fixup! IMP(4.5): rename to 1.6.1.2 improve test

fixup! Move to most recent docker image for buster
2025-07-15 21:32:17 +02:00 · 2020-11-17 13:02:02 +01:00 · 2020-11-17 12:56:10 +01:00 · 2020-11-16 17:07:08 +01:00 · 2020-11-16 16:54:51 +01:00 · 2020-11-16 16:39:47 +01:00
153 changed files with 1295 additions and 310 deletions
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -5,7 +5,7 @@
 #

 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #

 set -e # One error, it's over
@ -24,7 +24,25 @@ audit () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ $ERROR = 0 ]; then
+        ok "$PACKAGE is configured"
+    
+    fi
 }

 # This function will be called if the script status is on enabled mode
@ -35,7 +53,28 @@ apply () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
 }

 # This function will check config parameters required
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -43,7 +43,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -33,7 +33,7 @@ apply () {
    if [ $FNRET = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -21,9 +21,9 @@ SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
-    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        does_sysctl_param_exists "net.ipv6"
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            if [ $FNRET != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ $FNRET = 255 ]; then
@ -37,16 +37,18 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
-        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        sysctl -w net.ipv4.route.flush=1 > /dev/null
-    elif [ $FNRET = 255 ]; then
-        warn "$SYSCTL_PARAM does not exist -- Typo?"
-    else
-        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        if [ $FNRET != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            sysctl -w net.ipv4.route.flush=1 > /dev/null
+        elif [ $FNRET = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
 }

 # This function will check config parameters required
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Disable system on audit log full."

 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -75,6 +75,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the conf for auditd
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/4.1.4_record_date_time_edit.sh
+++ b/bin/hardening/4.1.4_record_date_time_edit.sh
@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over

 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."

 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
--- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
@ -5,50 +5,113 @@
 #

 #
-# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

-HARDENING_LEVEL=3
-DESCRIPTION="Ensure logfile are created with root:640"
+# Note: this is not exacly the same check as the one described in CIS PDF

-PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);'
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Create and set permissions on syslog-ng logfiles."
+
+PERMISSIONS=''
+USER=''
+GROUP=''
+EXCEPTIONS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
    for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            warn "$FILE does not exist"
+        else
+            FOUND_EXC=0
+            if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+                debug "$FILE is found in exceptions"
+                debug "Setting special user:group:perm"
+                FOUND_EXC=1
+                local user_bak="$USER"
+                local group_bak="$GROUP"
+                local perm_bak="$PERMISSIONS"
+                USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+            fi
+            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct ownership ($USER:$GROUP)"
+            else
+                crit "$FILE ownership was not set to $USER:$GROUP"
+            fi
+            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct permissions ($PERMISSIONS)"
+            else
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
+            if [ "$FOUND_EXC" = 1 ]; then
+                debug "Resetting user:group:perm"
+                USER="$user_bak"
+                GROUP="$group_bak"
+                PERMISSIONS="$perm_bak"
+            fi
        fi
    done
-
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES"
-    fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
    for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            info "$FILE does not exist"
+            filedir=$(dirname "${FILE#/var/log/}")
+            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                debug "Creating /var/log/$filedir for $FILE"
+                debug "mkdir -p /var/log/$filedir"
+                mkdir -p /var/log/"$filedir"
+            fi
+            touch "$FILE"
+        fi
+        FOUND_EXC=0
+        if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+            debug "$FILE is found in exceptions"
+            debug "Setting special user:group:perm"
+            FOUND_EXC=1
+            local user_bak="$USER"
+            local group_bak="$GROUP"
+            local perm_bak="$PERMISSIONS"
+            USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+            GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+            PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        if [ "$FOUND_EXC" = 1 ]; then
+            debug "Resetting user:group:perm"
+            USER="$user_bak"
+            GROUP="$group_bak"
+            PERMISSIONS="$perm_bak"
        fi
    done
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
-    fi
 }

 # This function will create the config file for this check with default values
@ -56,12 +119,27 @@ create_config() {
    cat <<EOF
 status=audit
 SYSLOG_BASEDIR='/etc/syslog-ng'
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+# Put exceptions here with file:user:group:permissions
+# example: /dev/null:root:root:666
+EXCEPTIONS=''
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    :
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
 }

 # Source Root Dir Parameter
@ -75,8 +153,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."

 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the root login boolean for ssh
+OPTIONS='PermitRootLogin=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."

 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the empty password boolean for ssh
+OPTIONS='PermitEmptyPasswords=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."

 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the permit user env boolean for ssh
+OPTIONS='PermitUserEnvironment=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."

 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the ciphers
+OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
-        crit "SSHD_TIMEOUT is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
-        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@ -28,8 +28,13 @@ audit () {
        if [ $FNRET = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
        else
-            ERRORS=$((ERRORS+1))
-            crit "$FILE permissions were not set to $PERMISSIONS"
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                ERRORS=$((ERRORS+1))
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
        fi

    done
@ -64,8 +69,13 @@ apply () {
        if [ $FNRET = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
        else
-            warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
-            chmod 0$PERMISSIONS $FILE
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+                chmod 0$PERMISSIONS $FILE
+            fi
        fi
    done

--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."

 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for ssh
+OPTIONS='Protocol=2'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."

 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the forwarding boolean for ssh
+OPTIONS='X11Forwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."

 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the max auth tries for ssh
+OPTIONS='MaxAuthTries=4'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."

 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,14 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the rhosts boolean for ssh
+OPTIONS='IgnoreRhosts=yes'
+EOF
+}
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."

 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the hostbase boolean for ssh
+OPTIONS='HostbasedAuthentication=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.3.1_enable_pwquality.sh
+++ b/bin/hardening/5.3.1_enable_pwquality.sh
@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."

 PACKAGE='libpam-pwquality'

-PATTERN_COMMON="pam_pwquality.so"
-FILE_COMMON="/etc/pam.d/common-password"
+PATTERN_COMMON='pam_pwquality.so'
+FILE_COMMON='/etc/pam.d/common-password'

-PATTERNS_QUALITY=""
-FILE_QUALITY="/etc/security/pwquality.conf"
+OPTIONS=''
+FILE_QUALITY='/etc/security/pwquality.conf'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -35,11 +35,12 @@ audit () {
        else
            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
        fi
-        for PATTERN in $PATTERNS_QUALITY; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
-            PATTERN="$OPTION *= *$PARAM"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        for PW_OPT in $OPTIONS; do
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE_QUALITY"
            else
@ -58,13 +59,32 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
    else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
    fi 
+    
+    for PW_OPT in $OPTIONS; do
+        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE_QUALITY"
+        else
+            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
+            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+            if [ $FNRET != 0 ]; then
+                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+            fi
+        fi
+    done
 }

 # This function will create the config file for this check with default values
@ -72,7 +92,7 @@ create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }

--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."

 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
-FILE='/etc/pam.d/login'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
+FILE_AUTH='/etc/pam.d/common-auth'
+FILE_ACCOUNT='/etc/pam.d/common-account'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -25,11 +27,17 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_AUTH is present in $FILE_AUTH"
        else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_AUTH is not present in $FILE_AUTH"
+        fi
+        does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+        else
+            crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
        fi
    fi
 }
@ -43,13 +51,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_AUTH is present in $FILE_AUTH"
    else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "auth    required    pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
-    fi 
+        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
+        add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+    fi
+    does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+    if [ $FNRET = 0 ]; then
+        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+    else
+        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
+        add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+
+    fi
 }

 # This function will check config parameters required
--- a/bin/hardening/5.3.3_limit_password_reuse.sh
+++ b/bin/hardening/5.3.3_limit_password_reuse.sh
@ -25,7 +25,7 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
@ -43,11 +43,11 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
-        warn "$PATTERN is not present in $FILE"
+        warn "$PATTERN is not present in $FILE, adding it"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
    fi 
 }
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -34,9 +34,20 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            warn "$CONF_LINE is not present in $CONF_FILE"
+            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+        fi
+    fi
 }

+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.1_set_password_exp_days.sh
+++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration days."

 PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MAX_DAYS=90'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password change minimum number of days."

 PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MIN_DAYS=7'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration warning days."

 PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,21 +48,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
@ -73,6 +73,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_WARN_AGE=7'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/6.1.5_etc_passwd_permissions.sh
+++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh
--- a/bin/hardening/6.1.6_etc_shadow_permissions.sh
+++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh
--- a/bin/hardening/6.1.7_etc_group_permissions.sh
+++ b/bin/hardening/6.1.7_etc_group_permissions.sh
--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
@ -42,7 +42,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        for FILE in $DIR/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
--- a/bin/hardening/6.2.11_find_user_forward_files.sh
+++ b/bin/hardening/6.2.11_find_user_forward_files.sh
@ -19,7 +19,7 @@ FILENAME='.forward'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.12_find_user_netrc_files.sh
+++ b/bin/hardening/6.2.12_find_user_netrc_files.sh
@ -19,7 +19,7 @@ FILENAME='.netrc'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
+++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
@ -19,7 +19,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/.netrc; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.14_find_user_rhosts_files.sh
+++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh
@ -19,7 +19,7 @@ FILENAME=".rhosts"

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.16_check_duplicate_uid.sh
+++ b/bin/hardening/6.2.16_check_duplicate_uid.sh
@ -21,7 +21,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
    FOUND_EXCEPTIONS=""
    for LINE in $RESULT; do
        debug "Working on line $LINE"
--- a/bin/hardening/6.2.17_check_duplicate_gid.sh
+++ b/bin/hardening/6.2.17_check_duplicate_gid.sh
@ -20,7 +20,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
    for LINE in $RESULT; do
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
--- a/bin/hardening/6.2.18_check_duplicate_username.sh
+++ b/bin/hardening/6.2.18_check_duplicate_username.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
    for LINE in $RESULT; do 
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.19_check_duplicate_groupname.sh
+++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
    for LINE in $RESULT; do 
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.1_remove_empty_password_field.sh
+++ b/bin/hardening/6.2.1_remove_empty_password_field.sh
@ -14,12 +14,11 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=1
 DESCRIPTION="Ensure password fields are not empty in /etc/shadow."

-FILE='/etc/shadow'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if accounts have an empty password"
-    RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
    if [ ! -z "$RESULT" ]; then
        crit "Some accounts have an empty password"
        crit $RESULT
@ -30,7 +29,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
    if [ ! -z "$RESULT" ]; then
        warn "Some accounts have an empty password"
        for ACCOUNT in $RESULT; do
--- a/bin/hardening/6.2.7_users_valid_homedir.sh
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do 
        debug "Working on $LINE"
        USER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh
+++ b/bin/hardening/6.2.8_check_user_dir_perm.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@ -57,7 +57,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
--- a/bin/hardening/6.2.9_users_valid_homedir.sh
+++ b/bin/hardening/6.2.9_users_valid_homedir.sh
@ -21,7 +21,7 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    debug "Checking homedir exists"
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do
        debug "Working on $LINE"
        USER=$(awk -F: {'print $1'} <<< $LINE)
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,33 @@
+cis-hardening (2.1-1) stable; urgency=medium
+  * Move to most recent docker image for buster
+  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
+  * Rename 4.5 to 1.6.1.2 to be CIS9 compliant
+  * Fix apt autoremove to be non interactive
+  * Add disclaimer when checks don't require comprehensive checks
+  * Add comprehensive tests for 4.1.x
+  * Add comprehensive tests for 5.2.x
+  * Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
+  * Add comprehensive tests for 5.4.1.x
+  * Add comprehensive tests for 5.4.3, 5.4.4
+  * Add comprehensive test for 5.6
+  * Skip 4.1.3 on docker (bootloader)
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Fri, 13 Nov 2020 13:32:50 +0100
+
+cis-hardening (2.0-6) unstable; urgency=medium
+
+  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
+  * Fix permissions in 5.2.3
+  * Revert 4.2.2.3 to old check (8.2.4)
+
+ -- Thibault Ayanides <tayanide@owhcloud.com>  Mon, 16 Nov 2020 14:19:35 +0100
+
+cis-hardening (2.0-5) unstable; urgency=medium
+
+  * Hotfix for 3.1.1 wich resulted to a fail check if ipv6 is disabled 
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Thu, 12 Nov 2020 10:15:46 +0100
+
 cis-hardening (2.0-4) unstable; urgency=medium
  * Add deleted checks during renaming which should be here (3.2.6, 3.2.7, 6.2.7)
  * Delete 4.2.2, duplicate with 4.2.3
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -126,6 +126,11 @@ _does_pattern_exist_in_file() {
    fi
 }

+get_db() {
+    local DB="$1"
+    $SUDO_CMD getent --service files "$DB"
+}
+
 # Look for pattern in file that can spread over multiple lines
 # The func will remove commented lines (that begin with '#')
 # and consider the file as one long line.
--- a/tests/docker/Dockerfile.debian10_20181226
+++ b/tests/docker/Dockerfile.debian10_20181226
@ -1,8 +1,13 @@
-FROM debian:buster-20181226
+FROM debian:buster

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/docker/Dockerfile.debian8
+++ b/tests/docker/Dockerfile.debian8
@ -1,8 +1,13 @@
 FROM debian:jessie

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/docker/Dockerfile.debian9
+++ b/tests/docker/Dockerfile.debian9
@ -1,8 +1,13 @@
 FROM debian:stretch

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/tests/hardening/1.1.1.1_disable_freevxfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+    
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.2_disable_jffs2.sh
+++ b/tests/hardening/1.1.1.2_disable_jffs2.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.3_disable_hfs.sh
+++ b/tests/hardening/1.1.1.3_disable_hfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/tests/hardening/1.1.1.4_disable_hfsplus.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.5_disable_udf.sh
+++ b/tests/hardening/1.1.1.5_disable_udf.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+
--- a/tests/hardening/1.1.1.6_disable_cramfs.sh
+++ b/tests/hardening/1.1.1.6_disable_cramfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.7_disable_squashfs.sh
+++ b/tests/hardening/1.1.1.7_disable_squashfs.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+
--- a/tests/hardening/1.1.10_var_tmp_noexec.sh
+++ b/tests/hardening/1.1.10_var_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.11_var_log_partition.sh
+++ b/tests/hardening/1.1.11_var_log_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.12_var_log_audit_partition.sh
+++ b/tests/hardening/1.1.12_var_log_audit_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.13_home_partition.sh
+++ b/tests/hardening/1.1.13_home_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.14_home_nodev.sh
+++ b/tests/hardening/1.1.14_home_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.18_removable_device_nodev.sh
+++ b/tests/hardening/1.1.18_removable_device_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.19_removable_device_nosuid.sh
+++ b/tests/hardening/1.1.19_removable_device_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.20_removable_device_noexec.sh
+++ b/tests/hardening/1.1.20_removable_device_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.22_disable_automounting.sh
+++ b/tests/hardening/1.1.22_disable_automounting.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.2_tmp_partition.sh
+++ b/tests/hardening/1.1.2_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.3_tmp_nodev.sh
+++ b/tests/hardening/1.1.3_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.4_tmp_nosuid.sh
+++ b/tests/hardening/1.1.4_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.5_tmp_noexec.sh
+++ b/tests/hardening/1.1.5_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.6_var_partition.sh
+++ b/tests/hardening/1.1.6_var_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.7_var_tmp_partition.sh
+++ b/tests/hardening/1.1.7_var_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.8_var_tmp_nodev.sh
+++ b/tests/hardening/1.1.8_var_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/tests/hardening/1.1.9_var_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.6.2.1_enable_apparmor.sh
+++ b/tests/hardening/1.6.2.1_enable_apparmor.sh
@ -0,0 +1,21 @@
+# run-shellcheck
+test_audit() {
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is configured"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
+}
--- a/tests/hardening/1.8_install_updates.sh
+++ b/tests/hardening/1.8_install_updates.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.10_disable_http_server.sh
+++ b/tests/hardening/2.2.10_disable_http_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.11_disable_imap_pop.sh
+++ b/tests/hardening/2.2.11_disable_imap_pop.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.12_disable_samba.sh
+++ b/tests/hardening/2.2.12_disable_samba.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.13_disable_http_proxy.sh
+++ b/tests/hardening/2.2.13_disable_http_proxy.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.14_disable_snmp_server.sh
+++ b/tests/hardening/2.2.14_disable_snmp_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.2_disable_xwindow_system.sh
+++ b/tests/hardening/2.2.2_disable_xwindow_system.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.3_disable_avahi_server.sh
+++ b/tests/hardening/2.2.3_disable_avahi_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.4_disable_print_server.sh
+++ b/tests/hardening/2.2.4_disable_print_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.5_disable_dhcp.sh
+++ b/tests/hardening/2.2.5_disable_dhcp.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.6_disable_ldap.sh
+++ b/tests/hardening/2.2.6_disable_ldap.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/tests/hardening/2.2.7_disable_nfs_rpc.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thibault Ayanides	467e5f178c	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 13:02:02 +01:00
Thibault Ayanides	d244a2e810	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 12:56:10 +01:00
Thibault Ayanides	84bff4ac88	fixup! Move to most recent docker image for buster	2020-11-16 17:07:08 +01:00
Thibault Ayanides	d640a467e2	fixup! IMP(4.1.x): add tests for each checks	2020-11-16 16:54:51 +01:00
Thibault Ayanides	9bfb7efca1	Update changelog	2020-11-16 16:39:47 +01:00
Thibault Ayanides	7b8cca20d6	FIX(4.1.1.2): fix auditd apply	2020-11-09 11:48:48 +01:00
Thibault Ayanides	a6de243808	Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant	2020-11-09 09:00:34 +01:00
Thibault Ayanides	7e8c976722	Add disclaimer when checks don't require comprehensive checks modified: tests/hardening/1.1.1.1_disable_freevxfs.sh modified: tests/hardening/1.1.1.2_disable_jffs2.sh modified: tests/hardening/1.1.1.3_disable_hfs.sh modified: tests/hardening/1.1.1.4_disable_hfsplus.sh modified: tests/hardening/1.1.1.5_disable_udf.sh modified: tests/hardening/1.1.1.6_disable_cramfs.sh modified: tests/hardening/1.1.1.7_disable_squashfs.sh modified: tests/hardening/1.1.10_var_tmp_noexec.sh modified: tests/hardening/1.1.11_var_log_partition.sh modified: tests/hardening/1.1.12_var_log_audit_partition.sh modified: tests/hardening/1.1.13_home_partition.sh modified: tests/hardening/1.1.14_home_nodev.sh modified: tests/hardening/1.1.18_removable_device_nodev.sh modified: tests/hardening/1.1.19_removable_device_nosuid.sh modified: tests/hardening/1.1.20_removable_device_noexec.sh modified: tests/hardening/1.1.2_tmp_partition.sh modified: tests/hardening/1.1.3_tmp_nodev.sh modified: tests/hardening/1.1.4_tmp_nosuid.sh modified: tests/hardening/1.1.5_tmp_noexec.sh modified: tests/hardening/1.1.6_var_partition.sh modified: tests/hardening/1.1.7_var_tmp_partition.sh modified: tests/hardening/1.1.8_var_tmp_nodev.sh modified: tests/hardening/1.1.9_var_tmp_nosuid.sh modified: tests/hardening/1.8_install_updates.sh modified: tests/hardening/2.2.10_disable_http_server.sh