FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.

bin/hardening.sh

@@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit
 
 OPTIONS:
 
@@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
         --allow-service-list)
             ALLOW_SERVICE_LIST=1
         ;;
+        --create-config-files-only)
+            CREATE_CONFIG=1
+        ;;
         --allow-service)
             ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
             shift
@@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
     usage
 fi
 
@@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
     exit 0
 fi
 
+if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     fi
 
     info "Treating $SCRIPT"
-
-    if [ $AUDIT = 1 ]; then
+    if [ $CREATE_CONFIG = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        $SCRIPT --create-config-files-only $BATCH_MODE
+    elif [ $AUDIT = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
         $SCRIPT --audit $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL = 1 ]; then

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #
 
 set -e # One error, it's over
@@ -24,7 +24,25 @@ audit () {
     else
         ok "$PACKAGE is installed"
     fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ $ERROR = 0 ]; then
+        ok "$PACKAGE is configured"
+    
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -35,7 +53,28 @@ apply () {
     else
         ok "$PACKAGE is installed"
     fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/2.2.10_disable_http_server.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.12_disable_samba.sh

@@ -43,7 +43,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.4_disable_print_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.5_disable_dhcp.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.6_disable_ldap.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.8_disable_dns_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.9_disable_ftp.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.1_disable_nis.sh

@@ -33,7 +33,7 @@ apply () {
     if [ $FNRET = 0 ]; then
         crit "$PACKAGE is installed, purging it"
         apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get autoremove -y
     else
         ok "$PACKAGE is absent"
     fi

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.3_disable_talk_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Disable system on audit log full."
 
 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -75,6 +75,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the conf for auditd
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/4.1.4_record_date_time_edit.sh

@@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."
 
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh

@@ -5,50 +5,113 @@
 #
 
 #
-# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-HARDENING_LEVEL=3
-DESCRIPTION="Ensure logfile are created with root:640"
+# Note: this is not exacly the same check as the one described in CIS PDF
 
-PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);'
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Create and set permissions on syslog-ng logfiles."
+
+PERMISSIONS=''
+USER=''
+GROUP=''
+EXCEPTIONS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
     for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            warn "$FILE does not exist"
+        else
+            FOUND_EXC=0
+            if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+                debug "$FILE is found in exceptions"
+                debug "Setting special user:group:perm"
+                FOUND_EXC=1
+                local user_bak="$USER"
+                local group_bak="$GROUP"
+                local perm_bak="$PERMISSIONS"
+                USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+            fi
+            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct ownership ($USER:$GROUP)"
+            else
+                crit "$FILE ownership was not set to $USER:$GROUP"
+            fi
+            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct permissions ($PERMISSIONS)"
+            else
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
+            if [ "$FOUND_EXC" = 1 ]; then
+                debug "Resetting user:group:perm"
+                USER="$user_bak"
+                GROUP="$group_bak"
+                PERMISSIONS="$perm_bak"
+            fi
         fi
     done
-
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES"
-    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
     for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            info "$FILE does not exist"
+            filedir=$(dirname "${FILE#/var/log/}")
+            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                debug "Creating /var/log/$filedir for $FILE"
+                debug "mkdir -p /var/log/$filedir"
+                mkdir -p /var/log/"$filedir"
+            fi
+            touch "$FILE"
+        fi
+        FOUND_EXC=0
+        if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+            debug "$FILE is found in exceptions"
+            debug "Setting special user:group:perm"
+            FOUND_EXC=1
+            local user_bak="$USER"
+            local group_bak="$GROUP"
+            local perm_bak="$PERMISSIONS"
+            USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+            GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+            PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        if [ "$FOUND_EXC" = 1 ]; then
+            debug "Resetting user:group:perm"
+            USER="$user_bak"
+            GROUP="$group_bak"
+            PERMISSIONS="$perm_bak"
         fi
     done
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
-    fi
 }
 
 # This function will create the config file for this check with default values
@@ -56,12 +119,27 @@ create_config() {
     cat <<EOF
 status=audit
 SYSLOG_BASEDIR='/etc/syslog-ng'
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+# Put exceptions here with file:user:group:permissions
+# example: /dev/null:root:root:666
+EXCEPTIONS=''
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    :
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
 }
 
 # Source Root Dir Parameter
@@ -75,8 +153,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/5.2.10_disable_root_login.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the root login boolean for ssh
+OPTIONS='PermitRootLogin=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the empty password boolean for ssh
+OPTIONS='PermitEmptyPasswords=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the permit user env boolean for ssh
+OPTIONS='PermitUserEnvironment=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."
 
 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the ciphers
+OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."
 
 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
@@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
-        crit "SSHD_TIMEOUT is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }
 
 # Source Root Dir Parameter

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."
 
 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
@@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
-        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }
 
 # Source Root Dir Parameter

bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -28,8 +28,13 @@ audit () {
         if [ $FNRET = 0 ]; then
             ok "$FILE permissions were set to $PERMISSIONS"
         else
-            ERRORS=$((ERRORS+1))
-            crit "$FILE permissions were not set to $PERMISSIONS"
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                ERRORS=$((ERRORS+1))
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
         fi
 
     done
@@ -64,8 +69,13 @@ apply () {
         if [ $FNRET = 0 ]; then
             ok "$FILE permissions were set to $PERMISSIONS"
         else
-            warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
-            chmod 0$PERMISSIONS $FILE
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+                chmod 0$PERMISSIONS $FILE
+            fi
         fi
     done
 

bin/hardening/5.2.4_sshd_protocol.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."
 
 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for ssh
+OPTIONS='Protocol=2'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."
 
 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the forwarding boolean for ssh
+OPTIONS='X11Forwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."
 
 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the max auth tries for ssh
+OPTIONS='MaxAuthTries=4'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."
 
 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,14 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the rhosts boolean for ssh
+OPTIONS='IgnoreRhosts=yes'
+EOF
+}
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."
 
 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the hostbase boolean for ssh
+OPTIONS='HostbasedAuthentication=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.3.1_enable_pwquality.sh

@@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
 
 PACKAGE='libpam-pwquality'
 
-PATTERN_COMMON="pam_pwquality.so"
-FILE_COMMON="/etc/pam.d/common-password"
+PATTERN_COMMON='pam_pwquality.so'
+FILE_COMMON='/etc/pam.d/common-password'
 
-PATTERNS_QUALITY=""
-FILE_QUALITY="/etc/security/pwquality.conf"
+OPTIONS=''
+FILE_QUALITY='/etc/security/pwquality.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -35,11 +35,12 @@ audit () {
         else
             crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
-        for PATTERN in $PATTERNS_QUALITY; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
-            PATTERN="$OPTION *= *$PARAM"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        for PW_OPT in $OPTIONS; do
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE_QUALITY"
             else
@@ -58,13 +59,32 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
     if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
     else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
     fi 
+    
+    for PW_OPT in $OPTIONS; do
+        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE_QUALITY"
+        else
+            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
+            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+            if [ $FNRET != 0 ]; then
+                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+            fi
+        fi
+    done
 }
 
 # This function will create the config file for this check with default values
@@ -72,7 +92,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }
 

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 
 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
-FILE='/etc/pam.d/login'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
+FILE_AUTH='/etc/pam.d/common-auth'
+FILE_ACCOUNT='/etc/pam.d/common-account'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,11 +27,17 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
         if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_AUTH is present in $FILE_AUTH"
         else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_AUTH is not present in $FILE_AUTH"
+        fi
+        does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+        else
+            crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
         fi
     fi
 }
@@ -43,13 +51,21 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
     if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "auth    required    pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
-    fi 
+        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
+        add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+    fi
+    does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+    if [ $FNRET = 0 ]; then
+        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+    else
+        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
+        add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/5.3.3_limit_password_reuse.sh

@@ -25,7 +25,7 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE "$PATTERN"
         if [ $FNRET = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
@@ -43,11 +43,11 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE "$PATTERN"
     if [ $FNRET = 0 ]; then
         ok "$PATTERN is present in $FILE"
     else
-        warn "$PATTERN is not present in $FILE"
+        warn "$PATTERN is not present in $FILE, adding it"
         add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
     fi 
 }

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -34,9 +34,20 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            warn "$CONF_LINE is not present in $CONF_FILE"
+            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+        fi
+    fi
 }
 
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.1_set_password_exp_days.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration days."
 
 PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,26 +48,36 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MAX_DAYS=90'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.2_set_password_min_days_change.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password change minimum number of days."
 
 PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,26 +48,36 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MIN_DAYS=7'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.3_set_password_exp_warning_days.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration warning days."
 
 PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,21 +48,21 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
@@ -73,6 +73,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_WARN_AGE=7'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/6.2.10_check_user_dot_file_perm.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then
@@ -42,7 +42,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         for FILE in $DIR/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then
                 FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")

bin/hardening/6.2.11_find_user_forward_files.sh

@@ -19,7 +19,7 @@ FILENAME='.forward'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.12_find_user_netrc_files.sh

@@ -19,7 +19,7 @@ FILENAME='.netrc'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.13_set_perm_on_user_netrc.sh

@@ -19,7 +19,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/.netrc; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.14_find_user_rhosts_files.sh

@@ -19,7 +19,7 @@ FILENAME=".rhosts"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.16_check_duplicate_uid.sh

@@ -21,7 +21,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
     FOUND_EXCEPTIONS=""
     for LINE in $RESULT; do
         debug "Working on line $LINE"

bin/hardening/6.2.17_check_duplicate_gid.sh

@@ -20,7 +20,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
     for LINE in $RESULT; do
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")

bin/hardening/6.2.18_check_duplicate_username.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
     for LINE in $RESULT; do 
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.19_check_duplicate_groupname.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
     for LINE in $RESULT; do 
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.1_remove_empty_password_field.sh

