fixup! IMP(4.5): rename to 1.6.1.2 improve test

fixup! Move to most recent docker image for buster
2025-07-16 22:02:17 +02:00 · 2020-11-17 13:02:02 +01:00 · 2020-11-17 12:56:10 +01:00 · 2020-11-16 17:07:08 +01:00 · 2020-11-16 16:54:51 +01:00 · 2020-11-16 16:39:47 +01:00
135 changed files with 1105 additions and 247 deletions
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@ -5,7 +5,7 @@
 #
 #
-# 4.5 Activate AppArmor (Scored)
+# 1.6.2.1 Activate AppArmor (Scored)
 #
 set -e # One error, it's over
@ -24,7 +24,25 @@ audit () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 0 ]; then
        ok "$PACKAGE is configured"
    fi
 }
 # This function will be called if the script status is on enabled mode
@ -35,7 +53,28 @@ apply () {
    else
        ok "$PACKAGE is installed"
    fi
-    :
+
    ERROR=0
    RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for line in $RESULT; do
        if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
            crit "$line is not configured"
            ERROR=1
        fi
    done
    IFS=$d_IFS
    if [ $ERROR = 1 ]; then
        $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
        $SUDO_CMD update-grub
    else
        ok "$PACKAGE is configured"
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/2.2.10_disable_http_server.sh
+++ b/bin/hardening/2.2.10_disable_http_server.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.11_disable_imap_pop.sh
+++ b/bin/hardening/2.2.11_disable_imap_pop.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.12_disable_samba.sh
+++ b/bin/hardening/2.2.12_disable_samba.sh
@ -43,7 +43,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.14_disable_snmp_server.sh
+++ b/bin/hardening/2.2.14_disable_snmp_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.2_disable_xwindow_system.sh
+++ b/bin/hardening/2.2.2_disable_xwindow_system.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.3_disable_avahi_server.sh
+++ b/bin/hardening/2.2.3_disable_avahi_server.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.4_disable_print_server.sh
+++ b/bin/hardening/2.2.4_disable_print_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.5_disable_dhcp.sh
+++ b/bin/hardening/2.2.5_disable_dhcp.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@ -37,7 +37,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            crit "$PACKAGE is installed, purging it"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@ -33,7 +33,7 @@ apply () {
    if [ $FNRET = 0 ]; then
        crit "$PACKAGE is installed, purging it"
        apt-get purge $PACKAGE -y
-        apt-get autoremove
+        apt-get autoremove -y
    else
        ok "$PACKAGE is absent"
    fi
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@ -36,7 +36,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@ -35,7 +35,7 @@ apply () {
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
            apt-get purge $PACKAGE -y
-            apt-get autoremove
+            apt-get autoremove -y
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=4
 DESCRIPTION="Disable system on audit log full."
 FILE='/etc/audit/auditd.conf'
-OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+OPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -75,6 +75,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the conf for auditd
 OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/4.1.4_record_date_time_edit.sh
+++ b/bin/hardening/4.1.4_record_date_time_edit.sh
@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-DESCRIPTION="Record events taht modify date and time information."
+DESCRIPTION="Record events that modify date and time information."
 AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
--- a/bin/hardening/5.2.10_disable_root_login.sh
+++ b/bin/hardening/5.2.10_disable_root_login.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH Root Login."
 PACKAGE='openssh-server'
-OPTIONS='PermitRootLogin=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the root login boolean for ssh
 OPTIONS='PermitRootLogin=no'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs."
 PACKAGE='openssh-server'
-OPTIONS='PermitEmptyPasswords=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the empty password boolean for ssh
 OPTIONS='PermitEmptyPasswords=no'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.12_disable_sshd_setenv.sh
+++ b/bin/hardening/5.2.12_disable_sshd_setenv.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Do not allow users to set environment options."
 PACKAGE='openssh-server'
-OPTIONS='PermitUserEnvironment=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the permit user env boolean for ssh
 OPTIONS='PermitUserEnvironment=no'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.13_sshd_ciphers.sh
+++ b/bin/hardening/5.2.13_sshd_ciphers.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)."
