fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/installed/encryption-setup.sh

@@ -31,7 +31,7 @@ EOF
 if [ -f /etc/crypttab ]; then
     echo "Verifying crypttab configuration..."
     # Ensure crypttab has proper options
-    sed -i 's/luks$/luks,discard,cipher=aes-xts-plain64,key-size=512/g' /etc/crypttab
+    sed -i '/\/dev\/mapper\|^#/!s/\bluks\b/luks,discard,cipher=aes-xts-plain64,key-size=512/' /etc/crypttab
 fi
 
 # Configure initramfs to include necessary modules for decryption
@@ -99,8 +99,8 @@ Recovery Information:
 
 Commands:
 - Check encryption status: cryptsetup status cryptroot
-- Add additional passphrase: cryptsetup luksAddKey /dev/sda3
-- List key slots: cryptsetup luksDump /dev/sda3
+- Add additional passphrase: cryptsetup luksAddKey $(find-luks-device.sh)
+- List key slots: cryptsetup luksDump $(find-luks-device.sh)
 
 WARNING: Losing the encryption passphrase will result in
 permanent data loss. There is NO backdoor or recovery mechanism
@@ -138,11 +138,18 @@ for dev in /dev/mapper/*; do
 done
 echo ""
 
-# Check LUKS container details
-if [ -b /dev/sda3 ]; then
-    echo "LUKS Container Information:"
+# Check LUKS container details (dynamic device discovery)
+LUKS_DEV=""
+for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
+    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
+        LUKS_DEV="$dev"
+        break
+    fi
+done
+if [ -n "$LUKS_DEV" ]; then
+    echo "LUKS Container Information ($LUKS_DEV):"
     echo "---------------------------"
-    cryptsetup luksDump /dev/sda3 | head -20
+    cryptsetup luksDump "$LUKS_DEV" | head -20
     echo ""
 fi
 
@@ -160,6 +167,45 @@ EOF
 
 chmod +x /usr/local/bin/check-encryption.sh
 
+# Create LUKS device discovery helper
+cat > /usr/local/bin/find-luks-device.sh <<'EOF'
+#!/bin/bash
+# Discover the LUKS encrypted partition dynamically
+set -euo pipefail
+
+# Method 1: Check crypttab for the root device
+if [ -f /etc/crypttab ]; then
+    while read -r name device _ _; do
+        [ -z "$name" ] || [ "$name" = "#" ] && continue
+        if [ -b "$device" ] && cryptsetup isLuks "$device" 2>/dev/null; then
+            echo "$device"
+            exit 0
+        fi
+    done < /etc/crypttab
+fi
+
+# Method 2: Check common partition layouts
+for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
+    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
+        echo "$dev"
+        exit 0
+    fi
+done
+
+# Method 3: Scan all partitions with lsblk
+if command -v lsblk >/dev/null 2>&1; then
+    while read -r dev; do
+        if cryptsetup isLuks "$dev" 2>/dev/null; then
+            echo "$dev"
+            exit 0
+        fi
+    done < <(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1}')
+fi
+
+exit 1
+EOF
+chmod +x /usr/local/bin/find-luks-device.sh
+
 # Create encryption key management script
 cat > /usr/local/bin/manage-encryption-keys.sh <<'EOF'
 #!/bin/bash
@@ -201,13 +247,23 @@ case $choice in
             exit 1
         fi
 
-        echo "$existing_pass" | cryptsetup luksAddKey /dev/sda3 <<< "$new_pass"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        printf '%s\n' "$existing_pass" "$new_pass" | cryptsetup luksAddKey "$LUKS_DEV"
         echo "New passphrase added successfully"
         ;;
     2)
-        cryptsetup luksDump /dev/sda3 | grep "Key Slot"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot"
         read -p "Enter key slot to remove: " slot
-        cryptsetup luksKillSlot /dev/sda3 "$slot"
+        cryptsetup luksKillSlot "$LUKS_DEV" "$slot"
         echo "Key slot removed successfully"
         ;;
     3)
@@ -225,19 +281,37 @@ case $choice in
         fi
 
         # This is complex and requires careful handling
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
         echo "This operation requires manual intervention"
-        echo "Please use: cryptsetup luksChangeKey /dev/sda3"
+        echo "Please use: cryptsetup luksChangeKey $LUKS_DEV"
         ;;
     4)
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
         echo "Active key slots:"
-        cryptsetup luksDump /dev/sda3 | grep "Key Slot" | grep "ENABLED"
+        cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" | grep "ENABLED"
         ;;
     5)
         echo "Generating recovery key..."
         # Generate a strong random key
-        dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > /var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt
-        chmod 600 /var/backups/keys/recovery_key_*.txt
-        echo "Recovery key generated and stored in /var/backups/keys/"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        KEY_FILE="/var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt"
+        dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$KEY_FILE"
+        chmod 600 "$KEY_FILE"
+        echo "Recovery key generated: $KEY_FILE"
+        echo "To add this key to a LUKS slot:"
+        echo "  cryptsetup luksAddKey $LUKS_DEV $KEY_FILE"
         echo "WARNING: Store this key in a secure, offline location"
         ;;
     0)

config/hooks/installed/install-scripts.sh

@@ -218,7 +218,7 @@ EOF
 # Create WireGuard configuration directory
 mkdir -p /etc/wireguard
 
-# Add football to appropriate groups
-usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
+# Add football to appropriate groups (NOT sudo - access via sudoers.d only)
+usermod -a -G audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
 
 echo "Source scripts installed successfully."

config/hooks/installed/mount-hardening.sh

@@ -5,46 +5,35 @@ set -euo pipefail
 
 echo "Applying mount point hardening..."
 
-# Create fstab security entries for temporary filesystems
-# These are added via a systemd mount helper or tmpfiles.d
-# since fstab is managed by the installer for the main partitions
+FSTAB="/etc/fstab"
 
-# Harden /tmp via tmpfiles.d (systemd-tmpfiles)
-mkdir -p /etc/tmpfiles.d
+# Ensure fstab exists
+touch "$FSTAB"
 
-cat >/etc/tmpfiles.d/knel-mount-hardening.conf <<'EOF'
-# KNEL-Football Mount Hardening
-# Ensure /tmp is mounted with nodev, nosuid, noexec
-# This supplements the installer-created fstab
-d /tmp 1777 root root 0d
-EOF
-
-# Add security mount options to fstab if entries exist
-if [ -f /etc/fstab ]; then
-    # Harden /tmp if present
-    if grep -q '/tmp' /etc/fstab 2>/dev/null; then
-        sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
-    fi
-
-    # Harden /var/tmp if present
-    if grep -q '/var/tmp' /etc/fstab 2>/dev/null; then
-        sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
-    fi
-
-    # Harden /home if present
-    if grep -q '/home' /etc/fstab 2>/dev/null; then
-        sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' /etc/fstab 2>/dev/null || true
-    fi
-
-    # Harden /dev/shm if present
-    if grep -q '/dev/shm' /etc/fstab 2>/dev/null; then
-        sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
-    fi
+# Harden /tmp if present in fstab, otherwise add tmpfs entry
+if grep -q '/tmp' "$FSTAB" 2>/dev/null; then
+    sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
+else
+    echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> "$FSTAB"
 fi
 
-# If /tmp is NOT in fstab, add a tmpfs entry with hardening
-if ! grep -q '/tmp' /etc/fstab 2>/dev/null; then
-    echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> /etc/fstab
+# Harden /var/tmp if present, otherwise add tmpfs entry
+if grep -q '/var/tmp' "$FSTAB" 2>/dev/null; then
+    sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
+else
+    echo "tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB"
+fi
+
+# Harden /dev/shm if present, otherwise add tmpfs entry
+if grep -q '/dev/shm' "$FSTAB" 2>/dev/null; then
+    sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
+else
+    echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB"
+fi
+
+# Harden /home if it has its own partition
+if grep -q '/home' "$FSTAB" 2>/dev/null; then
+    sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' "$FSTAB" 2>/dev/null || true
 fi
 
 echo "Mount hardening completed."

config/hooks/live/firewall-setup.sh

@@ -25,8 +25,7 @@ table inet filter {
         udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
         udp sport 68 udp dport 67 accept comment "Accept DHCP requests"
 
-        # Accept ICMP ping
-        icmp type echo-request accept comment "Accept ping"
+        # Accept essential ICMP only
         icmp type destination-unreachable accept comment "Accept dest unreachable"
         icmp type time-exceeded accept comment "Accept time exceeded"
 
@@ -50,8 +49,9 @@ table inet filter {
         # Accept DHCP client requests (broadcast to find DHCP server)
         udp dport 67 accept comment "Allow DHCP client requests"
 
-        # Accept WireGuard UDP (any endpoint - config determines actual peer)
-        udp dport 51820-51830 accept comment "Allow WireGuard VPN"
+        # Accept WireGuard UDP (any endpoint - dynamic config determines actual peer)
+        # Once WireGuard is configured, firewall-setup.sh locks to specific endpoint
+        udp dport 51820 accept comment "Allow WireGuard VPN"
 
         # Accept DNS over WireGuard tunnel interface
         oifname "wg*" accept comment "Accept all traffic via VPN tunnel"

config/hooks/live/qr-code-import.sh

@@ -21,9 +21,10 @@ if ! ls /dev/video* >/dev/null 2>&1; then
     exit 1
 fi
 
-# Create temporary file for QR data
+# Create temporary file for QR data with restricted permissions
 qr_data=$(mktemp)
-trap "rm -f $qr_data" EXIT
+chmod 600 "$qr_data"
+trap "rm -f \"$qr_data\"" EXIT
 
 # Scan QR code
 echo "Scanning QR code..."

config/hooks/live/security-hardening.sh

@@ -11,15 +11,22 @@ cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
 blacklist cfg80211
 blacklist mac80211
 blacklist brcmfmac
+blacklist brcmsmac
+blacklist brcm80211
 blacklist iwlwifi
+blacklist iwlmvm
 blacklist ath9k
 blacklist ath9k_htc
 blacklist ath10k_pci
+blacklist ath10k_sdio
+blacklist ath11k_pci
+blacklist ath11k_ahb
 blacklist rtl8188ee
 blacklist rtl8192ce
 blacklist rtl8192se
 blacklist rtl8723ae
 blacklist rtl8821ae
+blacklist rtl8xxxu
 blacklist rt73usb
 blacklist rt2800usb
 blacklist rt2x00lib
@@ -27,6 +34,8 @@ blacklist rt2x00usb
 blacklist mwifiex
 blacklist mwifiex_pcie
 blacklist mwifiex_sdio
+blacklist r8188eu
+blacklist r8723bs
 EOF
 
 # Bluetooth module blacklist
@@ -57,22 +66,15 @@ Host *
     ConnectTimeout 30
     ServerAliveInterval 300
     ServerAliveCountMax 2
-    StrictHostKeyChecking ask
+    StrictHostKeyChecking yes
     UserKnownHostsFile ~/.ssh/known_hosts
 EOF
 
-# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
-cat >/etc/ssh/sshd_config <<'EOF'
-# SSH Server Hardening (defense-in-depth)
-# Reference: PRD FR-006 - Client-only system, sshd not installed
-Protocol 2
-PermitRootLogin no
-PermitEmptyPasswords no
-MaxAuthTries 3
-ClientAliveInterval 300
-ClientAliveCountMax 2
-X11Forwarding no
-EOF
+# SSH server is NOT installed per PRD FR-006
+# Ensure no sshd_config exists to prevent accidental activation
+rm -f /etc/ssh/sshd_config
+touch /etc/ssh/sshd_config.disabled
+echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled
 
 # Password policy - PRD FR-007, NIST SP 800-63B
 mkdir -p /etc/security

config/hooks/live/usb-automount.sh

@@ -23,20 +23,29 @@ DEVICE="/dev/${1}"
 DEVICE_NAME="${1}"
 MOUNT_BASE="/media/usb-${DEVICE_NAME}"
 
+# Validate device name to prevent injection
+if [[ ! "${DEVICE_NAME}" =~ ^[a-zA-Z0-9]+$ ]]; then
+    echo "Invalid device name" >&2
+    exit 1
+fi
+
 # Create mount point if it doesn't exist
 mkdir -p "${MOUNT_BASE}"
 
 # Determine filesystem type and mount with appropriate options
+# PRD FR-008: noexec,nosuid,nodev mandatory for USB security
 if blkid "${DEVICE}" | grep -q "TYPE=\"vfat\""; then
-    mount -t vfat -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
+    mount -t vfat -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
 elif blkid "${DEVICE}" | grep -q "TYPE=\"ntfs\""; then
-    mount -t ntfs-3g -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
+    mount -t ntfs-3g -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
 elif blkid "${DEVICE}" | grep -q "TYPE=\"ext4\""; then
-    mount -t ext4 -o rw "${DEVICE}" "${MOUNT_BASE}"
+    mount -t ext4 -o rw,noexec,nosuid,nodev "${DEVICE}" "${MOUNT_BASE}"
 else
-    mount -t auto -o rw,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
+    mount -t auto -o rw,noexec,nosuid,nodev,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
 fi
 
+# Audit log USB mount event
+logger -t usb-automount "USB device ${DEVICE} mounted at ${MOUNT_BASE} (noexec,nosuid,nodev)"
 echo "USB device ${DEVICE} mounted at ${MOUNT_BASE}"
 EOF
 

run.sh

@@ -697,8 +697,8 @@ uki_sign() {
         log_info "UKI signed successfully"
         return 0
     else
-        log_warn "UKI signed but verification uncertain"
-        return 0
+        log_error "UKI signature verification FAILED"
+        return 1
     fi
 }
 
@@ -840,7 +840,7 @@ sb_docker_build_uki() {
     local cmdline="${build_dir}/cmdline.txt"
     
     # Create cmdline
-    echo "quiet splash lockdown=confidentiality" > "$cmdline"
+    echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$cmdline"
     
     # Build UKI
     echo "[SecureBoot] Bundling kernel+initrd+cmdline..."
@@ -861,8 +861,8 @@ sb_docker_build_uki() {
         echo "[SecureBoot] UKI signed and verified: $uki_file"
         return 0
     else
-        echo "[SecureBoot] WARNING: UKI verification uncertain"
-        return 0
+        echo "[SecureBoot] ERROR: UKI signature verification FAILED"
+        return 1
     fi
 }
 
@@ -1055,8 +1055,11 @@ main() {
                 KNEL_BUILD_MODE="production"
                 log_info "Build mode: PRODUCTION (prompts for credentials during install)"
             fi
-            log_warn "Host FDE check: ${KNEL_BUILD_MODE} build on potentially unencrypted host"
-            log_warn "PRD FR-011 requires host FDE - proceeding with build anyway"
+            if ! check_host_fde; then
+                log_error "Host FDE check FAILED - cannot build on unencrypted host"
+                log_error "See PRD FR-011: Host FDE is MANDATORY"
+                exit 1
+            fi
             echo "Building KNEL-Football secure ISO..."
             echo "ALL operations run inside Docker container"
             echo "Timezone: America/Chicago"
@@ -1252,7 +1255,8 @@ echo "[SB] Verifying UKI signature..."
 if sbverify "$UKI_FILE" 2>&1 | grep -q "Signature verification"; then
     echo "[SB] UKI signature verified successfully"
 else
-    echo "[SB] WARNING: UKI signature verification uncertain"
+    echo "[SB] ERROR: UKI signature verification FAILED"
+    exit 1
 fi
 
 # Copy keys to ISO for installation enrollment

src/firewall-setup.sh

@@ -32,7 +32,10 @@ table inet filter {
     chain input {
         type filter hook input priority 0; policy drop
         iif lo accept comment "Accept loopback"
-        icmp type echo-request accept comment "Accept ping"
+        ct state established,related accept comment "Accept established/related"
+        udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
+        icmp type destination-unreachable accept
+        icmp type time-exceeded accept
     }
     
     chain forward {
@@ -42,8 +45,11 @@ table inet filter {
     chain output {
         type filter hook output priority 0; policy drop
         oif lo accept comment "Accept loopback"
+        ct state established,related accept comment "Accept established/related"
+        udp dport 67 accept comment "Allow DHCP client requests"
         udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
-        icmp type echo-request accept comment "Allow ping"
+        oifname "wg*" accept comment "Allow VPN tunnel traffic"
+        icmp type destination-unreachable accept
     }
 }
 EOF

src/security-hardening.sh

@@ -77,7 +77,7 @@ Host *
     ServerAliveCountMax 2
     
     # Strict host key checking
-    StrictHostKeyChecking ask
+    StrictHostKeyChecking yes
     UserKnownHostsFile ~/.ssh/known_hosts
 EOF
 
@@ -327,12 +327,26 @@ EOF
 apply_security_hardening() {
   echo "Applying security hardening..."
 
-  create_wifi_blacklist "${1:-}"
-  create_bluetooth_blacklist "${1:-}"
-  configure_ssh "${1:-}"
-  configure_password_policy "${1:-}"
-  configure_system_limits "${1:-}"
-  configure_audit_rules "${1:-}"
+  local output_dir="${1:-}"
+  if [[ -n "$output_dir" && "$output_dir" != "" ]]; then
+    mkdir -p "$output_dir"
+    create_wifi_blacklist "${output_dir}/blacklist-wifi.conf"
+    create_bluetooth_blacklist "${output_dir}/blacklist-bluetooth.conf"
+    configure_ssh_client "${output_dir}/ssh_config"
+    configure_password_policy "${output_dir}/pwquality.conf"
+    configure_system_limits "${output_dir}/security-limits.conf"
+    configure_fim "${output_dir}/aide.conf"
+    configure_audit_rules "${output_dir}/audit.rules"
+  else
+    create_wifi_blacklist
+    create_bluetooth_blacklist
+    configure_ssh_client
+    configure_password_policy
+    configure_system_limits
+    configure_fim
+    initialize_fim
+    configure_audit_rules
+  fi
 
   echo "Security hardening completed."
   echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation"

tests/unit/firewall-setup_comprehensive_test.bats

@@ -91,10 +91,11 @@ EOF
     echo "$result" | grep -q "51820"
 }
 
-@test "Firewall allows ICMP ping" {
+@test "Firewall blocks outbound ICMP ping (reduced attack surface)" {
     source /workspace/src/firewall-setup.sh
     result=$(generate_nftables_rules "203.0.113.1:51820")
-    echo "$result" | grep -q "echo-request"
+    echo "$result" | grep -q "destination-unreachable"
+    ! echo "$result" | grep -q "echo-request accept"
 }
 
 @test "generate_nftables_rules extracts IP and port correctly" {

tests/unit/firewall_test.bats

@@ -77,8 +77,9 @@
     grep -q "oif lo accept" /workspace/src/firewall-setup.sh
 }
 
-@test "firewall-setup.sh accepts ICMP ping" {
-    grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh
+@test "firewall-setup.sh blocks ICMP ping (security hardening)" {
+    ! grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh
+    grep -q "destination-unreachable" /workspace/src/firewall-setup.sh
 }
 
 @test "firewall-setup.sh allows WireGuard traffic" {

tests/unit/security-hardening_comprehensive_test.bats

@@ -94,7 +94,7 @@ teardown() {
 @test "SSH client enables strict host key checking" {
     source /workspace/src/security-hardening.sh
     configure_ssh_client "$TEST_TMPDIR/ssh_config"
-    grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config"
+    grep -q "StrictHostKeyChecking yes" "$TEST_TMPDIR/ssh_config"
 }
 
 # =============================================================================