@@ -14,12 +14,11 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=1
 DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 
-FILE='/etc/shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if accounts have an empty password"
-    RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
     if [ ! -z "$RESULT" ]; then
         crit "Some accounts have an empty password"
         crit $RESULT
@@ -30,7 +29,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
     if [ ! -z "$RESULT" ]; then
         warn "Some accounts have an empty password"
         for ACCOUNT in $RESULT; do

bin/hardening/6.2.7_users_valid_homedir.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do 
         debug "Working on $LINE"
         USER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.8_check_user_dir_perm.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@@ -57,7 +57,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"

bin/hardening/6.2.9_users_valid_homedir.sh

@@ -21,7 +21,7 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     debug "Checking homedir exists"
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: {'print $1'} <<< $LINE)

debian/changelog

@@ -1,3 +1,33 @@
+cis-hardening (2.1-2) unstable; urgency=medium
+
+  * Add --create-config-files-only mode that only create config files without running audit
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 23 Nov 2020 13:40:14 +0100
+ 
+cis-hardening (2.1-1) stable; urgency=medium
+  * Move to most recent docker image for buster
+  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
+  * Rename 4.5 to 1.6.1.2 to be CIS9 compliant
+  * Fix apt autoremove to be non interactive
+  * Add disclaimer when checks don't require comprehensive checks
+  * Add comprehensive tests for 4.1.x
+  * Add comprehensive tests for 5.2.x
+  * Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
+  * Add comprehensive tests for 5.4.1.x
+  * Add comprehensive tests for 5.4.3, 5.4.4
+  * Add comprehensive test for 5.6
+  * Skip 4.1.3 on docker (bootloader)
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Fri, 13 Nov 2020 13:32:50 +0100
+
+cis-hardening (2.0-6) unstable; urgency=medium
+
+  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
+  * Fix permissions in 5.2.3
+  * Revert 4.2.2.3 to old check (8.2.4)
+
+ -- Thibault Ayanides <tayanide@owhcloud.com>  Mon, 16 Nov 2020 14:19:35 +0100
+
 cis-hardening (2.0-5) unstable; urgency=medium
 
   * Hotfix for 3.1.1 wich resulted to a fail check if ipv6 is disabled 

lib/main.sh

@@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
             info "Audit argument passed but script is disabled"
         fi
         ;;
+        --create-config-files-only)
+            debug "Create config files"
+            forcedstatus=createconfig
+        ;;
         --sudo)
         SUDO_CMD="sudo_wrapper"
         ;;
@@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
     else
         echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
     fi
+
 fi
+
+if [ $forcedstatus = "createconfig" ]; then
+    debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
+    exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 
 # Now check configured value for status, and potential cmdline parameter

lib/utils.sh

@@ -126,6 +126,11 @@ _does_pattern_exist_in_file() {
     fi
 }
 
+get_db() {
+    local DB="$1"
+    $SUDO_CMD getent --service files "$DB"
+}
+
 # Look for pattern in file that can spread over multiple lines
 # The func will remove commented lines (that begin with '#')
 # and consider the file as one long line.

tests/docker/Dockerfile.debian10

@@ -1,8 +1,13 @@
-FROM debian:buster-20181226
+FROM debian:buster
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian8

@@ -1,8 +1,13 @@
 FROM debian:jessie
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian9

@@ -1,8 +1,13 @@
 FROM debian:stretch
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/hardening/1.1.1.1_disable_freevxfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+    
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.2_disable_jffs2.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.3_disable_hfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.4_disable_hfsplus.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.5_disable_udf.sh

@@ -8,7 +8,13 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+

tests/hardening/1.1.1.6_disable_cramfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.7_disable_squashfs.sh

@@ -8,7 +8,13 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+

tests/hardening/1.1.10_var_tmp_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.11_var_log_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.12_var_log_audit_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.13_home_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.14_home_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.18_removable_device_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.19_removable_device_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.20_removable_device_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.22_disable_automounting.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.2_tmp_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.3_tmp_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.4_tmp_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.5_tmp_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.6_var_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.7_var_tmp_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.8_var_tmp_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.9_var_tmp_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.5.3_enable_randomized_vm_placement.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.6.2.1_enable_apparmor.sh

@@ -0,0 +1,21 @@
+# run-shellcheck
+test_audit() {
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is configured"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
+}

tests/hardening/1.8_install_updates.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.10_disable_http_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.11_disable_imap_pop.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.12_disable_samba.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.13_disable_http_proxy.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.14_disable_snmp_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.2_disable_xwindow_system.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.3_disable_avahi_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.4_disable_print_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.5_disable_dhcp.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.6_disable_ldap.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }