build(deps): bump luizm/action-sh-checker from 0.8.0 to 0.9.0

Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest
@@ -34,7 +34,7 @@ jobs:
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v4.1.0
+        uses: metcalfc/changelog-generator@v4.3.1
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v4
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.7.0
+        uses: luizm/action-sh-checker@v0.9.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

.github/workflows/tagged-release.yml

@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v1.0.1
+        uses: dev-drprasad/delete-tag-and-release@v1.1
         with:
           delete_release: true
           tag_name: latest

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 10/11 Hardening
+# :lock: CIS Debian 10/11/12 Hardening
 
 
 <p align="center">
@@ -16,6 +16,9 @@
 Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
+NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
+in production at OVHcloud on Debian 12 Operating Systems.
+
 ```console
 $ bin/hardening.sh --audit-all
 [...]
@@ -40,12 +43,11 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
 ```console
 $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
 $ cp debian/default /etc/default/cis-hardening
-$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" etc/default/cis-hardening
-$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" etc/default/cis-hardening
-$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" etc/default/cis-hardening
-$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" etc/default/cis-hardening
-$ bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
-hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
+$ sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" /etc/default/cis-hardening
+$ sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" /etc/default/cis-hardening
+$ sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" /etc/default/cis-hardening
+$ sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" /etc/default/cis-hardening
+$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit
 1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
 1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
 1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
@@ -244,6 +246,20 @@ built a secure environment. While we use it at OVHcloud to harden our PCI-DSS co
 infrastructure, we can not guarantee that it will work for you. It will not
 magically secure any random host.
 
+A word about numbering, implementation and sustainability over time of this repository:
+This project is born with the Debian 7 distribution in 2016. Over time, CIS Benchmark PDF
+has evolved, changing it's numbering, deleting obsolete checks.
+In order to keep retro-compatiblity with the last maintained Debian, the numbering
+has not been changed along with the PDF, because the configuration scripts are named after it.
+Changing the numbering might break automation for admins using it for years, and handling
+this issue without breaking anything would require a huge refactoring.
+As a consequence, please do not worry about numbering, the checks are there,
+but the numbering accross PDFs might differ.
+Please also note that all the check inside CIS Benchmark PDF might not be implemented
+in this set of scripts.
+We did choose the most relevant to us at OVHcloud, do not hesitate to make a
+Pull Request in order to add the missing script you might find relevant for you.
+
 Additionally, quoting the License:
 
 > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
@@ -257,6 +273,7 @@ Additionally, quoting the License:
 > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+
 ## :satellite: Reference
 
 - **Center for Internet Security**: https://www.cisecurity.org/

bin/hardening.sh

@@ -192,7 +192,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 # if no RUN_MODE was passed, usage and quit
-if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
+if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ] && [ "$SET_HARDENING_LEVEL" -eq 0 ]; then
     usage
 fi
 
@@ -299,7 +299,7 @@ for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
         SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
         # shellcheck disable=SC2001
         SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
-        if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -16,10 +16,9 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
-
 PACKAGE='syslog-ng'
-
-PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+SYSLOG_BASEDIR='/etc/syslog-ng'
+PATTERN='destination[[:alnum:][:space:]*_*{]+(tcp|network|udp)[[:space:]]*\([[:space:]]*\"?[[:alnum:]\-.]+\"?.'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -18,9 +18,9 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
 
 PACKAGE='syslog-ng'
-
+SYSLOG_BASEDIR='/etc/syslog-ng'
 REMOTE_HOST=""
-PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
+PATTERN='source[[:alnum:][:space:]*_*{]+(tcp|network|udp)[[:space:]]*\([[:space:]]*\"?[[:alnum:]\-.]+\"?.'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -37,7 +37,7 @@ audit() {
             fi
         done
 
-        if [[ "$REMOTE_HOST" ]]; then
+        if [[ "$REMOTE_HOST" ]] && [[ "$REMOTE_HOST" != 'false' ]]; then
             info "This is the remote host, checking that it only accepts logs from specified zone"
             if [ "$FOUND" = 1 ]; then
                 ok "$PATTERN is present in $FILES"
@@ -70,7 +70,7 @@ apply() {
             fi
         done
 
-        if [[ "$REMOTE_HOST" ]]; then
+        if [[ "$REMOTE_HOST" ]] && [[ "$REMOTE_HOST" != 'false' ]]; then
             info "This is the remote host, checking that it only accepts logs from specified zone"
             if [ "$FOUND" = 1 ]; then
                 ok "$PATTERN is present in $FILES"

bin/hardening/5.2.18_sshd_limit_access.sh

@@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
+    OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then
         ok "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+        for SSH_OPTION in "${OPTIONS[@]}"; do
             SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
             SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
             # shellcheck disable=SC2001
@@ -53,7 +53,7 @@ apply() {
         crit "$PACKAGE is absent, installing it"
         apt_install "$PACKAGE"
     fi
-    for SSH_OPTION in $OPTIONS; do
+    for SSH_OPTION in "${OPTIONS[@]}"; do
         SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
         SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
         # shellcheck disable=SC2001

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -15,20 +15,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
+DESCRIPTION="Check that the algorithm declared in PAM for password changes is sha512 (or yescrypt for Debian 11+)"
 
 CONF_FILE="/etc/pam.d/common-password"
-CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
+# CONF_LINE is defined in _set_vars_jit below
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    _set_vars_jit
     # Check conf file for default SHA512 hash
     if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
         crit "$CONF_FILE is not readable"
     else
-        if [ "$DEB_MAJ_VER" -ge "11" ]; then
-            CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
-        fi
         # shellcheck disable=SC2001
         does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
         if [ "$FNRET" = 0 ]; then
@@ -41,6 +39,7 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
+    _set_vars_jit
     if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
         crit "$CONF_FILE is not readable"
     else
@@ -50,7 +49,7 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
                 add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
             else
                 add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
@@ -64,6 +63,17 @@ check_config() {
     :
 }
 
+# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
+# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
+# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
+_set_vars_jit() {
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
+    else
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
+    fi
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -19,14 +19,14 @@ DESCRIPTION="Check <from> field in ssh authorized keys files for users with logi
 
 # Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh'
 # shellcheck disable=2089
-REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")"
+REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3})(\/\d{1,2})?)+(?:'|\")"
 REGEX_OK_LINES="(^(#|$)|($REGEX_FROM_IP))"
 AUTHKEYFILE_PATTERN=""
 AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
 
 ALLOWED_IPS=""
 USERS_TO_CHECK=""
-EXCEPTION_USER=""
+EXCEPTION_USERS=""
 
 ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
 
@@ -137,7 +137,10 @@ audit() {
             continue
         else
             info "User $user has a valid shell ($shell)."
-            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
+                info "User $user is named in EXEPTION_USERS and is thus skipped from check."
+                continue
+            elif [ "$user" = "root" ]; then
                 check_dir /root
                 continue
             elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@@ -164,7 +167,7 @@ status=audit
 # Put authorized IPs you want to allow in "from" field of authorized_keys
 ALLOWED_IPS=""
 USERS_TO_CHECK=""
-EXCEPTION_USER=""
+EXCEPTION_USERS=""
 EOF
 }
 

bin/hardening/99.5.2.8_ssh_sys_sandbox.sh

@@ -1,98 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# Legacy CIS Debian Hardening
-#
-
-#
-# 99.5.2.8 Check UsePrivilegeSeparation set to sandbox.
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Check UsePrivilegeSeparation set to sandbox."
-
-PACKAGE='openssh-server'
-OPTIONS='UsePrivilegeSeparation=sandbox'
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        ok "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-            if [ "$FNRET" = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install "$PACKAGE"
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
-            if [ "$FNRET" != 0 ]; then
-                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_LIB_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "${CIS_LIB_DIR}"/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.1 Check that any password that will be created will be SHA512 hashed and salted
+# 99.5.4.5.1 Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
 #
 
 set -e # One error, it's over
@@ -15,38 +15,40 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that will be created will be SHA512 hashed and salted"
+DESCRIPTION="Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)"
 
 CONF_FILE="/etc/login.defs"
-CONF_LINE="ENCRYPT_METHOD SHA512"
+# CONF_LINE and CONF_LINE_REGEX are defined in _set_vars_jit below
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    _set_vars_jit
     # Check conf file for default SHA512 hash
     if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
         crit "$CONF_FILE is not readable"
     else
-        does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE/ /[[:space:]]+}"
+        does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE_REGEX/ /[[:space:]]+}"
         if [ "$FNRET" = 0 ]; then
-            ok "$CONF_LINE is present in $CONF_FILE"
+            ok "$CONF_LINE_REGEX is present in $CONF_FILE"
         else
-            crit "$CONF_LINE is not present in $CONF_FILE"
+            crit "$CONF_LINE_REGEX is not present in $CONF_FILE"
         fi
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE/ /[[:space:]]+}"
+    _set_vars_jit
+    does_pattern_exist_in_file "$CONF_FILE" "^ *${CONF_LINE_REGEX/ /[[:space:]]+}"
     if [ "$FNRET" = 0 ]; then
-        ok "$CONF_LINE is present in $CONF_FILE"
+        ok "$CONF_LINE_REGEX is present in $CONF_FILE"
     else
         warn "$CONF_LINE is not present in $CONF_FILE, adding it"
         does_pattern_exist_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)"
         if [ "$FNRET" != 0 ]; then
             add_end_of_file "$CONF_FILE" "$CONF_LINE"
         else
-            info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+            info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
             replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
         fi
     fi
@@ -57,6 +59,19 @@ check_config() {
     :
 }
 
+# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
+# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
+# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
+_set_vars_jit() {
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
+    else
+        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
+        CONF_LINE="ENCRYPT_METHOD SHA512"
+    fi
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.2 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# 99.5.4.5.2 Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
 #
 
 set -e # One error, it's over
@@ -15,7 +15,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+DESCRIPTION="Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted"
 FILE="/etc/shadow"
 
 # This function will be called if the script status is on enabled / audit mode
@@ -36,13 +36,21 @@ audit() {
         elif [[ $passwd =~ ^!.*$ ]]; then
             pw_found+="$user "
             ok "User $user has a disabled password."
-        # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
+        # yescrypt: Check password against $y$<salt>$<base64>
+        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
+            pw_found+="$user "
+            ok "User $user has suitable yescrypt hashed password."
+        # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
         elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "
-            ok "User $user has suitable SHA512 hashed password."
+            ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            crit "User $user has a password that is not SHA512 hashed."
+            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
+            else
+                crit "User $user has a password that is not sha512crypt hashed."
+            fi
         fi
     done
     if [[ -z "$users_reviewed" ]]; then

debian/changelog

@@ -1,3 +1,25 @@
+cis-hardening (4.1-4) unstable; urgency=medium
+
+  * allow multiple users in 5.2.18 (#228)
+  * Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
+  * Syslog-ng fixes and enhancements (#226)
+  * fix: Allow --only option to be called multiple times (#225)
+  * fix: update Readme to clarify project usage (#223)
+  * fix: typo in README. Update example of --audit usage (#222)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Thu, 18 Jan 2024 09:13:15 +0000
+
+cis-hardening (4.1-3) unstable; urgency=medium
+
+  * Adapt all scripts to yescrypt (#216)
+  * build(deps): bump metcalfc/changelog-generator from 4.1.0 to 4.2.0 (#214)
+  * fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
+  * enh: remove ssh system sandbox check (#213)
+  * build(deps): bump luizm/action-sh-checker from 0.7.0 to 0.8.0 (#210)
+  * feat: advertise Debian 12 compatibility in readme
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Tue, 28 Nov 2023 10:33:04 +0000
+
 cis-hardening (4.1-2) unstable; urgency=medium
 
   * fix: root_dir is still /opt/cis-hardening for the moment (#208)

tests/hardening/4.2.1.5_syslog-ng_remote_host.sh

@@ -38,6 +38,6 @@ EOF
     run subfile "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     # Cleanup
-    rm /etc/syslog-ng/conf.d/1_tcp_destination
+    rm -f /etc/syslog-ng/conf.d/1_tcp_destination
 
 }

tests/hardening/4.2.1.6_remote_syslog-ng_acl.sh

@@ -2,10 +2,37 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
     # shellcheck disable=2154
+    echo 'REMOTE_HOST="true"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # TODO fill comprehensive tests
+    cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak
+    echo "source mySyslog tcp (\"127.0.0.1\")" >>/etc/syslog-ng/syslog-ng.conf
+
+    describe Checking one line conf
+    register_test retvalshouldbe 0
+    run oneline "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
+    cat >>/etc/syslog-ng/syslog-ng.conf <<EOF
+    source mySyslog {
+    tcp ("127.0.0.1"),
+    port(1234),
+EOF
+
+    describe Checking mutliline conf
+    register_test retvalshouldbe 0
+    run multiline "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    mv /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf
+    echo "source mySyslog tcp (\"127.0.0.1\")" >>/etc/syslog-ng/conf.d/1_tcp_source
+    cat /etc/syslog-ng/conf.d/1_tcp_source
+
+    describe Checking file in subdirectory
+    register_test retvalshouldbe 0
+    run subfile "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    rm -f /etc/syslog-ng/conf.d/1_tcp_source
+
 }

tests/hardening/5.2.18_sshd_limit_access.sh

@@ -22,4 +22,109 @@ test_audit() {
     register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
     register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Check and report mismatch for allowed user
+    useradd -s /bin/bash johnallow
+    sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply allowed user
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple allowed users
+    useradd -s /bin/bash janeallow
+    sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple allowed users
+    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    tail -n 5 /etc/ssh/sshd_config
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset allowed users to default before continuing
+    sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+
+    describe Check and report mismatch for denied user
+    useradd -s /bin/bash peterdeny
+    sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply denied user
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
+
+    describe Check and report mismatch for multiple denied users
+    useradd -s /bin/bash marrydeny
+    sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    register_test retvalshouldbe 1
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correctly apply multiple denied users
+    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    # and check again that the fix was correctly applied
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # reset to prevent other test from possibly failing in the future
+    sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
+    run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    userdel johnallow
+    userdel janeallow
+    userdel peterdeny
+    userdel marrydeny
 }

tests/hardening/5.3.4_acc_pam_sha512.sh

@@ -3,7 +3,53 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"
+    register_test contain "is present in /etc/pam.d/common-password"
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Tests purposely failing
+    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
+    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
+    register_test retvalshouldbe 1
+    register_test contain "is not present"
+    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "is present in /etc/pam.d/common-password"
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(sha512|yescrypt)"
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Tests purposely failing as sid
+    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
+    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
+    register_test retvalshouldbe 1
+    register_test contain "is not present"
+    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "is present in /etc/pam.d/common-password"
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/hardening/99.5.2.4_ssh_keys_from.sh

@@ -2,7 +2,7 @@
 # run-shellcheck
 test_audit() {
     # shellcheck disable=2154
-    echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
 
     skip_tests
     # shellcheck disable=2154
@@ -12,12 +12,29 @@ test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
     dismiss_count_for_test
+    register_test contain "[INFO] User root has a valid shell"
     register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
     register_test contain "[INFO] User jeantestuser has a valid shell"
     register_test contain "[INFO] User jeantestuser has no home directory"
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
+    mkdir -p /root/.ssh
+    ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
+    cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
+    describe Check /root is used for root user instead of home by placing key without from field
+    register_test retvalshouldbe 1
+    run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    useradd -s /bin/bash exceptiontestuser
+    describe Check multiple exception users are skipped
+    register_test retvalshouldbe 0
+    register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
+    register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
+    # shellcheck disable=2154
+    run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
     mkdir -p /home/secaudit/.ssh
     touch /home/secaudit/.ssh/authorized_keys2
     describe empty authorized keys file
@@ -55,11 +72,11 @@ test_audit() {
     run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     # shellcheck disable=2016
-    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
     {
         echo -n 'from="10.0.1.2",command="echo bla" '
         cat /tmp/key1.pub
-        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
+        echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
         cat /tmp/key1.pub
     } >>/home/secaudit/.ssh/authorized_keys2
     describe Key with from and command options
@@ -74,7 +91,9 @@ test_audit() {
     run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     # Cleanup
+    userdel exceptiontestuser
     userdel jeantestuser
     userdel -r jeantest2
-    rm -f /tmp/key1 /tmp/key1.pub
+    rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
+    rm -rf /root/.ssh
 }

tests/hardening/99.5.2.8_ssh_sys_sandbox.sh

@@ -1,22 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 1
-    register_test contain "openssh-server is installed"
-    # shellcheck disable=2154
-    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Correcting situation
-    # `apply` performs a service reload after each change in the config file
-    # the service needs to be started for the reload to succeed
-    service ssh start
-    # if the audit script provides "apply" option, enable and run it
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" || true
-
-    describe Checking resolved state
-    register_test retvalshouldbe 0
-    register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
-    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-}

tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -3,7 +3,7 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    register_test contain "ENCRYPT_METHOD SHA512 is present in /etc/login.defs"
+    register_test contain "is present in /etc/login.defs"
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
@@ -11,7 +11,7 @@ test_audit() {
     describe Line as comment
     sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs
     register_test retvalshouldbe 1
-    register_test contain "SHA512 is not present"
+    register_test contain "is not present in /etc/login.defs"
     run commented "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     rm /etc/login.defs
@@ -24,15 +24,47 @@ test_audit() {
     sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs
     describe Fail: wrong hash function configuration
     register_test retvalshouldbe 1
-    register_test contain "SHA512 is not present"
+    register_test contain "is not present in /etc/login.defs"
     run wrongconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     describe Correcting situation
-    sed -i 's/disabled/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
     "${CIS_CHECKS_DIR}/${script}.sh" || true
 
     describe Checking resolved state
-    mv /tmp/login.defs.bak /etc/login.defs
     register_test retvalshouldbe 0
+    register_test contain "is present in /etc/login.defs"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    # shellcheck disable=2154
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cp /etc/login.defs /tmp/login.defs.bak
+    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
+
+    describe Fail: wrong hash function configuration as sid
+    register_test retvalshouldbe 1
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -12,7 +12,7 @@ test_audit() {
     sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow
     describe Fail: Found unsecure password
     register_test retvalshouldbe 1
-    register_test contain "User secaudit has a password that is not SHA512 hashed"
+    register_test contain "User secaudit has a password that is not"
     run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
@@ -27,7 +27,7 @@ secaudit:mypassword
 EOF
     describe Pass: Found properly hashed password
     register_test retvalshouldbe 0
-    register_test contain "User secaudit has suitable SHA512 hashed password"
+    register_test contain "User secaudit has suitable"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     chpasswd -c SHA512 -s 1000 <<EOF
@@ -35,6 +35,6 @@ secaudit:mypassword
 EOF
     describe Pass: Found properly hashed password with custom round number
     register_test retvalshouldbe 0
-    register_test contain "User secaudit has suitable SHA512 hashed password"
+    register_test contain "User secaudit has suitable"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }

tests/launch_tests.sh

@@ -140,6 +140,11 @@ _run() {
     echo $? >"$outdir/$usecase_name.retval"
     ret=$(<"$outdir"/"$usecase_name".retval)
     get_stdout
+    if [ -s "$outdir/${usecase_name}_err.log" ]; then
+        echo ">>> stderr follows"
+        cat "$outdir/${usecase_name}_err.log"
+        echo "<<< end of stderr"
+    fi
 }
 
 # Load assertion functions for functionnal tests