline | tr -d '\0') != "/sbin/init" ]]; then
        debug "init process is not '/sbin/init'"
        FNRET=1
    fi
 }
 manage_service() {
    local action="$1"
    local service="$2"
    is_using_sbin_init
    if [ "$FNRET" -ne 0 ]; then
        debug "/sbin/init not used, systemctl wont manage service $service"
        return
    fi
    systemctl "$action" "$service" >/dev/null 2>&1
 }
--- a/tests/hardening/apt_gpg_is_configured.sh
+++ b/tests/hardening/apt_gpg_is_configured.sh
@ -1,40 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local APT_KEY_FILE="/etc/apt/trusted.gpg"
    local APT_KEY_PATH="/etc/apt/trusted.gpg.d"
    local unsecure_source="/etc/apt/sources.list.d/unsecure.list"
    local unsecure_conf_file="/etc/apt/apt.conf.d/unsecure"
    # make sure we don't have any key
    [ -f "$APT_KEY_FILE" ] && mv "$APT_KEY_FILE" /tmp
    [ -d "$APT_KEY_PATH" ] && mv "$APT_KEY_PATH" /tmp
    describe Running non compliant missing keys
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    # fix the situation
    [ -d /tmp/trusted.gpg.d ] && mv /tmp/trusted.gpg.d /etc/apt/
    [ -f /tmp/trusted.gpg ] && mv /tmp/trusted.gpg /etc/apt/
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    echo 'deb [allow-insecure=yes] http://deb.debian.org/debian bookworm main' >"$unsecure_source"
    describe Running non compliant unsecure option in sources list
    register_test retvalshouldbe 1
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    rm -f "$unsecure_source"
    echo 'Acquire::AllowInsecureRepositories=true' >"$unsecure_conf_file"
    describe Running non compliant unsecure option in apt conf
    register_test retvalshouldbe 1
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    rm -f "$unsecure_conf_file"
 }
--- a/tests/hardening/dev_shm_separate_partition.sh
+++ b/tests/hardening/dev_shm_separate_partition.sh
@ -1,16 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/enable_auditd.sh
+++ b/tests/hardening/enable_auditd.sh
@ -1,11 +1,9 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Prepare failing test
    apt remove -y auditd
    describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@ -14,8 +12,7 @@ test_audit() {
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    describe Checking resolved state
-    # service still wont be enabled due to tests running inside a docker container
+    register_test retvalshouldbe 0
-    register_test retvalshouldbe 1
+    register_test contain "[ OK ] auditd is enabled"
    register_test contain "[ OK ] auditd is installed"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/enable_libpam_pwquality.sh
+++ b/tests/hardening/enable_libpam_pwquality.sh
@ -1,21 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    PATTERN_COMMON='pam_pwquality.so'
    FILE_COMMON='/etc/pam.d/common-password'
    # create issue
    sed -i '/'$PATTERN_COMMON'/d' "$FILE_COMMON"
    describe Running non compliant
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/install_iptables.sh
+++ b/tests/hardening/install_iptables.sh
@ -1,16 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/install_libpam_pwquality.sh
+++ b/tests/hardening/install_libpam_pwquality.sh
@ -1,16 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/install_nftables.sh
+++ b/tests/hardening/install_nftables.sh
@ -1,16 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/last_password_change_past.sh
+++ b/tests/hardening/last_password_change_past.sh
--- a/tests/hardening/password_history_remember.sh
+++ b/tests/hardening/password_history_remember.sh
--- a/tests/hardening/password_complexity.sh
+++ b/tests/hardening/password_complexity.sh
@ -1,28 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local OPTIONS="minclass=3 dcredit=-1 ucredit=-2 ocredit=-1 lcredit=-1"
    local FILE_QUALITY='/etc/security/pwquality.conf'
    # install dependencies
    apt-get update
    apt-get install -y libpam-pwquality
    # prepare to fail
    describe Prepare on purpose failed test
    sed -i '/minclass/d' $FILE_QUALITY
    describe Running on purpose failed test
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    describe Correcting situation
    echo "$OPTIONS" >>"$FILE_QUALITY"
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/password_consecutive_characters.sh
+++ b/tests/hardening/password_consecutive_characters.sh
@ -1,28 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local OPTIONS="maxrepeat=3"
    local FILE_QUALITY='/etc/security/pwquality.conf'
    # install dependencies
    apt-get update
    apt-get install -y libpam-pwquality
    # prepare to fail
    describe Prepare on purpose failed test
    sed -i '/maxrepeat/d' $FILE_QUALITY
    describe Running on purpose failed test
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    describe Correcting situation
    echo "$OPTIONS" >>"$FILE_QUALITY"
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/password_max_sequential_characters.sh
