FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.
fixup! IMP(4.5): rename to 1.6.1.2 improve test
2025-07-15 21:32:17 +02:00 · 2020-11-20 10:05:14 +01:00 · 2020-11-17 13:02:02 +01:00 · 2020-11-17 12:56:10 +01:00 · 2020-11-16 17:07:08 +01:00 · 2020-11-16 16:54:51 +01:00
137 changed files with 1140 additions and 250 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
        Modifies the policy to allow a certain kind of services on the machine, such
        as http, mail, etc. Can be specified multiple times to allow multiple services.
        Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit

 OPTIONS:

@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
        --allow-service-list)
            ALLOW_SERVICE_LIST=1
        ;;
+        --create-config-files-only)
+            CREATE_CONFIG=1
+        ;;
        --allow-service)
            ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
            shift
@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done

 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
    usage
 fi

@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
    exit 0
 fi

+if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
    fi

    info "Treating $SCRIPT"
-
-    if [ $AUDIT = 1 ]; then
+    if [ $CREATE_CONFIG = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        $SCRIPT --create-config-files-only $BATCH_MODE
+    elif [ $AUDIT = 1 ]; then
        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
        $SCRIPT --audit $SUDO_MODE $BATCH_MODE
    elif [ $AUDIT_ALL = 1 ]; then
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -5,7 +5,7 @@
 #

 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #

 set -e # One error, it's over
@ -24,7 +24,25 @@ audit () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ $ERROR = 0 ]; then
+        ok "$PACKAGE is configured"
+    
+    fi
 }

 # This function will be called if the script status is on enabled mode
@ -35,7 +53,28 @@ apply () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
 }

 # This function will check config parameters required
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -43,7 +43,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -33,7 +33,7 @@ apply () {
    if [ $FNRET = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Disable system on audit log full."

 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -75,6 +75,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the conf for auditd
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/4.1.4_record_date_time_edit.sh
+++ b/bin/hardening/4.1.4_record_date_time_edit.sh
@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over

 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."

 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."

 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the root login boolean for ssh
+OPTIONS='PermitRootLogin=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."

 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the empty password boolean for ssh
+OPTIONS='PermitEmptyPasswords=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."

 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the permit user env boolean for ssh
+OPTIONS='PermitUserEnvironment=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."

 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the ciphers
+OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
-        crit "SSHD_TIMEOUT is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."

 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
-        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
-        exit 128
-    fi
+    :
 }

 # Source Root Dir Parameter
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."

 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for ssh
+OPTIONS='Protocol=2'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."

 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the forwarding boolean for ssh
+OPTIONS='X11Forwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."

 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the max auth tries for ssh
+OPTIONS='MaxAuthTries=4'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."

 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,14 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the rhosts boolean for ssh
+OPTIONS='IgnoreRhosts=yes'
+EOF
+}
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."

 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }

+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the hostbase boolean for ssh
+OPTIONS='HostbasedAuthentication=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.3.1_enable_pwquality.sh
+++ b/bin/hardening/5.3.1_enable_pwquality.sh
@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."

 PACKAGE='libpam-pwquality'

-PATTERN_COMMON="pam_pwquality.so"
-FILE_COMMON="/etc/pam.d/common-password"
+PATTERN_COMMON='pam_pwquality.so'
+FILE_COMMON='/etc/pam.d/common-password'

-PATTERNS_QUALITY=""
-FILE_QUALITY="/etc/security/pwquality.conf"
+OPTIONS=''
+FILE_QUALITY='/etc/security/pwquality.conf'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -35,11 +35,12 @@ audit () {
        else
            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
        fi
-        for PATTERN in $PATTERNS_QUALITY; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
-            PATTERN="$OPTION *= *$PARAM"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        for PW_OPT in $OPTIONS; do
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE_QUALITY"
            else
@ -58,13 +59,32 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
    else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
    fi 
+    
+    for PW_OPT in $OPTIONS; do
+        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE_QUALITY"
+        else
+            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
+            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+            if [ $FNRET != 0 ]; then
+                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+            fi
+        fi
+    done
 }

 # This function will create the config file for this check with default values
@ -72,7 +92,7 @@ create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }

--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."

