Update changelog for release 3.2-2 (#135)

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
         with:
           delete_release: true
           tag_name: latest
@@ -29,12 +29,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # GET LATEST VERSION TAG
       - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.4.1
         id: get-latest-tag
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v0.4.4
+        uses: metcalfc/changelog-generator@v1.0.0
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v2
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.1.12
+        uses: luizm/action-sh-checker@v0.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

.github/workflows/tagged-release.yml

@@ -35,7 +35,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.1.3
+        uses: dev-drprasad/delete-tag-and-release@v0.2.0
         with:
           delete_release: true
           tag_name: latest

bin/hardening.sh

@@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
 SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 BATCH_MODE=''
+SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
 
@@ -101,9 +102,13 @@ OPTIONS:
         Finally note that '--sudo' mode only works for audit mode.
 
     --set-log-level <level>
-        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
+        This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
+    --summary-json
+        While performing system audit, this option sets LOGLEVEL to silent and
+        only output a json summary at the end
+
     --batch
         While performing system audit, this option sets LOGLEVEL to 'ok' and
         captures all output to print only one line once the check is done, formatted like :
@@ -165,6 +170,10 @@ while [[ $# -gt 0 ]]; do
     --sudo)
         SUDO_MODE='--sudo'
         ;;
+    --summary-json)
+        SUMMARY_JSON='--summary-json'
+        ASK_LOGLEVEL=silent
+        ;;
     --batch)
         BATCH_MODE='--batch'
         ASK_LOGLEVEL=ok
@@ -299,19 +308,19 @@ for SCRIPT in $(find "$CIS_ROOT_DIR"/bin/hardening/ -name "*.sh" | sort -V); do
     info "Treating $SCRIPT"
     if [ "$CREATE_CONFIG" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --create-config-files-only"
-        "$SCRIPT" --create-config-files-only "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --create-config-files-only "$BATCH_MODE"
     elif [ "$AUDIT" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$AUDIT_ALL_ENABLE_PASSED" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
-        "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT" --audit-all "$SUDO_MODE" "$BATCH_MODE"
     elif [ "$APPLY" = 1 ]; then
         debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
-        "$SCRIPT"
+        LOGLEVEL=$LOGLEVEL "$SCRIPT"
     fi
 
     SCRIPT_EXITCODE=$?
@@ -355,6 +364,18 @@ if [ "$BATCH_MODE" ]; then
         BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
     fi
     becho "$BATCH_SUMMARY"
+elif [ "$SUMMARY_JSON" ]; then
+    if [ "$TOTAL_TREATED_CHECKS" != 0 ]; then
+        CONFORMITY_PERCENTAGE=$(div $((PASSED_CHECKS * 100)) $TOTAL_TREATED_CHECKS)
+    else
+        CONFORMITY_PERCENTAGE=0 # No check runned, avoid division by 0
+    fi
+    printf '{'
+    printf '"available_checks": %s, ' "$TOTAL_CHECKS"
+    printf '"run_checks": %s, ' "$TOTAL_TREATED_CHECKS"
+    printf '"passed_checks": %s, ' "$PASSED_CHECKS"
+    printf '"conformity_percentage": %s' "$CONFORMITY_PERCENTAGE"
+    printf '}\n'
 else
     printf "%40s\n" "################### SUMMARY ###################"
     printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -26,7 +26,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else
@@ -41,7 +41,7 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
         else

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -26,7 +26,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else
@@ -41,7 +41,7 @@ apply() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
         else

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -17,12 +17,20 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 
+EXCEPTIONS=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
+    if [ -n "$EXCEPTIONS" ]; then
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         # shellcheck disable=SC2001
@@ -35,8 +43,15 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
+        warn "Setting sticky bit on world writable directories"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
     else
         ok "All world writable directories have a sticky bit, nothing to apply"

bin/hardening/1.5.1_bootloader_ownership.sh

@@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -33,7 +34,7 @@ audit() {
         crit "$FILE ownership was not set to $USER:$GROUP"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -51,7 +52,7 @@ apply() {
         chown "$USER":"$GROUP" "$FILE"
     fi
 
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
+    has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
     if [ "$FNRET" = 0 ]; then
         ok "$FILE has correct permissions"
     else
@@ -63,7 +64,7 @@ apply() {
 # This function will check config parameters required
 check_config() {
 
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
         warn "Grub is not installed, not handling configuration"
         exit 2

bin/hardening/1.5.2_bootloader_password.sh

@@ -55,9 +55,9 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    is_pkg_installed "grub-pc"
+    is_pkg_installed "grub-common"
     if [ "$FNRET" != 0 ]; then
-        warn "grub-pc is not installed, not handling configuration"
+        warn "Grub is not installed, not handling configuration"
         exit 2
     fi
     if [ "$FNRET" != 0 ]; then

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -33,7 +33,7 @@ audit() {
     done
 
     if [ "$ERROR" = 0 ]; then
-        is_pkg_installed "grub-pc"
+        is_pkg_installed "grub-common"
         if [ "$FNRET" != 0 ]; then
             if [ "$IS_CONTAINER" -eq 1 ]; then
                 ok "Grub is not installed in container"

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -32,8 +32,8 @@ audit() {
         fi
     done
     if [ "$ERROR" = 0 ]; then
-        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+        RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
-        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+        RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode." || true)
 
         if [ -n "$RESULT_UNCONFINED" ]; then
             ok "No profiles are unconfined"
@@ -61,8 +61,8 @@ apply() {
         fi
     done
 
-    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined" || true)
-    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode." || true)
 
     if [ -n "$RESULT_UNCONFINED" ]; then
         ok "No profiles are unconfined"

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
+    status=$(systemctl is-enabled "$SERVICE_NAME")
-    if [ "$FNRET" = 0 ]; then
+    if [ "$status" = "enabled" ]; then
         ok "$SERVICE_NAME is enabled"
     else
         crit "$SERVICE_NAME is disabled"

bin/hardening/2.2.1.3_configure_chrony.sh

@@ -25,17 +25,11 @@ CONF_FILE='/etc/chrony/chrony.conf'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
+        ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
-        does_pattern_exist_in_file "$CONF_FILE" "$CONF_DEFAULT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$CONF_DEFAULT_PATTERN not found in $CONF_FILE"
-        else
-            ok "$CONF_DEFAULT_PATTERN found in $CONF_FILE"
-        fi
     fi
 }
 
@@ -46,7 +40,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/2.2.1.4_configure_ntp.sh

@@ -20,30 +20,24 @@ DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters an
 HARDENING_EXCEPTION=ntp
 
 PACKAGE='ntp'
-NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|kod notrap nomodify nopeer noquery|ignore)'
 NTP_CONF_FILE='/etc/ntp.conf'
 NTP_INIT_PATTERN='RUNASUSER=ntp'
 NTP_INIT_FILE='/etc/init.d/ntp'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
     if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
+        crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
     else
-        ok "$PACKAGE is installed, checking configuration"
+        ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
-        does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"
+    fi
-        if [ "$FNRET" != 0 ]; then
+    does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
-            crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+    if [ "$FNRET" != 0 ]; then
-        else
+        crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-            ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+    else
-        fi
+        ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
-        does_pattern_exist_in_file "$NTP_INIT_FILE" "^$NTP_INIT_PATTERN"
-        if [ "$FNRET" != 0 ]; then
-            crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
-        else
-            ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
-        fi
     fi
 }
 
@@ -77,7 +71,11 @@ apply() {
 
 # This function will check config parameters required
 check_config() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        warn "$PACKAGE is not installed, not handling configuration"
+        exit 2
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/3.4.2_disable_sctp.sh

@@ -28,7 +28,7 @@ audit() {
         # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
         ok "Container detected, consider host enforcing or disable this check!"
     else
-        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+        is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
         if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
             crit "$MODULE_NAME is enabled!"
         else

bin/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -36,7 +36,17 @@ audit() {
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -64,8 +74,13 @@ apply() {
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -36,7 +36,17 @@ audit() {
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -59,13 +69,18 @@ apply() {
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
-            warn "$PATTERN is not present in $FILE, adding it"
+            warn "$PATTERN is not present in $FILE"
             does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.4.5_default_timeout.sh

@@ -31,7 +31,7 @@ audit() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
                     debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                 else
@@ -41,7 +41,7 @@ audit() {
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
@@ -64,7 +64,7 @@ apply() {
             debug "$FILE_SEARCHED is a directory"
             # shellcheck disable=2044
             for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "$PATTERN"
                 if [ "$FNRET" != 0 ]; then
                     debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
                 else
@@ -74,7 +74,7 @@ apply() {
                 fi
             done
         else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$PATTERN"
             if [ "$FNRET" != 0 ]; then
                 debug "$PATTERN is not present in $FILE_SEARCHED"
             else
@@ -87,8 +87,7 @@ apply() {
         warn "$PATTERN is not present in $FILES_TO_SEARCH"
         touch "$FILE"
         chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
+        add_end_of_file "$FILE" "readonly $PATTERN$VALUE"
-        add_end_of_file "$FILE" "readonly TMOUT"
         add_end_of_file "$FILE" "export TMOUT"
     else
         ok "$PATTERN is present in $FILES_TO_SEARCH"

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -17,12 +17,21 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"
 
+EXCLUDED=''
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
+
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable files are present"
         # shellcheck disable=SC2001
@@ -35,7 +44,13 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         warn "chmoding o-w all files in the system"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w

bin/hardening/6.1.11_find_unowned_files.sh

@@ -26,7 +26,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
@@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -26,7 +26,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
@@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -24,7 +24,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
     fi

bin/hardening/6.1.14_find_sgid_files.sh

@@ -24,7 +24,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
     fi

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -49,7 +49,6 @@ apply() {
             info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
             replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
         fi
-        /etc/init.d/ssh reload >/dev/null 2>&1
     fi
 }
 

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
-        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+        elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "
             ok "User $user has suitable SHA512 hashed password."
         else

cisharden.sudoers

@@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /sbin/sysctl -a,\
                         /bin/dmesg "",\
                         /bin/netstat,\
+                        /usr/sbin/lsmod,\
+                        /sbin/lsmod,\
+                        /sbin/modprobe,\
+                        /usr/sbin/modprobe -n -v*,\
                         /usr/sbin/apparmor_status
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

debian/changelog

@@ -1,3 +1,47 @@
+cis-hardening (3.2-2) unstable; urgency=medium
+
+  * Fix empty fstab test 
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 08 Dec 2021 13:59:49 +0100
+
+cis-hardening (3.2-1) unstable; urgency=medium
+
+  - Skip NTP and Chrony config check if they are not installed (#120)
+  - Fix 3.4.2 audit rule (#123)
+  - Fix grub detection (#119)
+  - Allow grub.cfg permission to be 600 (#121)
+  - Honor --set-log-level parameter (#127)
+  - fix: kernel module detection (#129)
+  - Add silent mode and json summary (#128)
+  - FIX(1.7.1.4): don't abort script in case of unconfined processes (#130)
+  - FIX(2.2.1.4): Validate debian default ntp config (#118)
+  - 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112)
+  - Fix 5.4.5 pattern search (#108)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Wed, 01 Dec 2021 10:56:47 +0000
+
+cis-hardening (3.1-6) unstable; urgency=medium
+
+  * Improve EXCEPTIONS management (1.1.21,6.1.10)
+  * Fix bug linked with regex quoting (6.1.10-11-12-13-14)
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Wed, 02 Jun 2021 09:45:40 +0200
+
+cis-hardening (3.1-5) unstable; urgency=medium
+
+  * Fix unbound EXCEPTIONS variable in some cases
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Fri, 28 May 2021 15:02:34 +0200
+
+cis-hardening (3.1-4) unstable; urgency=medium
+
+  * Add test to check stderr is empty
+  * Fix 2.2.1.2 audit and apply
+  * Accept lower values as valid 5.2.7 and 5.2.23
+  * Add dir exceptions in 1.1.21 and 6.1.10
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 06 May 2021 10:07:22 +0200
+
 cis-hardening (3.1-3) unstable; urgency=medium
 
   * Fix 4.1.11 permissions

lib/common.sh

@@ -25,6 +25,9 @@ backup_file() {
 #
 
 case $LOGLEVEL in
+silent)
+    MACHINE_LOG_LEVEL=0
+    ;;
 error)
     MACHINE_LOG_LEVEL=1
     ;;

lib/main.sh

@@ -10,9 +10,16 @@ BATCH_OUTPUT=""
 status=""
 forcedstatus=""
 SUDO_CMD=""
+SAVED_LOGLEVEL=""
 
+if [ -n "${LOGLEVEL:-}" ]; then
+    SAVED_LOGLEVEL=$LOGLEVEL
+fi
 # shellcheck source=../etc/hardening.cfg
 [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
+if [ -n "$SAVED_LOGLEVEL" ]; then
+    LOGLEVEL=$SAVED_LOGLEVEL
+fi
 # shellcheck source=../lib/common.sh
 [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
 # shellcheck source=../lib/utils.sh

lib/utils.sh

@@ -384,9 +384,9 @@ is_kernel_option_enabled() {
         fi
     else
         if [ "$MODPROBE_FILTER" != "" ]; then
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
         else
-            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
+            DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
         fi
 
         if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
@@ -415,9 +415,9 @@ is_kernel_option_enabled() {
 is_a_partition() {
     local PARTITION=$1
     FNRET=128
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
         debug "/etc/fstab not found or empty, searching mountpoint"
-        if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
+        if mountpoint -q "$PARTITION"; then
             FNRET=0
         fi
     else
@@ -448,8 +448,8 @@ is_mounted() {
 has_mount_option() {
     local PARTITION=$1
     local OPTION=$2
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
-        debug "/etc/fstab not found or empty, readin current mount options"
+        debug "/etc/fstab not found or empty, reading current mount options"
         has_mounted_option "$PARTITION" "$OPTION"
     else
         if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then

