fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:08:54 -05:00
parent e80725005f
commit 2b422cf62c
13 changed files with 199 additions and 98 deletions
--- a/tests/unit/firewall-setup_comprehensive_test.bats
+++ b/tests/unit/firewall-setup_comprehensive_test.bats
@@ -91,10 +91,11 @@ EOF
    echo "$result" | grep -q "51820"
 }

-@test "Firewall allows ICMP ping" {
+@test "Firewall blocks outbound ICMP ping (reduced attack surface)" {
    source /workspace/src/firewall-setup.sh
    result=$(generate_nftables_rules "203.0.113.1:51820")
-    echo "$result" | grep -q "echo-request"
+    echo "$result" | grep -q "destination-unreachable"
+    ! echo "$result" | grep -q "echo-request accept"
 }

@test "generate_nftables_rules extracts IP and port correctly" {
--- a/tests/unit/firewall_test.bats
+++ b/tests/unit/firewall_test.bats
@@ -77,8 +77,9 @@
    grep -q "oif lo accept" /workspace/src/firewall-setup.sh
 }

-@test "firewall-setup.sh accepts ICMP ping" {
-    grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh
+@test "firewall-setup.sh blocks ICMP ping (security hardening)" {
+    ! grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh
+    grep -q "destination-unreachable" /workspace/src/firewall-setup.sh
 }

@test "firewall-setup.sh allows WireGuard traffic" {
--- a/tests/unit/security-hardening_comprehensive_test.bats
+++ b/tests/unit/security-hardening_comprehensive_test.bats
@@ -94,7 +94,7 @@ teardown() {
@test "SSH client enables strict host key checking" {
    source /workspace/src/security-hardening.sh
    configure_ssh_client "$TEST_TMPDIR/ssh_config"
-    grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config"
+    grep -q "StrictHostKeyChecking yes" "$TEST_TMPDIR/ssh_config"
 }

 # =============================================================================