 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
-FILE='/etc/pam.d/login'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
+FILE_AUTH='/etc/pam.d/common-auth'
+FILE_ACCOUNT='/etc/pam.d/common-account'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -25,11 +27,17 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_AUTH is present in $FILE_AUTH"
        else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_AUTH is not present in $FILE_AUTH"
+        fi
+        does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+        else
+            crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
        fi
    fi
 }
@ -43,13 +51,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_AUTH is present in $FILE_AUTH"
    else
-        crit "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "auth    required    pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
-    fi 
+        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
+        add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+    fi
+    does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+    if [ $FNRET = 0 ]; then
+        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+    else
+        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
+        add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+
+    fi
 }

 # This function will check config parameters required
--- a/bin/hardening/5.3.3_limit_password_reuse.sh
+++ b/bin/hardening/5.3.3_limit_password_reuse.sh
@ -25,7 +25,7 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
@ -43,11 +43,11 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
-        warn "$PATTERN is not present in $FILE"
+        warn "$PATTERN is not present in $FILE, adding it"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
    fi 
 }
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -34,9 +34,20 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            warn "$CONF_LINE is not present in $CONF_FILE"
+            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+        fi
+    fi
 }

+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.1_set_password_exp_days.sh
+++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration days."

 PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MAX_DAYS=90'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password change minimum number of days."

 PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MIN_DAYS=7'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration warning days."

 PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
+OPTIONS=''
 FILE='/etc/login.defs'

 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+        for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,21 +48,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+    for SHADOW_OPTION in $OPTIONS; do
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
@ -73,6 +73,16 @@ check_config() {
    :
 }

+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_WARN_AGE=7'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/6.1.5_etc_passwd_permissions.sh
+++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh
--- a/bin/hardening/6.1.6_etc_shadow_permissions.sh
+++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh
--- a/bin/hardening/6.1.7_etc_group_permissions.sh
+++ b/bin/hardening/6.1.7_etc_group_permissions.sh
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,25 @@
+cis-hardening (2.1-2) unstable; urgency=medium
+
+  * Add --create-config-files-only mode that only create config files without running audit
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 23 Nov 2020 13:40:14 +0100
+ 
+cis-hardening (2.1-1) stable; urgency=medium
+  * Move to most recent docker image for buster
+  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
+  * Rename 4.5 to 1.6.1.2 to be CIS9 compliant
+  * Fix apt autoremove to be non interactive
+  * Add disclaimer when checks don't require comprehensive checks
+  * Add comprehensive tests for 4.1.x
+  * Add comprehensive tests for 5.2.x
+  * Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
+  * Add comprehensive tests for 5.4.1.x
+  * Add comprehensive tests for 5.4.3, 5.4.4
+  * Add comprehensive test for 5.6
+  * Skip 4.1.3 on docker (bootloader)
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Fri, 13 Nov 2020 13:32:50 +0100
+
 cis-hardening (2.0-6) unstable; urgency=medium

  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
--- a/lib/main.sh
+++ b/lib/main.sh
@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
            info "Audit argument passed but script is disabled"
        fi
        ;;
+        --create-config-files-only)
+            debug "Create config files"
+            forcedstatus=createconfig
+        ;;
        --sudo)
        SUDO_CMD="sudo_wrapper"
        ;;
@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
    else
        echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
    fi
+
 fi
+
+if [ $forcedstatus = "createconfig" ]; then
+    debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
+    exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg

 # Now check configured value for status, and potential cmdline parameter
--- a/tests/docker/Dockerfile.debian10_20181226
+++ b/tests/docker/Dockerfile.debian10_20181226
@ -1,8 +1,13 @@
-FROM debian:buster-20181226
+FROM debian:buster

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/docker/Dockerfile.debian8
+++ b/tests/docker/Dockerfile.debian8
@ -1,8 +1,13 @@
 FROM debian:jessie

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/docker/Dockerfile.debian9
+++ b/tests/docker/Dockerfile.debian9
@ -1,8 +1,13 @@
 FROM debian:stretch

-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"