tests/hardening/1.1.15_run_shm_nodev.sh

@@ -2,15 +2,14 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup

tests/hardening/1.1.16_run_shm_nosuid.sh

@@ -3,14 +3,13 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup

tests/hardening/1.1.17_run_shm_noexec.sh

@@ -3,14 +3,13 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     ln -s /dev/shm /run/shm
 
     describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     # Cleanup

tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,29 +1,35 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/exception
+    chmod 777 /home/secaudit/exception
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "All world writable directories have a sticky bit"
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
-        describe Tests purposely failing
-        local targetdir="/home/secaudit/world_writable_folder"
-        mkdir $targetdir || true
-        chmod 777 "$targetdir"
-        register_test retvalshouldbe 1
-        register_test contain "Some world writable directories are not on sticky bit mode"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe correcting situation
+    describe Tests purposely failing
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    local targetdir="/home/secaudit/world_writable_folder"
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    mkdir $targetdir || true
+    chmod 777 "$targetdir"
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All world writable directories have a sticky bit"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "All world writable directories have a sticky bit"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }

tests/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -7,6 +7,22 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    echo "maxsessions 1" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 1 is lower than recommended 10"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "maxsessions 15" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 15 is higher than recommended 10"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Correcting situation
     # `apply` performs a service reload after each change in the config file
     # the service needs to be started for the reload to succeed

tests/hardening/5.2.7_sshd_maxauthtries.sh

@@ -7,6 +7,22 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 2 is lower than recommended 4"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 6 is higher than recommended 4"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Correcting situation
     # `apply` performs a service reload after each change in the config file
     # the service needs to be started for the reload to succeed

tests/hardening/6.1.10_find_world_writable_file.sh

@@ -1,32 +1,33 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 
-    #run this test only if we're not in docker
+    describe Running on blank host
-    if [ -f "/.dockerenv" ]; then
+    register_test retvalshouldbe 0
-        skip "SKIPPED on docker"
+    register_test contain "No world writable files found"
-    else
+    # shellcheck disable=2154
-        describe Running on blank host
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        # shellcheck disable=2154
-        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Tests purposely failing
+    describe Tests purposely failing
-        local targetfile="/home/secaudit/worldwritable"
+    local targetfile="/home/secaudit/worldwritable"
-        touch "$targetfile"
+    touch "$targetfile"
-        chmod 777 "$targetfile"
+    chmod 777 "$targetfile"
-        register_test retvalshouldbe 1
+    register_test retvalshouldbe 1
-        register_test contain "Some world writable files are present"
+    register_test contain "Some world writable files are present"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe correcting situation
+    describe correcting situation
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "No world writable files found"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }

tests/hardening/6.1.11_find_unowned_files.sh

@@ -1,6 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/6.1.11/
+    touch /home/secaudit/6.1.11/test
+    chown 1200 /home/secaudit/6.1.11/test
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "No unowned files found"

tests/hardening/6.1.12_find_ungrouped_files.sh

@@ -1,6 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/6.1.12/
+    touch /home/secaudit/6.1.12/test
+    chown 1200:1200 /home/secaudit/6.1.12/test
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "No ungrouped files found"

tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -29,4 +29,12 @@ EOF
     register_test retvalshouldbe 0
     register_test contain "User secaudit has suitable SHA512 hashed password"
     run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    chpasswd -c SHA512 -s 1000 <<EOF
+secaudit:mypassword
+EOF
+    describe Pass: Found properly hashed password with custom round number
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has suitable SHA512 hashed password"
+    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }

tests/launch_tests.sh

@@ -131,12 +131,12 @@ play_consistency_tests() {
     fi
 }
 
-# Actually runs one signel audit script
+# Actually runs one single audit script
 _run() {
     usecase_name=$1
     shift
     printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
-    bash -c "$*" >"$outdir/$usecase_name.log" && true
+    bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
     echo $? >"$outdir/$usecase_name.retval"
     ret=$(<"$outdir"/"$usecase_name".retval)
     get_stdout
@@ -188,15 +188,25 @@ for test_file in $tests_list; do
     echo ""
 done
 
+stderrunexpected=""
+for file in "$outdir"/*_err.log; do
+    if [ -s "$file" ]; then
+        stderrunexpected="$stderrunexpected $(basename "$file")"
+    fi
+done
+
 printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
-if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
+if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
     echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
+    echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
+
 else
     (
         echo -e "\033[41mOne or more tests failed :(\033[0m"
         echo -e "- $nbfailedret unexpected return values ${listfailedret}"
         echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
         echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
+        echo -e "- stderr detected on $stderrunexpected"
     ) | tee "$outdir"/summary
 fi
 echo