bump to 3.8-1

Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.0
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest
@@ -34,7 +34,7 @@ jobs:
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v3.0.0
+        uses: metcalfc/changelog-generator@v4.1.0
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v3
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.4.0
+        uses: luizm/action-sh-checker@v0.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

.github/workflows/tagged-release.yml

@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.0
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -19,6 +19,10 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 
 EXCEPTIONS=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
@@ -26,13 +30,17 @@ audit() {
         # maybe EXCEPTIONS allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -19,6 +19,10 @@ DESCRIPTION="Ensure no world writable files exist"
 
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
@@ -26,13 +30,17 @@ audit() {
         # maybe EXCLUDED allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then

bin/hardening/6.1.11_find_unowned_files.sh

@@ -20,6 +20,10 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are unowned files"
@@ -27,13 +31,17 @@ audit() {
         # maybe EXCLUDED allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -20,6 +20,10 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are ungrouped files"
@@ -27,13 +31,18 @@ audit() {
         # maybe EXCLUDED allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then

bin/hardening/6.1.13_find_suid_files.sh

@@ -18,6 +18,10 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are suid files"
@@ -25,13 +29,17 @@ audit() {
         # maybe IGNORED_PATH allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     BAD_BINARIES=""

bin/hardening/6.1.14_find_sgid_files.sh

@@ -18,6 +18,10 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are sgid files"
@@ -25,13 +29,18 @@ audit() {
         # maybe IGNORED_PATH allow us to filter out some FS
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
         FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     BAD_BINARIES=""

bin/hardening/6.2.9_users_homedir_ownership.sh

@@ -23,30 +23,13 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    debug "Checking homedir exists"
-    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERID=$(awk -F: '{print $2}' <<<"$LINE")
-        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
-            crit "The home directory ($DIR) of user $USER does not exist."
-            ERRORS=$((ERRORS + 1))
-        fi
-    done
-
-    if [ "$ERRORS" = 0 ]; then
-        ok "All home directories exists"
-    fi
-    debug "Checking homedir ownership"
     RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
     for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: '{print $1}' <<<"$LINE")
         USERID=$(awk -F: '{print $2}' <<<"$LINE")
         DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+        if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
             OWNER=$(stat -L -c "%U" "$DIR")
             if [ "$OWNER" != "$USER" ]; then
                 EXCEP_FOUND=0

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
+MAX_FILES_TO_LOG=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # expand spaces to [[:space:]]*
+    # shellcheck disable=2001
+    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+
+    local skiplog
+    skiplog=0
+    if [ $MAX_FILES_TO_LOG != 0 ]; then
+        # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
+        # logging in the loop, to avoid flooding the logs and getting timed out
+        local nbfiles
+        # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
+        nbfiles=$(ls -f "$DIRECTORY" | wc -l)
+        if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
+            skiplog=1
+            info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
+        fi
+    fi
+
     FILES=""
     if $SUDO_CMD [ ! -r "$FILE" ]; then
         crit "$FILE is not readable"
@@ -43,12 +62,12 @@ audit() {
         if $SUDO_CMD [ ! -r "$file" ]; then
             crit "$file is not readable"
         else
-            # shellcheck disable=2001
-            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
-                ok "There is no carte-blanche sudo permission in $file"
+            if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
+                if [ $skiplog = 0 ]; then
+                    ok "There is no carte-blanche sudo permission in $file"
+                fi
             else
-                # shellcheck disable=2001
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
+                RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
                 for line in $RET; do
                     if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
                         # shellcheck disable=2001
@@ -73,8 +92,16 @@ apply() {
 create_config() {
     cat <<EOF
 status=audit
+
 # Put EXCEPTION account names here, space separated
 EXCEPT="root %root %sudo %wheel"
+
+# If we find more than this amount of files in sudoers.d/,
+# we'll reduce the logging in the loop to avoid getting
+# timed out because we spend too much time logging.
+# Using 0 disables this feature and will never reduce the
+# logging, regardless of the number of files.
+MAX_FILES_TO_LOG=0
 EOF
 }
 # This function will check config parameters required

debian/changelog

@@ -1,3 +1,15 @@
+cis-hardening (3.8-1) unstable; urgency=medium
+
+  * fix: timeout of 99.1.3 (#168)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Thu, 23 Mar 2023 10:00:06 +0000
+
+cis-hardening (3.7-1) unstable; urgency=medium
+
+  * feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
+
+ -- Yannick Martin <yannick.martin@ovhcloud.com>  Mon, 04 Jul 2022 14:34:03 +0200
+
 cis-hardening (3.6-1) unstable; urgency=medium
 
   * feat: Filter the filesystem to check when the list is built. (#156)

tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -23,6 +23,12 @@ test_audit() {
     register_test contain "Some world writable directories are not on sticky bit mode"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.10_find_world_writable_file.sh

@@ -23,6 +23,12 @@ test_audit() {
     register_test contain "Some world writable files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.11_find_unowned_files.sh

@@ -24,6 +24,12 @@ test_audit() {
     register_test contain "Some unowned files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some unowned files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh || true

tests/hardening/6.1.12_find_ungrouped_files.sh

@@ -24,6 +24,12 @@ test_audit() {
     register_test contain "Some ungrouped files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some ungrouped files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.13_find_suid_files.sh

@@ -21,6 +21,12 @@ test_audit() {
     register_test contain "$targetfile"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some suid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     chmod 700 $targetfile
 

tests/hardening/6.1.14_find_sgid_files.sh

@@ -22,6 +22,12 @@ test_audit() {
     register_test contain "$targetfile"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some sgid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     chmod 700 $targetfile
 

tests/hardening/6.2.3_users_homedir_exist.sh

@@ -3,7 +3,6 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 

tests/hardening/6.2.9_users_homedir_ownership.sh

@@ -1,14 +1,8 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running void to generate the conf file that will later be edited
-    # shellcheck disable=2154
-    /opt/debian-cis/bin/hardening/"${script}".sh || true
-    echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
-
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
@@ -22,7 +16,7 @@ test_audit() {
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     describe correcting situation
-    echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo "EXCEPTIONS=\"/home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
 
     describe Checking resolved state
     register_test retvalshouldbe 0

tests/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -28,6 +28,19 @@ test_audit() {
     register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
     run userexcept /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    # testing the MAX_FILES_TO_LOG config option
+    echo 'MAX_FILES_TO_LOG=1' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=1
+    register_test retvalshouldbe 0
+    register_test contain "won't log every file we check"
+    run maxlogfiles_1 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo 'MAX_FILES_TO_LOG=9999' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=9999
+    register_test retvalshouldbe 0
+    register_test contain "There is no carte-blanche sudo permission in"
+    run maxlogfiles_9999 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     rm -f /etc/sudoers.d/jeantestuser
     userdel jeantestuser
 }