 PACKAGE='openssh-server'
-OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the ciphers
 OPTIONS='Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.16_sshd_idle_timeout.sh
+++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh
@ -16,11 +16,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Idle Timeout Interval for user login."
 PACKAGE='openssh-server'
 OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -76,16 +76,13 @@ create_config() {
 status=audit
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
-SSHD_TIMEOUT=300
+OPTIONS="ClientAliveInterval=300 ClientAliveCountMax=0"
 EOF
 }
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_TIMEOUT ]; then
+    :
        crit "SSHD_TIMEOUT is not set, please edit configuration file"
        exit 128
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/5.2.17_sshd_login_grace_time.sh
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@ -15,11 +15,11 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set Login Grace Time for user login."
 PACKAGE='openssh-server'
 OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -75,16 +75,13 @@ create_config() {
 status=audit
 # In seconds, value of LoginGraceTime
 # Settles sshd login grace time
-SSHD_LOGIN_GRACE_TIME=60
+OPTIONS="LoginGraceTime=60"
 EOF
 }
 # This function will check config parameters required
 check_config() {
-    if [ -z $SSHD_LOGIN_GRACE_TIME ]; then
+    :
        crit "SSHD_LOGIN_GRACE_TIME is not set, please edit configuration file"
        exit 128
    fi
 }
 # Source Root Dir Parameter
--- a/bin/hardening/5.2.4_sshd_protocol.sh
+++ b/bin/hardening/5.2.4_sshd_protocol.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set secure shell (SSH) protocol to 2."
 PACKAGE='openssh-server'
-OPTIONS='Protocol=2'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here your protocol for ssh
 OPTIONS='Protocol=2'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.6_disable_x11_forwarding.sh
+++ b/bin/hardening/5.2.6_disable_x11_forwarding.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Disable SSH X11 forwarding."
 PACKAGE='openssh-server'
-OPTIONS='X11Forwarding=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,16 @@ check_config() {
    :
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the forwarding boolean for ssh
 OPTIONS='X11Forwarding=no'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH MaxAuthTries to 4."
 PACKAGE='openssh-server'
-OPTIONS='MaxAuthTries=4'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the max auth tries for ssh
 OPTIONS='MaxAuthTries=4'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH IgnoreRhosts to Yes."
 PACKAGE='openssh-server'
-OPTIONS='IgnoreRhosts=yes'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,14 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the rhosts boolean for ssh
 OPTIONS='IgnoreRhosts=yes'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set SSH HostbasedAUthentication to No."
 PACKAGE='openssh-server'
-OPTIONS='HostbasedAuthentication=no'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
@ -74,6 +74,15 @@ check_config() {
    :
 }
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here the hostbase boolean for ssh
 OPTIONS='HostbasedAuthentication=no'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/5.3.1_enable_pwquality.sh
+++ b/bin/hardening/5.3.1_enable_pwquality.sh
@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
 PACKAGE='libpam-pwquality'
-PATTERN_COMMON="pam_pwquality.so"
+PATTERN_COMMON='pam_pwquality.so'
-FILE_COMMON="/etc/pam.d/common-password"
+FILE_COMMON='/etc/pam.d/common-password'
-PATTERNS_QUALITY=""
+OPTIONS=''
-FILE_QUALITY="/etc/security/pwquality.conf"
+FILE_QUALITY='/etc/security/pwquality.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -35,11 +35,12 @@ audit () {
        else
            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
        fi
-        for PATTERN in $PATTERNS_QUALITY; do
+        for PW_OPT in $OPTIONS; do
-            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
-            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
-            PATTERN="$OPTION *= *$PARAM"
+            PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
-            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE_QUALITY"
            else
@ -58,13 +59,32 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_COMMON is present in $FILE_COMMON"
    else
-        crit "$PATTERN is not present in $FILE"
+        warn "$PATTERN_COMMON is not present in $FILE_COMMON"
-        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+        add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
    fi 
    for PW_OPT in $OPTIONS; do
        PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
        PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
        PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
        does_pattern_exist_in_file $FILE_QUALITY $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE_QUALITY"
        else
            warn "$PATTERN is not present in $FILE_QUALITY, adding it"
            does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
            if [ $FNRET != 0 ]; then
                add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
            else
                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
                replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
            fi
        fi
    done
 }
 # This function will create the config file for this check with default values
@ -72,7 +92,7 @@ create_config() {
    cat <<EOF
 status=audit
 # Put your custom configuration here
-PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 EOF
 }
--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
-FILE='/etc/pam.d/login'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
 FILE_AUTH='/etc/pam.d/common-auth'
 FILE_ACCOUNT='/etc/pam.d/common-account'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -25,11 +27,17 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_AUTH is present in $FILE_AUTH"
        else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_AUTH is not present in $FILE_AUTH"
        fi
        does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
        else
            crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
        fi
    fi
 }
@ -43,13 +51,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
+        ok "$PATTERN_AUTH is present in $FILE_AUTH"
    else
-        crit "$PATTERN is not present in $FILE"
+        warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern $FILE "auth    required    pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
+        add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-    fi 
+    fi
    does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
    if [ $FNRET = 0 ]; then
        ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
    else
        warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
        add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
    fi
 }
 # This function will check config parameters required
--- a/bin/hardening/5.3.3_limit_password_reuse.sh
+++ b/bin/hardening/5.3.3_limit_password_reuse.sh
@ -25,7 +25,7 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE "$PATTERN"
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
@ -43,11 +43,11 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    does_pattern_exist_in_file $FILE $PATTERN
+    does_pattern_exist_in_file $FILE "$PATTERN"
    if [ $FNRET = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
-        warn "$PATTERN is not present in $FILE"
+        warn "$PATTERN is not present in $FILE, adding it"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
    fi 
 }
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -34,9 +34,20 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
-    :
+    if $SUDO_CMD [ ! -r $CONF_FILE ]; then
        crit "$CONF_FILE is not readable"
    else
        does_pattern_exist_in_file $CONF_FILE "$(sed 's/ /[[:space:]]+/g' <<< "$CONF_LINE")"
        if [ "$FNRET" = 0 ]; then
            ok "$CONF_LINE is present in $CONF_FILE"
        else
            warn "$CONF_LINE is not present in $CONF_FILE"
            add_line_file_before_pattern $CONF_FILE "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
        fi
    fi
 }
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.1_set_password_exp_days.sh
+++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration days."
 PACKAGE='login'
-OPTIONS='PASS_MAX_DAYS=90'
+OPTIONS=''
 FILE='/etc/login.defs'
 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here your protocol for shadow
 OPTIONS='PASS_MAX_DAYS=90'
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password change minimum number of days."
 PACKAGE='login'
-OPTIONS='PASS_MIN_DAYS=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,26 +48,36 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here your protocol for shadow
 OPTIONS='PASS_MIN_DAYS=7'
 EOF
 }
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh
@ -15,7 +15,7 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set password expiration warning days."
 PACKAGE='login'
-OPTIONS='PASS_WARN_AGE=7'
+OPTIONS=''
 FILE='/etc/login.defs'
 # This function will be called if the script status is on enabled / audit mode
@ -25,10 +25,10 @@ audit () {
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
@ -48,21 +48,21 @@ apply () {
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
-    for SSH_OPTION in $OPTIONS; do
+    for SHADOW_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+            SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+            SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2)
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+            PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ $FNRET = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+                does_pattern_exist_in_file $FILE "^$SHADOW_PARAM"
                if [ $FNRET != 0 ]; then
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+                    add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE"
                else
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                    info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                    replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE"
                fi
            fi
    done
@ -73,6 +73,16 @@ check_config() {
    :
 }
 # This function will create the config file for this check with default values
 create_config() {
    cat << EOF
 # shellcheck disable=2034
 status=audit
 # Put here your protocol for shadow
 OPTIONS='PASS_WARN_AGE=7'
 EOF
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
--- a/bin/hardening/6.1.5_etc_passwd_permissions.sh
+++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh
--- a/bin/hardening/6.1.6_etc_shadow_permissions.sh
+++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh
--- a/bin/hardening/6.1.7_etc_group_permissions.sh
+++ b/bin/hardening/6.1.7_etc_group_permissions.sh
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,19 @@
 cis-hardening (2.1-1) stable; urgency=medium
  * Move to most recent docker image for buster
  * Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant
  * Rename 4.5 to 1.6.1.2 to be CIS9 compliant
  * Fix apt autoremove to be non interactive
  * Add disclaimer when checks don't require comprehensive checks
  * Add comprehensive tests for 4.1.x
  * Add comprehensive tests for 5.2.x
  * Add comprehensive test for 5.3.x, add config function for the checks, upgrade PAM conf
  * Add comprehensive tests for 5.4.1.x
  * Add comprehensive tests for 5.4.3, 5.4.4
  * Add comprehensive test for 5.6
  * Skip 4.1.3 on docker (bootloader)
 -- Thibault Ayanides <tayanide@ovhcloud.com>  Fri, 13 Nov 2020 13:32:50 +0100
 cis-hardening (2.0-6) unstable; urgency=medium
  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
--- a/tests/docker/Dockerfile.debian10_20181226
+++ b/tests/docker/Dockerfile.debian10_20181226
@ -1,8 +1,13 @@
-FROM debian:buster-20181226
+FROM debian:buster
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
 LABEL project="debian-cis"
 LABEL url="https://github.com/ovh/debian-cis"
 LABEL description="This image is used to run tests"
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/
--- a/tests/docker/Dockerfile.debian8
+++ b/tests/docker/Dockerfile.debian8
@ -1,8 +1,13 @@
 FROM debian:jessie
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
 LABEL project="debian-cis"
 LABEL url="https://github.com/ovh/debian-cis"
 LABEL description="This image is used to run tests"
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/
--- a/tests/docker/Dockerfile.debian9
+++ b/tests/docker/Dockerfile.debian9
@ -1,8 +1,13 @@
 FROM debian:stretch
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && mkdir -m 700 /home/secaudit && chown secaudit:secaudit /home/secaudit
+LABEL vendor="OVH"
 LABEL project="debian-cis"
 LABEL url="https://github.com/ovh/debian-cis"
 LABEL description="This image is used to run tests"
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bc openssh-server sudo syslog-ng net-tools auditd
 COPY --chown=500:500 . /opt/debian-cis/
--- a/tests/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/tests/hardening/1.1.1.1_disable_freevxfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.2_disable_jffs2.sh
+++ b/tests/hardening/1.1.1.2_disable_jffs2.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.3_disable_hfs.sh
+++ b/tests/hardening/1.1.1.3_disable_hfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/tests/hardening/1.1.1.4_disable_hfsplus.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.5_disable_udf.sh
+++ b/tests/hardening/1.1.1.5_disable_udf.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.6_disable_cramfs.sh
+++ b/tests/hardening/1.1.1.6_disable_cramfs.sh
@ -8,7 +8,12 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.1.7_disable_squashfs.sh
+++ b/tests/hardening/1.1.1.7_disable_squashfs.sh
@ -8,7 +8,13 @@ test_audit() {
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # TODO fill comprehensive tests
    fi
    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.10_var_tmp_noexec.sh
+++ b/tests/hardening/1.1.10_var_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.11_var_log_partition.sh
+++ b/tests/hardening/1.1.11_var_log_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.12_var_log_audit_partition.sh
+++ b/tests/hardening/1.1.12_var_log_audit_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.13_home_partition.sh
+++ b/tests/hardening/1.1.13_home_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.14_home_nodev.sh
+++ b/tests/hardening/1.1.14_home_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.18_removable_device_nodev.sh
+++ b/tests/hardening/1.1.18_removable_device_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.19_removable_device_nosuid.sh
+++ b/tests/hardening/1.1.19_removable_device_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.20_removable_device_noexec.sh
+++ b/tests/hardening/1.1.20_removable_device_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.22_disable_automounting.sh
+++ b/tests/hardening/1.1.22_disable_automounting.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.2_tmp_partition.sh
+++ b/tests/hardening/1.1.2_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.3_tmp_nodev.sh
+++ b/tests/hardening/1.1.3_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.4_tmp_nosuid.sh
+++ b/tests/hardening/1.1.4_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.5_tmp_noexec.sh
+++ b/tests/hardening/1.1.5_tmp_noexec.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.6_var_partition.sh
+++ b/tests/hardening/1.1.6_var_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.7_var_tmp_partition.sh
+++ b/tests/hardening/1.1.7_var_tmp_partition.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.8_var_tmp_nodev.sh
+++ b/tests/hardening/1.1.8_var_tmp_nodev.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/tests/hardening/1.1.9_var_tmp_nosuid.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/tests/hardening/1.5.3_enable_randomized_vm_placement.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/1.6.2.1_enable_apparmor.sh
+++ b/tests/hardening/1.6.2.1_enable_apparmor.sh
@ -0,0 +1,21 @@
 # run-shellcheck
 test_audit() {
    if [ -f "/.dockerenv" ]; then
        skip "SKIPPED on docker"
    else
        describe Running on blank host
        register_test retvalshouldbe 0
        dismiss_count_for_test
        # shellcheck disable=2154
        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
        describe correcting situation
        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
        describe Checking resolved state
        register_test retvalshouldbe 0
        register_test contain "is configured"
        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    fi
 }
--- a/tests/hardening/1.8_install_updates.sh
+++ b/tests/hardening/1.8_install_updates.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.10_disable_http_server.sh
+++ b/tests/hardening/2.2.10_disable_http_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.11_disable_imap_pop.sh
+++ b/tests/hardening/2.2.11_disable_imap_pop.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.12_disable_samba.sh
+++ b/tests/hardening/2.2.12_disable_samba.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.13_disable_http_proxy.sh
+++ b/tests/hardening/2.2.13_disable_http_proxy.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.14_disable_snmp_server.sh
+++ b/tests/hardening/2.2.14_disable_snmp_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.2_disable_xwindow_system.sh
+++ b/tests/hardening/2.2.2_disable_xwindow_system.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.3_disable_avahi_server.sh
+++ b/tests/hardening/2.2.3_disable_avahi_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.4_disable_print_server.sh
+++ b/tests/hardening/2.2.4_disable_print_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.5_disable_dhcp.sh
+++ b/tests/hardening/2.2.5_disable_dhcp.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.6_disable_ldap.sh
+++ b/tests/hardening/2.2.6_disable_ldap.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/tests/hardening/2.2.7_disable_nfs_rpc.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.8_disable_dns_server.sh
+++ b/tests/hardening/2.2.8_disable_dns_server.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.2.9_disable_ftp.sh