-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd

 COPY --chown=500:500 . /opt/debian-cis/

--- a/tests/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/tests/hardening/1.1.1.1_disable_freevxfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+    
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.2_disable_jffs2.sh
+++ b/tests/hardening/1.1.1.2_disable_jffs2.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.3_disable_hfs.sh
+++ b/tests/hardening/1.1.1.3_disable_hfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/tests/hardening/1.1.1.4_disable_hfsplus.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.5_disable_udf.sh
+++ b/tests/hardening/1.1.1.5_disable_udf.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+
--- a/tests/hardening/1.1.1.6_disable_cramfs.sh
+++ b/tests/hardening/1.1.1.6_disable_cramfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.1.7_disable_squashfs.sh
+++ b/tests/hardening/1.1.1.7_disable_squashfs.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
    fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+
--- a/tests/hardening/1.1.10_var_tmp_noexec.sh
+++ b/tests/hardening/1.1.10_var_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.11_var_log_partition.sh
+++ b/tests/hardening/1.1.11_var_log_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.12_var_log_audit_partition.sh
+++ b/tests/hardening/1.1.12_var_log_audit_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.13_home_partition.sh
+++ b/tests/hardening/1.1.13_home_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.14_home_nodev.sh
+++ b/tests/hardening/1.1.14_home_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.18_removable_device_nodev.sh
+++ b/tests/hardening/1.1.18_removable_device_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.19_removable_device_nosuid.sh
+++ b/tests/hardening/1.1.19_removable_device_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.20_removable_device_noexec.sh
+++ b/tests/hardening/1.1.20_removable_device_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.22_disable_automounting.sh
+++ b/tests/hardening/1.1.22_disable_automounting.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.2_tmp_partition.sh
+++ b/tests/hardening/1.1.2_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.3_tmp_nodev.sh
+++ b/tests/hardening/1.1.3_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.4_tmp_nosuid.sh
+++ b/tests/hardening/1.1.4_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.5_tmp_noexec.sh
+++ b/tests/hardening/1.1.5_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.6_var_partition.sh
+++ b/tests/hardening/1.1.6_var_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.7_var_tmp_partition.sh
+++ b/tests/hardening/1.1.7_var_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.8_var_tmp_nodev.sh
+++ b/tests/hardening/1.1.8_var_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/tests/hardening/1.1.9_var_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/1.6.2.1_enable_apparmor.sh
+++ b/tests/hardening/1.6.2.1_enable_apparmor.sh
@ -0,0 +1,21 @@
+# run-shellcheck
+test_audit() {
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is configured"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
+}
--- a/tests/hardening/1.8_install_updates.sh
+++ b/tests/hardening/1.8_install_updates.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.10_disable_http_server.sh
+++ b/tests/hardening/2.2.10_disable_http_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.11_disable_imap_pop.sh
+++ b/tests/hardening/2.2.11_disable_imap_pop.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.12_disable_samba.sh
+++ b/tests/hardening/2.2.12_disable_samba.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.13_disable_http_proxy.sh
+++ b/tests/hardening/2.2.13_disable_http_proxy.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.14_disable_snmp_server.sh
+++ b/tests/hardening/2.2.14_disable_snmp_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.2_disable_xwindow_system.sh
+++ b/tests/hardening/2.2.2_disable_xwindow_system.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.3_disable_avahi_server.sh
+++ b/tests/hardening/2.2.3_disable_avahi_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.4_disable_print_server.sh
+++ b/tests/hardening/2.2.4_disable_print_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.5_disable_dhcp.sh
+++ b/tests/hardening/2.2.5_disable_dhcp.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.6_disable_ldap.sh
+++ b/tests/hardening/2.2.6_disable_ldap.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/tests/hardening/2.2.7_disable_nfs_rpc.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.8_disable_dns_server.sh
+++ b/tests/hardening/2.2.8_disable_dns_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.2.9_disable_ftp.sh
+++ b/tests/hardening/2.2.9_disable_ftp.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.3.1_disable_nis.sh
+++ b/tests/hardening/2.3.1_disable_nis.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.3.2_disable_rsh_client.sh
+++ b/tests/hardening/2.3.2_disable_rsh_client.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/2.3.3_disable_talk_client.sh
+++ b/tests/hardening/2.3.3_disable_talk_client.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
--- a/tests/hardening/4.1.1.1_audit_log_storage.sh
+++ b/tests/hardening/4.1.1.1_audit_log_storage.sh
@ -4,7 +4,16 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] max_log_file is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -4,7 +4,20 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    # to avoid error during auditd installation in 4.1.1.2, only necessary during tests
+    sed  -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^space_left_action[[:space:]]*=[[:space:]]*email is present in /etc/audit/auditd.conf"
+    register_test contain "[ OK ] ^action_mail_acct[[:space:]]*=[[:space:]]*root is present in /etc/audit/auditd.conf"
+    register_test contain "[ OK ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
@ -4,7 +4,16 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.10_record_dac_edit.sh
+++ b/tests/hardening/4.1.10_record_dac_edit.sh
@ -6,5 +6,17 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ]  -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.11_record_failed_access_file.sh
+++ b/tests/hardening/4.1.11_record_failed_access_file.sh
@ -6,5 +6,18 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
+
--- a/tests/hardening/4.1.12_record_privileged_commands.sh
+++ b/tests/hardening/4.1.12_record_privileged_commands.sh
@ -6,5 +6,12 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+   
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.13_record_successful_mount.sh
+++ b/tests/hardening/4.1.13_record_successful_mount.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.14_record_file_deletions.sh
+++ b/tests/hardening/4.1.14_record_file_deletions.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.15_record_sudoers_edit.sh
+++ b/tests/hardening/4.1.15_record_sudoers_edit.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+     describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"   
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.16_record_sudo_usage.sh
+++ b/tests/hardening/4.1.16_record_sudo_usage.sh
@ -6,5 +6,12 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thibault Ayanides	d40a85085d	FIX: fix issue, we had to run audit twice First one as root to create conf files with good owner and permissions, and then with secaudit. Now first run with --create-config-files-only and the normally with --audit.	2020-11-20 10:05:14 +01:00
Thibault Ayanides	467e5f178c	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 13:02:02 +01:00
Thibault Ayanides	d244a2e810	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 12:56:10 +01:00
Thibault Ayanides	84bff4ac88	fixup! Move to most recent docker image for buster	2020-11-16 17:07:08 +01:00
Thibault Ayanides	d640a467e2	fixup! IMP(4.1.x): add tests for each checks	2020-11-16 16:54:51 +01:00
Thibault Ayanides	9bfb7efca1	Update changelog	2020-11-16 16:39:47 +01:00
Thibault Ayanides	7b8cca20d6	FIX(4.1.1.2): fix auditd apply	2020-11-09 11:48:48 +01:00
Thibault Ayanides	a6de243808	Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant	2020-11-09 09:00:34 +01:00
Thibault Ayanides	7e8c976722	Add disclaimer when checks don't require comprehensive checks modified: tests/hardening/1.1.1.1_disable_freevxfs.sh modified: tests/hardening/1.1.1.2_disable_jffs2.sh modified: tests/hardening/1.1.1.3_disable_hfs.sh modified: tests/hardening/1.1.1.4_disable_hfsplus.sh modified: tests/hardening/1.1.1.5_disable_udf.sh modified: tests/hardening/1.1.1.6_disable_cramfs.sh modified: tests/hardening/1.1.1.7_disable_squashfs.sh modified: tests/hardening/1.1.10_var_tmp_noexec.sh modified: tests/hardening/1.1.11_var_log_partition.sh modified: tests/hardening/1.1.12_var_log_audit_partition.sh modified: tests/hardening/1.1.13_home_partition.sh modified: tests/hardening/1.1.14_home_nodev.sh modified: tests/hardening/1.1.18_removable_device_nodev.sh modified: tests/hardening/1.1.19_removable_device_nosuid.sh modified: tests/hardening/1.1.20_removable_device_noexec.sh modified: tests/hardening/1.1.2_tmp_partition.sh modified: tests/hardening/1.1.3_tmp_nodev.sh modified: tests/hardening/1.1.4_tmp_nosuid.sh modified: tests/hardening/1.1.5_tmp_noexec.sh modified: tests/hardening/1.1.6_var_partition.sh modified: tests/hardening/1.1.7_var_tmp_partition.sh modified: tests/hardening/1.1.8_var_tmp_nodev.sh modified: tests/hardening/1.1.9_var_tmp_nosuid.sh modified: tests/hardening/1.8_install_updates.sh modified: tests/hardening/2.2.10_disable_http_server.sh modified: tests/hardening/2.2.11_disable_imap_pop.sh modified: tests/hardening/2.2.12_disable_samba.sh modified: tests/hardening/2.2.13_disable_http_proxy.sh modified: tests/hardening/2.2.14_disable_snmp_server.sh modified: tests/hardening/2.2.2_disable_xwindow_system.sh modified: tests/hardening/2.2.3_disable_avahi_server.sh modified: tests/hardening/2.2.4_disable_print_server.sh modified: tests/hardening/2.2.5_disable_dhcp.sh modified: tests/hardening/2.2.6_disable_ldap.sh modified: tests/hardening/2.2.7_disable_nfs_rpc.sh modified: tests/hardening/2.2.8_disable_dns_server.sh modified: tests/hardening/2.2.9_disable_ftp.sh modified: tests/hardening/2.3.1_disable_nis.sh modified: tests/hardening/2.3.2_disable_rsh_client.sh modified: tests/hardening/2.3.3_disable_talk_client.sh modified: tests/hardening/2.3.4_telnet_client_not_installed.sh modified: tests/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 16:20:10 +01:00
Thibault Ayanides	ffd5b28840	FIX: fix apt autoremove to be non interactive modified: bin/hardening/2.2.10_disable_http_server.sh modified: bin/hardening/2.2.11_disable_imap_pop.sh modified: bin/hardening/2.2.12_disable_samba.sh modified: bin/hardening/2.2.14_disable_snmp_server.sh modified: bin/hardening/2.2.2_disable_xwindow_system.sh modified: bin/hardening/2.2.3_disable_avahi_server.sh modified: bin/hardening/2.2.4_disable_print_server.sh modified: bin/hardening/2.2.5_disable_dhcp.sh modified: bin/hardening/2.2.6_disable_ldap.sh modified: bin/hardening/2.2.7_disable_nfs_rpc.sh modified: bin/hardening/2.2.8_disable_dns_server.sh modified: bin/hardening/2.2.9_disable_ftp.sh modified: bin/hardening/2.3.1_disable_nis.sh modified: bin/hardening/2.3.2_disable_rsh_client.sh modified: bin/hardening/2.3.3_disable_talk_client.sh modified: bin/hardening/2.3.4_telnet_client_not_installed.sh modified: bin/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 14:51:26 +01:00
Thibault Ayanides	ce1e87b1a3	IMP(4.5): rename to 1.6.1.2 improve test	2020-11-06 11:09:22 +01:00
Thibault Ayanides	b5865947ba	Move to most recent docker image for buster	2020-11-06 10:11:46 +01:00
Thibault Ayanides	ee4b2417c2	IMP(4.1.x): add tests for each checks	2020-11-02 15:47:27 +01:00
Thibault Ayanides	5568065c35	IMP(4.1.3): skip on docker (bootloader)	2020-11-02 15:46:45 +01:00
Thibault Ayanides	91a2824246	IMP(5.6): add test	2020-10-30 09:48:36 +01:00
Thibault Ayanides	47f8b7b677	IMP(5.4.4): add test	2020-10-30 09:48:27 +01:00
Thibault Ayanides	728011f846	IMP(5.4.3): add purposely failing test	2020-10-30 09:40:28 +01:00
Thibault Ayanides	17e43753b9	IMP(5.4.1.1-3): add tests and rename some variables	2020-10-30 09:39:42 +01:00
Thibault Ayanides	9aac4c3504	IMP(5.3.4): improve check	2020-10-29 16:47:34 +01:00
Thibault Ayanides	8af91dd6a8	IMP(5.3.1,5.3.2): add tests and upgrade PAM conf	2020-10-29 16:45:15 +01:00
Thibault Ayanides	feefee28e4	IMP(5.3.1): add test and config function for check	2020-10-29 15:35:56 +01:00
Thibault Ayanides	774af39a34	IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh	2020-10-29 11:18:31 +01:00