+++ b/tests/hardening/password_max_sequential_characters.sh
@ -1,28 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local OPTIONS="maxsequence=3"
    local FILE_QUALITY='/etc/security/pwquality.conf'
    # install dependencies
    apt-get update
    apt-get install -y libpam-pwquality
    # prepare to fail
    describe Prepare on purpose failed test
    sed -i '/maxsequence/d' $FILE_QUALITY
    describe Running on purpose failed test
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    describe Correcting situation
    echo "$OPTIONS" >>"$FILE_QUALITY"
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/password_min_length.sh
+++ b/tests/hardening/password_min_length.sh
@ -1,27 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local OPTIONS="minlen=14"
    local FILE_QUALITY='/etc/security/pwquality.conf'
    # install dependencies
    apt-get update
    apt-get install -y libpam-pwquality
    # prepare to fail
    describe Prepare on purpose failed test
    sed -i '/minlen/d' $FILE_QUALITY
    describe Running on purpose failed test
    register_test retvalshouldbe 1
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    describe Correcting situation
    echo "$OPTIONS" >>"$FILE_QUALITY"
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
--- a/tests/hardening/users_homedir_is_configured.sh
+++ b/tests/hardening/users_homedir_is_configured.sh
@ -1,88 +0,0 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
    local no_home_test_user="userwithouthome"
    local owner_test_user="testhomeuser"
    local perm_test_user="testhomepermuser"
    describe Running on blank host
    register_test retvalshouldbe 0
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    home_dir_missing "$no_home_test_user"
    home_dir_ownership "$owner_test_user"
    home_dir_perm "$perm_test_user"
    fix_home "$no_home_test_user" "$owner_test_user" "$perm_test_user"
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
    cleanup "$no_home_test_user" "$owner_test_user" "$perm_test_user"
 }
 home_dir_missing() {
    local test_user="$1"
    useradd -d /home/"$test_user" "$test_user"
    describe Tests purposely failing that a homdedir does not exists
    register_test retvalshouldbe 1
    register_test contain "does not exist."
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
 home_dir_ownership() {
    local test_user="$1"
    describe Test purposely failing that a user does not own its home
    useradd -d /home/"$test_user" -m "$test_user"
    chown root:root /home/"$test_user"
    chmod 0750 /home/"$test_user"
    register_test retvalshouldbe 1
    register_test contain "[ KO ] The home directory (/home/$test_user) of user $test_user is owned by root"
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
 home_dir_perm() {
    local test_user="$1"
    describe Tests purposely failing for wrong permissions on home
    useradd -d /home/"$test_user" --create-home "$test_user"
    chmod 777 /home/"$test_user"
    register_test retvalshouldbe 1
    register_test contain "Group Write permission set on directory"
    register_test contain "Other Read permission set on directory"
    register_test contain "Other Write permission set on directory"
    register_test contain "Other Execute permission set on directory"
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
 fix_home() {
    local missing_home_test_user="$1"
    local owner_test_user="$2"
    local perm_test_user="$3"
    describe correcting situation for missing home
    install -d -m 0750 -o "$missing_home_test_user" /home/"$missing_home_test_user"
    describe correcting situation for ownership
    # we don't want to erase default configurations, or others checks could fail
    # shellcheck disable=2086
    sed -i '/^HOME_OWNER_EXCEPTIONS/s|HOME_OWNER_EXCEPTIONS=\"|HOME_OWNER_EXCEPTIONS=\"/home/'$owner_test_user':'$owner_test_user':root |' ${CIS_CONF_DIR}/conf.d/${script}.cfg
    describe correcting situation for permissions
    chmod 0750 /home/"$perm_test_user"
 }
 cleanup() {
    local users="$*"
    for user in $users; do
        # owner_test_user del will fail as its home is owned by another user
        userdel -r "$user" || true
        rm -rf /home/"${user:?}" || true
    done
 }
--- a/versions/ovh_legacy/5.3.3_limit_password_reuse.sh
+++ b/versions/ovh_legacy/5.3.3_limit_password_reuse.sh
@ -1 +1 @@
-../../bin/hardening/password_history_remember.sh
+../../bin/hardening/limit_password_reuse.sh
--- a/versions/ovh_legacy/5.4.1.5_last_password_change_past.sh
+++ b/versions/ovh_legacy/5.4.1.5_last_password_change_past.sh
@ -1 +1 @@
-../../bin/hardening/password_last_change_past.sh
+../../bin/hardening/last_password_change_past.sh
		`@ -1 +1 @@`
			`../../bin/hardening/password_history_remember.sh`				`../../bin/hardening/limit_password_reuse.sh`
		`@ -1 +1 @@`
			`../../bin/hardening/password_last_change_past.sh`				`../../bin/hardening/last_password_change_past.sh`