modified: tests/hardening/2.2.11_disable_imap_pop.sh modified: tests/hardening/2.2.12_disable_samba.sh modified: tests/hardening/2.2.13_disable_http_proxy.sh modified: tests/hardening/2.2.14_disable_snmp_server.sh modified: tests/hardening/2.2.2_disable_xwindow_system.sh modified: tests/hardening/2.2.3_disable_avahi_server.sh modified: tests/hardening/2.2.4_disable_print_server.sh modified: tests/hardening/2.2.5_disable_dhcp.sh modified: tests/hardening/2.2.6_disable_ldap.sh modified: tests/hardening/2.2.7_disable_nfs_rpc.sh modified: tests/hardening/2.2.8_disable_dns_server.sh modified: tests/hardening/2.2.9_disable_ftp.sh modified: tests/hardening/2.3.1_disable_nis.sh modified: tests/hardening/2.3.2_disable_rsh_client.sh modified: tests/hardening/2.3.3_disable_talk_client.sh modified: tests/hardening/2.3.4_telnet_client_not_installed.sh modified: tests/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 16:20:10 +01:00
Thibault Ayanides	ffd5b28840	FIX: fix apt autoremove to be non interactive modified: bin/hardening/2.2.10_disable_http_server.sh modified: bin/hardening/2.2.11_disable_imap_pop.sh modified: bin/hardening/2.2.12_disable_samba.sh modified: bin/hardening/2.2.14_disable_snmp_server.sh modified: bin/hardening/2.2.2_disable_xwindow_system.sh modified: bin/hardening/2.2.3_disable_avahi_server.sh modified: bin/hardening/2.2.4_disable_print_server.sh modified: bin/hardening/2.2.5_disable_dhcp.sh modified: bin/hardening/2.2.6_disable_ldap.sh modified: bin/hardening/2.2.7_disable_nfs_rpc.sh modified: bin/hardening/2.2.8_disable_dns_server.sh modified: bin/hardening/2.2.9_disable_ftp.sh modified: bin/hardening/2.3.1_disable_nis.sh modified: bin/hardening/2.3.2_disable_rsh_client.sh modified: bin/hardening/2.3.3_disable_talk_client.sh modified: bin/hardening/2.3.4_telnet_client_not_installed.sh modified: bin/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 14:51:26 +01:00
Thibault Ayanides	ce1e87b1a3	IMP(4.5): rename to 1.6.1.2 improve test	2020-11-06 11:09:22 +01:00
Thibault Ayanides	b5865947ba	Move to most recent docker image for buster	2020-11-06 10:11:46 +01:00
Thibault Ayanides	ee4b2417c2	IMP(4.1.x): add tests for each checks	2020-11-02 15:47:27 +01:00
Thibault Ayanides	5568065c35	IMP(4.1.3): skip on docker (bootloader)	2020-11-02 15:46:45 +01:00
Thibault Ayanides	91a2824246	IMP(5.6): add test	2020-10-30 09:48:36 +01:00
Thibault Ayanides	47f8b7b677	IMP(5.4.4): add test	2020-10-30 09:48:27 +01:00
Thibault Ayanides	728011f846	IMP(5.4.3): add purposely failing test	2020-10-30 09:40:28 +01:00
Thibault Ayanides	17e43753b9	IMP(5.4.1.1-3): add tests and rename some variables	2020-10-30 09:39:42 +01:00
Thibault Ayanides	9aac4c3504	IMP(5.3.4): improve check	2020-10-29 16:47:34 +01:00
Thibault Ayanides	8af91dd6a8	IMP(5.3.1,5.3.2): add tests and upgrade PAM conf	2020-10-29 16:45:15 +01:00
Thibault Ayanides	feefee28e4	IMP(5.3.1): add test and config function for check	2020-10-29 15:35:56 +01:00
Thibault Ayanides	774af39a34	IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh	2020-10-29 11:18:31 +01:00
Thibault Ayanides	e288835381	Update changelog	2020-11-16 14:21:47 +01:00
Thibault Ayanides	fbd26ceefa	Fix race condition on /etc/passwd, /etc/shadow and /etc/group	2020-11-16 14:09:12 +01:00
Thibault Ayanides	501ce8c651	IMP(5.2.3): 640 permission is now ok for the check	2020-11-16 14:08:42 +01:00
Thibault Ayanides	829ee8631f	Revert to previous check (8.2.4 in old num)	2020-11-16 14:06:39 +01:00
Thibault Ayanides	6620a82f34	Update changelog	2020-11-12 10:17:32 +01:00
Thibault	3c7a03445c	FIX(3.1.1): fix unbound variable issue	2020-11-12 10:15:41 +01:00