+++ b/tests/hardening/2.2.9_disable_ftp.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.3.1_disable_nis.sh
+++ b/tests/hardening/2.3.1_disable_nis.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.3.2_disable_rsh_client.sh
+++ b/tests/hardening/2.3.2_disable_rsh_client.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/2.3.3_disable_talk_client.sh
+++ b/tests/hardening/2.3.3_disable_talk_client.sh
@ -6,5 +6,10 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    ##################################################################
    # For this test, we only check that it runs properly on a blank  #
    # host, and we check root/sudo consistency. But, we don't test   #
    # the apply function because it can't be automated or it is very #
    # long to test and not very useful.                              #
    ##################################################################
 }
--- a/tests/hardening/4.1.1.1_audit_log_storage.sh
+++ b/tests/hardening/4.1.1.1_audit_log_storage.sh
@ -4,7 +4,16 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    mkdir -p /etc/audit
    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] max_log_file is present in /etc/audit/auditd.conf"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
+++ b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh
@ -4,7 +4,20 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    mkdir -p /etc/audit
    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    # to avoid error during auditd installation in 4.1.1.2, only necessary during tests
    sed  -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^space_left_action[[:space:]]*=[[:space:]]*email is present in /etc/audit/auditd.conf"
    register_test contain "[ OK ] ^action_mail_acct[[:space:]]*=[[:space:]]*root is present in /etc/audit/auditd.conf"
    register_test contain "[ OK ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is present in /etc/audit/auditd.conf"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
+++ b/tests/hardening/4.1.1.3_keep_all_audit_logs.sh
@ -4,7 +4,16 @@ test_audit() {
    register_test retvalshouldbe 0
    dismiss_count_for_test
    # shellcheck disable=2154
    mkdir -p /etc/audit
    touch /etc/audit/auditd.conf
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is present in /etc/audit/auditd.conf"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.10_record_dac_edit.sh
+++ b/tests/hardening/4.1.10_record_dac_edit.sh
@ -6,5 +6,17 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ]  -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.11_record_failed_access_file.sh
+++ b/tests/hardening/4.1.11_record_failed_access_file.sh
@ -6,5 +6,18 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+
    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.12_record_privileged_commands.sh
+++ b/tests/hardening/4.1.12_record_privileged_commands.sh
@ -6,5 +6,12 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+   
    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.13_record_successful_mount.sh
+++ b/tests/hardening/4.1.13_record_successful_mount.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.14_record_file_deletions.sh
+++ b/tests/hardening/4.1.14_record_file_deletions.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.15_record_sudoers_edit.sh
+++ b/tests/hardening/4.1.15_record_sudoers_edit.sh
@ -6,5 +6,13 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+     describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"   
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.16_record_sudo_usage.sh
+++ b/tests/hardening/4.1.16_record_sudo_usage.sh
@ -6,5 +6,12 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.17_record_kernel_modules.sh
+++ b/tests/hardening/4.1.17_record_kernel_modules.sh
@ -6,5 +6,14 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules"
    register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/tests/hardening/4.1.18_freeze_auditd_conf.sh
+++ b/tests/hardening/4.1.18_freeze_auditd_conf.sh
@ -6,5 +6,12 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    # TODO fill comprehensive tests
+    describe Correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thibault Ayanides	467e5f178c	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 13:02:02 +01:00
Thibault Ayanides	d244a2e810	fixup! IMP(4.5): rename to 1.6.1.2 improve test	2020-11-17 12:56:10 +01:00
Thibault Ayanides	84bff4ac88	fixup! Move to most recent docker image for buster	2020-11-16 17:07:08 +01:00
Thibault Ayanides	d640a467e2	fixup! IMP(4.1.x): add tests for each checks	2020-11-16 16:54:51 +01:00
Thibault Ayanides	9bfb7efca1	Update changelog	2020-11-16 16:39:47 +01:00
Thibault Ayanides	7b8cca20d6	FIX(4.1.1.2): fix auditd apply	2020-11-09 11:48:48 +01:00
Thibault Ayanides	a6de243808	Rename 6.1.2,6.1.3,6.1.4 to be CIS9 compliant	2020-11-09 09:00:34 +01:00
Thibault Ayanides	7e8c976722	Add disclaimer when checks don't require comprehensive checks modified: tests/hardening/1.1.1.1_disable_freevxfs.sh modified: tests/hardening/1.1.1.2_disable_jffs2.sh modified: tests/hardening/1.1.1.3_disable_hfs.sh modified: tests/hardening/1.1.1.4_disable_hfsplus.sh modified: tests/hardening/1.1.1.5_disable_udf.sh modified: tests/hardening/1.1.1.6_disable_cramfs.sh modified: tests/hardening/1.1.1.7_disable_squashfs.sh modified: tests/hardening/1.1.10_var_tmp_noexec.sh modified: tests/hardening/1.1.11_var_log_partition.sh modified: tests/hardening/1.1.12_var_log_audit_partition.sh modified: tests/hardening/1.1.13_home_partition.sh modified: tests/hardening/1.1.14_home_nodev.sh modified: tests/hardening/1.1.18_removable_device_nodev.sh modified: tests/hardening/1.1.19_removable_device_nosuid.sh modified: tests/hardening/1.1.20_removable_device_noexec.sh modified: tests/hardening/1.1.2_tmp_partition.sh modified: tests/hardening/1.1.3_tmp_nodev.sh modified: tests/hardening/1.1.4_tmp_nosuid.sh modified: tests/hardening/1.1.5_tmp_noexec.sh modified: tests/hardening/1.1.6_var_partition.sh modified: tests/hardening/1.1.7_var_tmp_partition.sh modified: tests/hardening/1.1.8_var_tmp_nodev.sh modified: tests/hardening/1.1.9_var_tmp_nosuid.sh modified: tests/hardening/1.8_install_updates.sh modified: tests/hardening/2.2.10_disable_http_server.sh modified: tests/hardening/2.2.11_disable_imap_pop.sh modified: tests/hardening/2.2.12_disable_samba.sh modified: tests/hardening/2.2.13_disable_http_proxy.sh modified: tests/hardening/2.2.14_disable_snmp_server.sh modified: tests/hardening/2.2.2_disable_xwindow_system.sh modified: tests/hardening/2.2.3_disable_avahi_server.sh modified: tests/hardening/2.2.4_disable_print_server.sh modified: tests/hardening/2.2.5_disable_dhcp.sh modified: tests/hardening/2.2.6_disable_ldap.sh modified: tests/hardening/2.2.7_disable_nfs_rpc.sh modified: tests/hardening/2.2.8_disable_dns_server.sh modified: tests/hardening/2.2.9_disable_ftp.sh modified: tests/hardening/2.3.1_disable_nis.sh modified: tests/hardening/2.3.2_disable_rsh_client.sh modified: tests/hardening/2.3.3_disable_talk_client.sh modified: tests/hardening/2.3.4_telnet_client_not_installed.sh modified: tests/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 16:20:10 +01:00
Thibault Ayanides	ffd5b28840	FIX: fix apt autoremove to be non interactive modified: bin/hardening/2.2.10_disable_http_server.sh modified: bin/hardening/2.2.11_disable_imap_pop.sh modified: bin/hardening/2.2.12_disable_samba.sh modified: bin/hardening/2.2.14_disable_snmp_server.sh modified: bin/hardening/2.2.2_disable_xwindow_system.sh modified: bin/hardening/2.2.3_disable_avahi_server.sh modified: bin/hardening/2.2.4_disable_print_server.sh modified: bin/hardening/2.2.5_disable_dhcp.sh modified: bin/hardening/2.2.6_disable_ldap.sh modified: bin/hardening/2.2.7_disable_nfs_rpc.sh modified: bin/hardening/2.2.8_disable_dns_server.sh modified: bin/hardening/2.2.9_disable_ftp.sh modified: bin/hardening/2.3.1_disable_nis.sh modified: bin/hardening/2.3.2_disable_rsh_client.sh modified: bin/hardening/2.3.3_disable_talk_client.sh modified: bin/hardening/2.3.4_telnet_client_not_installed.sh modified: bin/hardening/2.3.5_ldap_client_not_installed.sh	2020-11-06 14:51:26 +01:00
Thibault Ayanides	ce1e87b1a3	IMP(4.5): rename to 1.6.1.2 improve test	2020-11-06 11:09:22 +01:00
Thibault Ayanides	b5865947ba	Move to most recent docker image for buster	2020-11-06 10:11:46 +01:00
Thibault Ayanides	ee4b2417c2	IMP(4.1.x): add tests for each checks	2020-11-02 15:47:27 +01:00
Thibault Ayanides	5568065c35	IMP(4.1.3): skip on docker (bootloader)	2020-11-02 15:46:45 +01:00
Thibault Ayanides	91a2824246	IMP(5.6): add test	2020-10-30 09:48:36 +01:00
Thibault Ayanides	47f8b7b677	IMP(5.4.4): add test	2020-10-30 09:48:27 +01:00
Thibault Ayanides	728011f846	IMP(5.4.3): add purposely failing test	2020-10-30 09:40:28 +01:00
Thibault Ayanides	17e43753b9	IMP(5.4.1.1-3): add tests and rename some variables	2020-10-30 09:39:42 +01:00
Thibault Ayanides	9aac4c3504	IMP(5.3.4): improve check	2020-10-29 16:47:34 +01:00
Thibault Ayanides	8af91dd6a8	IMP(5.3.1,5.3.2): add tests and upgrade PAM conf	2020-10-29 16:45:15 +01:00
Thibault Ayanides	feefee28e4	IMP(5.3.1): add test and config function for check	2020-10-29 15:35:56 +01:00
Thibault Ayanides	774af39a34	IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh	2020-10-29 11:18:31 +01:00