fix: debian package does not include "versions"

Related to #259: https://github.com/ovh/debian-cis/issues/259

.github/workflows/functionnal-tests.yml

@@ -4,6 +4,13 @@ on:
   - pull_request
   - push
 jobs:
+  functionnal-tests-docker-debian10:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Run the tests debian10
+        run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 11/12 Hardening
+cis-hardening - CIS Debian 10/11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 11/12 Hardening
 
 # DESCRIPTION
 
-Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 11/12 Hardening
+# :lock: CIS Debian 10/11/12 Hardening
 
 
 <p align="center">
@@ -13,7 +13,7 @@
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian11` or `debian12`.
+With `target` being like `debian10` or `debian11`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -254,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
         echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
     fi
 else
-    if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
         echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
         if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
             echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"
@@ -319,7 +319,10 @@ fi
 for SCRIPT in $(find "${CIS_CHECKS_DIR}"/ -name "*.sh" | sort -V); do
     if [ "${#TEST_LIST[@]}" -gt 0 ]; then
         # --only X has been specified at least once, is this script in my list ?
-        if ! grep -qE "$(basename "$SCRIPT")" <<<"${TEST_LIST[@]}"; then
+        SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename "$SCRIPT")")
+        # shellcheck disable=SC2001
+        SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
+        if ! grep -qE "(^|[[:space:]])$SCRIPT_PREFIX_RE([[:space:]]|$)" <<<"${TEST_LIST[@]}"; then
             # not in the list
             continue
         fi

bin/hardening/acc_logindefs_sha512.sh

@@ -59,9 +59,17 @@ check_config() {
     :
 }
 
+# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
+# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
+# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
-    CONF_LINE="ENCRYPT_METHOD YESCRYPT"
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
+    else
+        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
+        CONF_LINE="ENCRYPT_METHOD SHA512"
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_pam_sha512.sh

@@ -49,7 +49,11 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
+            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
+            else
+                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+            fi
         fi
     fi
 }
@@ -63,7 +67,11 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
+    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
+    else
+        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_shadow_sha512.sh

@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # yescrypt: Check password against $y$<salt>$<base64>
-        elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
+        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
             pw_found+="$user "
             ok "User $user has suitable yescrypt hashed password."
         # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@@ -46,7 +46,11 @@ audit() {
             ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
+            if [ "$DEB_MAJ_VER" -ge "11" ]; then
+                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
+            else
+                crit "User $user has a password that is not sha512crypt hashed."
+            fi
         fi
     done
     if [[ -z "$users_reviewed" ]]; then

bin/hardening/check_distribution.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure that the distribution version is debian and supported
+# Ensure that the distribution version is debian and that the version is 9 or 10
 #
 
 set -e # One error, it's over
@@ -22,7 +22,7 @@ audit() {
     if [ "$DISTRIBUTION" != "debian" ]; then
         crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
     else
-        if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is too recent and is not yet supported."
         elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

bin/hardening/enable_lockout_failed_password.sh

@@ -59,14 +59,23 @@ apply() {
         ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
         warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+        fi
     fi
     does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
     else
         warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
+        if [ 10 -ge "$DEB_MAJ_VER" ]; then
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
+        else
+            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
+        fi
+
     fi
 }
 

bin/hardening/record_mac_edit.sh

@@ -17,48 +17,64 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
 
-AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
-AUDIT_FILE='/etc/audit/audit.rules'
-ADDITIONAL_PATH="/etc/audit/rules.d"
-FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    MISSING_PARAMS=()
-    index=0
-    # use find here in order to simplify test usage with sudo using secaudit user
-    FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
-    for i in "${!AUDIT_PARAMS[@]}"; do
-        debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
         SEARCH_RES=0
         for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
             if [ "$FNRET" != 0 ]; then
-                debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
             else
-                ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         done
         if [ "$SEARCH_RES" = 0 ]; then
-            crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
-            MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
-            index=$((index + 1))
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
         fi
     done
+    IFS=$d_IFS
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    audit
-    changes=0
-    for i in "${!MISSING_PARAMS[@]}"; do
-        info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
-        add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
-        changes=1
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
+            if [ "$FNRET" != 0 ]; then
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+            else
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
+            add_end_of_file "$FILE" "$AUDIT_VALUE"
+            eval "$(pkill -HUP -P 1 auditd)"
+        fi
     done
-
-    [ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
+    IFS=$d_IFS
 }
 
 # This function will check config parameters required

bin/hardening/ssh_cry_kex.sh

@@ -73,7 +73,14 @@ apply() {
 }
 
 create_config() {
-    KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
+    set +u
+    debug "Debian version : $DEB_MAJ_VER "
+    if [[ "$DEB_MAJ_VER" -le 7 ]]; then
+        KEX='diffie-hellman-group-exchange-sha256'
+    else
+        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
+    fi
+    set -u
     cat <<EOF
 status=audit
 # Put your KexAlgorithms

bin/hardening/ssh_cry_rekey.sh

@@ -30,7 +30,11 @@ audit() {
         crit "Cannot get Debian version. Aborting..."
         return
     fi
-
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+        set -u
+        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
+        return
+    fi
     set -u
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then

debian/changelog

@@ -1,12 +1,3 @@
-cis-hardening (4.1-5) unstable; urgency=medium
-
-  * drop debian10 and below support
-  * fix: ipv6_is_enabled (#251)
-  * fix: record_mac_edit.sh (#195)
-  * add --set-version to manage multiple cis versions in the future
-
- -- Damien Cavagnini <damien.cavagnini@ovhcloud.com>  Fri, 04 Jul 2025 10:27:18 +0200
-
 cis-hardening (4.1-4) unstable; urgency=medium
 
   * allow multiple users in 5.2.18 (#228)

debian/cis-hardening.8

@@ -4,13 +4,13 @@
 .hy
 .SH NAME
 .PP
-cis-hardening - CIS Debian 11/12 Hardening
+cis-hardening - CIS Debian 10/11/12 Hardening
 .SH SYNOPSIS
 .PP
 \f[B]hardening.sh\f[R] RUN_MODE OPTIONS
 .SH DESCRIPTION
 .PP
-Modular Debian 11/12 security hardening scripts based on the CIS
+Modular Debian 10/11/12 security hardening scripts based on the CIS
 (https://www.cisecurity.org) recommendations.
 .PP
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS

debian/control

@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch, coreutils
+Depends: ${misc:Depends}, patch
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org
  ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

lib/constants.sh

@@ -57,6 +57,6 @@ get_distribution
 get_debian_major_version
 
 # shellcheck disable=SC2034
-SMALLEST_SUPPORTED_DEBIAN_VERSION=11
+SMALLEST_SUPPORTED_DEBIAN_VERSION=10
 # shellcheck disable=SC2034
 HIGHEST_SUPPORTED_DEBIAN_VERSION=12

lib/utils.sh

@@ -53,7 +53,7 @@ set_sysctl_param() {
 #
 
 is_ipv6_enabled() {
-    local SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+    SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
 
     does_sysctl_param_exists "net.ipv6"
     local ENABLE=1
@@ -64,9 +64,7 @@ is_ipv6_enabled() {
             debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
             has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
             if [ "$FNRET" != 0 ]; then
-                # we don't want to fail because ipv6 is enabled
-                # it's just an info that some scripts are going to use to decide what to do
-                info "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
+                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
                 ENABLE=0
             fi
         done
@@ -572,7 +570,11 @@ get_debian_major_version() {
     DEB_MAJ_VER=""
     does_file_exist /etc/debian_version
     if [ "$FNRET" = 0 ]; then
-        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+        if grep -q "sid" /etc/debian_version; then
+            DEB_MAJ_VER="sid"
+        else
+            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
+        fi
     else
         # shellcheck disable=2034
         DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)

tests/docker/Dockerfile.debian10

@@ -0,0 +1,22 @@
+FROM debian:buster
+
+LABEL vendor="OVH"
+LABEL project="debian-cis"
+LABEL url="https://github.com/ovh/debian-cis"
+LABEL description="This image is used to run tests"
+
+RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
+
+COPY --chown=500:500 . /opt/debian-cis/
+
+COPY debian/default /etc/default/cis-hardening
+RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
+
+COPY cisharden.sudoers /etc/sudoers.d/secaudit
+RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
+
+
+ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
+

tests/hardening/acc_logindefs_sha512.sh

@@ -36,4 +36,35 @@ test_audit() {
     register_test contain "is present in /etc/login.defs"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    # shellcheck disable=2154
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    cp /etc/login.defs /tmp/login.defs.bak
+    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
+
+    describe Fail: wrong hash function configuration as sid
+    register_test retvalshouldbe 1
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "(SHA512|yescrypt|YESCRYPT)"
+    run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/hardening/acc_pam_sha512.sh

@@ -21,6 +21,35 @@ test_audit() {
     describe Checking resolved state
     register_test retvalshouldbe 0
     register_test contain "is present in /etc/pam.d/common-password"
-    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
+    # DEB_MAJ_VER cannot be overwritten here;
+    # therefore we need to trick get_debian_major_version
+    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
+    echo "sid" >/etc/debian_version
+
+    describe Running on blank host as sid
+    register_test retvalshouldbe 0
+    register_test contain "(sha512|yescrypt)"
+    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Tests purposely failing as sid
+    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
+    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
+    register_test retvalshouldbe 1
+    register_test contain "is not present"
+    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation as sid
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state as sid
+    register_test retvalshouldbe 0
+    register_test contain "is present in /etc/pam.d/common-password"
+    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    # Cleanup
+    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
+    unset ORIGINAL_DEB_VER
 }

tests/hardening/record_mac_edit.sh

@@ -2,7 +2,8 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
@@ -12,6 +13,6 @@ test_audit() {
 
     describe Checking resolved state
     register_test retvalshouldbe 0
-    register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
+    register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }