FIX: fix issue, we had to run audit twice

First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.

bin/hardening.sh

@@ -20,6 +20,7 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+CREATE_CONFIG=0
 ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
@@ -76,6 +77,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
         Modifies the policy to allow a certain kind of services on the machine, such
         as http, mail, etc. Can be specified multiple times to allow multiple services.
         Use --allow-service-list to get a list of supported services.
+    
+    --create-config-files-only
+        Create the config files in etc/conf.d
+        Must be run as root, before running the audit with user secaudit
 
 OPTIONS:
 
@@ -126,6 +131,9 @@ while [[ $# > 0 ]]; do
         --allow-service-list)
             ALLOW_SERVICE_LIST=1
         ;;
+        --create-config-files-only)
+            CREATE_CONFIG=1
+        ;;
         --allow-service)
             ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
             shift
@@ -156,7 +164,7 @@ while [[ $# > 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 -a "$AUDIT_ALL" -eq 0 -a "$AUDIT_ALL_ENABLE_PASSED" -eq 0 -a "$APPLY" -eq 0 -a "$CREATE_CONFIG" -eq 0 ]; then
     usage
 fi
 
@@ -210,6 +218,11 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
     exit 0
 fi
 
+if [ $CREATE_CONFIG = 1 ] && [ "$EUID" -ne 0 ]; then
+    echo "For --create-config-files-only, please run as root"
+    exit 1
+fi
+
 # Parse every scripts and execute them in the required mode
 for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     if [ ${#TEST_LIST[@]} -gt 0 ] ; then
@@ -223,8 +236,10 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
     fi
 
     info "Treating $SCRIPT"
-
+    if [ $CREATE_CONFIG = 1 ]; then
-    if [ $AUDIT = 1 ]; then
+        debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
+        $SCRIPT --create-config-files-only $BATCH_MODE
+    elif [ $AUDIT = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
         $SCRIPT --audit $SUDO_MODE $BATCH_MODE
     elif [ $AUDIT_ALL = 1 ]; then

bin/hardening/1.6.2.1_enable_apparmor.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #
 
 set -e # One error, it's over
@@ -24,7 +24,25 @@ audit () {
     else
         ok "$PACKAGE is installed"
     fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    if [ $ERROR = 0 ]; then
+        ok "$PACKAGE is configured"
+    
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -35,7 +53,28 @@ apply () {
     else
         ok "$PACKAGE is installed"
     fi
-    :
+
+    ERROR=0
+    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+    
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for line in $RESULT; do
+        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+            crit "$line is not configured"
+            ERROR=1
+        fi
+    done
+    IFS=$d_IFS
+    
+    if [ $ERROR = 1 ]; then
+        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
+        $SUDO_CMD update-grub
+    else
+        ok "$PACKAGE is configured"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/2.2.10_disable_http_server.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.11_disable_imap_pop.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.12_disable_samba.sh

@@ -43,7 +43,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.14_disable_snmp_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.2_disable_xwindow_system.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.3_disable_avahi_server.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.4_disable_print_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.5_disable_dhcp.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.6_disable_ldap.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.7_disable_nfs_rpc.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.8_disable_dns_server.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.2.9_disable_ftp.sh

@@ -37,7 +37,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             crit "$PACKAGE is installed, purging it"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.1_disable_nis.sh

@@ -33,7 +33,7 @@ apply () {
     if [ $FNRET = 0 ]; then
         crit "$PACKAGE is installed, purging it"
         apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get autoremove -y
     else
         ok "$PACKAGE is absent"
     fi

bin/hardening/2.3.2_disable_rsh_client.sh

@@ -36,7 +36,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.3_disable_talk_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.4_disable_telnet_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/2.3.5_disable_ldap_client.sh

@@ -35,7 +35,7 @@ apply () {
         if [ $FNRET = 0 ]; then
             warn "$PACKAGE is installed, purging"
             apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
         else
             ok "$PACKAGE is absent"
         fi

bin/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Disable system on audit log full."
 
 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -75,6 +75,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the conf for auditd
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/4.1.4_record_date_time_edit.sh

@@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."
 
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

bin/hardening/5.2.10_disable_root_login.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the root login boolean for ssh
+OPTIONS='PermitRootLogin=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the empty password boolean for ssh
+OPTIONS='PermitEmptyPasswords=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.12_disable_sshd_setenv.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."
 
 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the permit user env boolean for ssh
+OPTIONS='PermitUserEnvironment=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.13_sshd_ciphers.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."
 
 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the ciphers
+OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.16_sshd_idle_timeout.sh

@@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."
 
 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
@@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
+    :
-        crit "SSHD_TIMEOUT is not set, please edit configuration file"
-        exit 128
-    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/5.2.17_sshd_login_grace_time.sh

@@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."
 
 PACKAGE='openssh-server'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
     is_pkg_installed $PACKAGE
     if [ $FNRET != 0 ]; then
         crit "$PACKAGE is not installed!"
@@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
+    :
-        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
-        exit 128
-    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/5.2.4_sshd_protocol.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."
 
 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for ssh
+OPTIONS='Protocol=2'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.6_disable_x11_forwarding.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."
 
 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the forwarding boolean for ssh
+OPTIONS='X11Forwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."
 
 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the max auth tries for ssh
+OPTIONS='MaxAuthTries=4'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."
 
 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,14 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the rhosts boolean for ssh
+OPTIONS='IgnoreRhosts=yes'
+EOF
+}
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."
 
 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -74,6 +74,15 @@ check_config() {
     :
 }
 
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here the hostbase boolean for ssh
+OPTIONS='HostbasedAuthentication=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

bin/hardening/5.3.1_enable_pwquality.sh

@@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
 
 PACKAGE='libpam-pwquality'
 
-PATTERN_COMMON="pam_pwquality.so"
+PATTERN_COMMON='pam_pwquality.so'
-FILE_COMMON="/etc/pam.d/common-password"
+FILE_COMMON='/etc/pam.d/common-password'
 
-PATTERNS_QUALITY=""
+OPTIONS=''
-FILE_QUALITY="/etc/security/pwquality.conf"
+FILE_QUALITY='/etc/security/pwquality.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -35,11 +35,12 @@ audit () {
         else
             crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
-        for PATTERN in $PATTERNS_QUALITY; do
+        for PW_OPT in $OPTIONS; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
-            PATTERN="$OPTION *= *$PARAM"
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
+
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE_QUALITY"
             else
@@ -58,13 +59,32 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
     if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
     else
-        crit "$PATTERN is not present in $FILE"
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
     fi 
+    
+    for PW_OPT in $OPTIONS; do
+        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
+        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
+        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
+        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE_QUALITY"
+        else
+            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
+            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
+            if [ $FNRET != 0 ]; then
+                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
+            fi
+        fi
+    done
 }
 
 # This function will create the config file for this check with default values
@@ -72,7 +92,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }
 

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 
 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
-FILE='/etc/pam.d/login'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
+FILE_AUTH='/etc/pam.d/common-auth'
+FILE_ACCOUNT='/etc/pam.d/common-account'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,11 +27,17 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
         if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_AUTH is present in $FILE_AUTH"
         else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_AUTH is not present in $FILE_AUTH"
+        fi
+        does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+        else
+            crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
         fi
     fi
 }
@@ -43,13 +51,21 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
     if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
-        crit "$PATTERN is not present in $FILE"
+        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern $FILE "auth    required    pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
+        add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-    fi 
+    fi
+    does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+    if [ $FNRET = 0 ]; then
+        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+    else
+        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
+        add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/5.3.3_limit_password_reuse.sh

@@ -25,7 +25,7 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE "$PATTERN"
         if [ $FNRET = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
@@ -43,11 +43,11 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE "$PATTERN"
     if [ $FNRET = 0 ]; then
         ok "$PATTERN is present in $FILE"
     else
-        warn "$PATTERN is not present in $FILE"
+        warn "$PATTERN is not present in $FILE, adding it"
         add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
     fi 
 }

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -34,9 +34,20 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
+        crit "$CONF_FILE is not readable"
+    else
+        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
+        if [ "$FNRET" = 0 ]; then
+            ok "$CONF_LINE is present in $CONF_FILE"
+        else
+            warn "$CONF_LINE is not present in $CONF_FILE"
+            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+        fi
+    fi
 }
 
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.1_set_password_exp_days.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration days."
 
 PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,26 +48,36 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MAX_DAYS=90'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.2_set_password_min_days_change.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password change minimum number of days."
 
 PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,26 +48,36 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_MIN_DAYS=7'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.4.1.3_set_password_exp_warning_days.sh

@@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration warning days."
 
 PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 
 # This function will be called if the script status is on enabled / audit mode
@@ -25,10 +25,10 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
@@ -48,21 +48,21 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
             does_pattern_exist_in_file $FILE "$PATTERN"
             if [ $FNRET = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
                 warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                 if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                 else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                 fi
             fi
     done
@@ -73,6 +73,16 @@ check_config() {
     :
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your protocol for shadow
+OPTIONS='PASS_WARN_AGE=7'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     . /etc/default/cis-hardening

debian/changelog

@@ -1,3 +1,25 @@
+cis-hardening (2.1-2) unstable; urgency=medium
+
+  * Add --create-config-files-only mode that only create config files without running audit
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Mon, 23 Nov 2020 13:40:14 +0100
+ 
+cis-hardening (2.1-1) stable; urgency=medium
+  * Move to most recent docker image for buster
+  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
+  * Rename 4.5 to 1.6.1.2 to be CIS9 compliant
+  * Fix apt autoremove to be non interactive
+  * Add disclaimer when checks don't require comprehensive checks
+  * Add comprehensive tests for 4.1.x
+  * Add comprehensive tests for 5.2.x
+  * Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
+  * Add comprehensive tests for 5.4.1.x
+  * Add comprehensive tests for 5.4.3, 5.4.4
+  * Add comprehensive test for 5.6
+  * Skip 4.1.3 on docker (bootloader)
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Fri, 13 Nov 2020 13:32:50 +0100
+
 cis-hardening (2.0-6) unstable; urgency=medium
 
   * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group

lib/main.sh

@@ -32,6 +32,10 @@ while [[ $# > 0 ]]; do
             info "Audit argument passed but script is disabled"
         fi
         ;;
+        --create-config-files-only)
+            debug "Create config files"
+            forcedstatus=createconfig
+        ;;
         --sudo)
         SUDO_CMD="sudo_wrapper"
         ;;
@@ -62,7 +66,14 @@ if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
     else
         echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
     fi
+
 fi
+
+if [ $forcedstatus = "createconfig" ]; then
+    debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created"
+    exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
 
 # Now check configured value for status, and potential cmdline parameter

tests/docker/Dockerfile.debian10

@@ -1,8 +1,13 @@
-FROM debian:buster-20181226
+FROM debian:buster
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian8

@@ -1,8 +1,13 @@
 FROM debian:jessie
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian9

@@ -1,8 +1,13 @@
 FROM debian:stretch
 
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/hardening/1.1.1.1_disable_freevxfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+    
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.2_disable_jffs2.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.3_disable_hfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.4_disable_hfsplus.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.5_disable_udf.sh

@@ -8,7 +8,13 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+

tests/hardening/1.1.1.6_disable_cramfs.sh

@@ -8,7 +8,12 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.1.7_disable_squashfs.sh

@@ -8,7 +8,13 @@ test_audit() {
     dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
     fi
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }
+

tests/hardening/1.1.10_var_tmp_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.11_var_log_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.12_var_log_audit_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.13_home_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.14_home_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.18_removable_device_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.19_removable_device_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.20_removable_device_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.22_disable_automounting.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.2_tmp_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.3_tmp_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.4_tmp_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.5_tmp_noexec.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.6_var_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.7_var_tmp_partition.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.8_var_tmp_nodev.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.1.9_var_tmp_nosuid.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.5.3_enable_randomized_vm_placement.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/1.6.2.1_enable_apparmor.sh

@@ -0,0 +1,21 @@
+# run-shellcheck
+test_audit() {
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Running on blank host
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is configured"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
+}

tests/hardening/1.8_install_updates.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.10_disable_http_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.11_disable_imap_pop.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.12_disable_samba.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.13_disable_http_proxy.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.14_disable_snmp_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.2_disable_xwindow_system.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.3_disable_avahi_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.4_disable_print_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.5_disable_dhcp.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.6_disable_ldap.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.7_disable_nfs_rpc.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.8_disable_dns_server.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.2.9_disable_ftp.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.3.1_disable_nis.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.3.2_disable_rsh_client.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/2.3.3_disable_talk_client.sh

@@ -6,5 +6,10 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
 }

tests/hardening/4.1.1.1_audit_log_storage.sh

@@ -4,7 +4,16 @@ test_audit() {
     register_test retvalshouldbe 0
     dismiss_count_for_test
     # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] max_log_file is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.1.2_halt_when_audit_log_full.sh

@@ -4,7 +4,20 @@ test_audit() {
     register_test retvalshouldbe 0
     dismiss_count_for_test
     # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    # to avoid error during auditd installation in 4.1.1.2, only necessary during tests
+    sed  -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^space_left_action[[:space:]]*=[[:space:]]*email is present in /etc/audit/auditd.conf"
+    register_test contain "[ OK ] ^action_mail_acct[[:space:]]*=[[:space:]]*root is present in /etc/audit/auditd.conf"
+    register_test contain "[ OK ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.1.3_keep_all_audit_logs.sh

@@ -4,7 +4,16 @@ test_audit() {
     register_test retvalshouldbe 0
     dismiss_count_for_test
     # shellcheck disable=2154
+    mkdir -p /etc/audit
+    touch /etc/audit/auditd.conf
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is present in /etc/audit/auditd.conf"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.10_record_dac_edit.sh

@@ -6,5 +6,17 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ]  -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.11_record_failed_access_file.sh

@@ -6,5 +6,18 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
+
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
+

tests/hardening/4.1.12_record_privileged_commands.sh

@@ -6,5 +6,12 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+   
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.13_record_successful_mount.sh

@@ -6,5 +6,13 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.14_record_file_deletions.sh

@@ -6,5 +6,13 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.15_record_sudoers_edit.sh

@@ -6,5 +6,13 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+     describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
+    register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"   
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/hardening/4.1.16_record_sudo_usage.sh

@@ -6,5 +6,12 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }