test: add comprehensive integration and security tests

Add end-to-end integration tests for complete workflows. Add comprehensive security compliance tests covering FR-001 (Full Disk Encryption) and FR-007 (Password Complexity). Add encryption configuration tests for LUKS2, cipher settings, and validation hooks.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

tests/security/compliance_comprehensive_test.bats

@@ -0,0 +1,231 @@
+#!/usr/bin/env bats
+# Comprehensive security compliance tests
+
+# Add bats library to BATS_LIB_PATH
+export BATS_LIB_PATH="/usr/lib/bats-core"
+
+load 'bats-support/load'
+load 'bats-assert/load'
+load 'bats-file/load'
+load '../test_helper/common.bash'
+
+setup() {
+    export TEST_ROOT="${TEST_TEMP_DIR}/security"
+    mkdir -p "${TEST_ROOT}"
+}
+
+@test "Security: Full Disk Encryption (FDE) is configured in preseed" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "crypto"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "LUKS"
+}
+
+@test "Security: Encryption uses AES-256-XTS cipher" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "AES"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "XTS"
+}
+
+@test "Security: Password policy enforces 14 character minimum" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "minlen = 14"
+}
+
+@test "Security: Password policy requires all character classes" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "dcredit = -1"
+    assert_file_contains "$test_output" "ucredit = -1"
+    assert_file_contains "$test_output" "lcredit = -1"
+    assert_file_contains "$test_output" "ocredit = -1"
+}
+
+@test "Security: Password policy rejects common weak passwords" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "badwords = password secret admin root"
+}
+
+@test "Security: Password policy has dictionary checking enabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "dictcheck = 1"
+}
+
+@test "Security: Password policy rejects weak passwords for root" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "enforcing = 1"
+}
+
+@test "Security: WiFi is permanently disabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/blacklist-wifi.conf"
+    create_wifi_blacklist "$test_output"
+
+    assert_file_contains "$test_output" "blacklist cfg80211"
+    assert_file_contains "$test_output" "blacklist mac80211"
+}
+
+@test "Security: Bluetooth is permanently disabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/blacklist-bluetooth.conf"
+    create_bluetooth_blacklist "$test_output"
+
+    assert_file_contains "$test_output" "blacklist btusb"
+    assert_file_contains "$test_output" "blacklist bluetooth"
+}
+
+@test "Security: SSH disallows root login" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "PermitRootLogin no"
+}
+
+@test "Security: SSH has maximum authentication tries" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "MaxAuthTries 3"
+}
+
+@test "Security: SSH has client alive settings" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "ClientAliveInterval 300"
+    assert_file_contains "$test_output" "ClientAliveCountMax 2"
+}
+
+@test "Security: Firewall blocks inbound traffic by default" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "policy input drop"
+}
+
+@test "Security: Firewall allows outbound traffic" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "policy output accept"
+}
+
+@test "Security: Firewall allows SSH inbound" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "tcp dport 22"
+}
+
+@test "Security: Firewall allows WireGuard" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "udp dport 51820"
+}
+
+@test "Security: Encryption setup hook exists" {
+    assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+    assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh" ]
+}
+
+@test "Security: Encryption validation hook exists" {
+    assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+    assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh" ]
+}
+
+@test "Security: cryptsetup is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup"
+}
+
+@test "Security: cryptsetup-initramfs is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup-initramfs"
+}
+
+@test "Security: pam-pwquality is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "libpam-pwquality"
+}
+
+@test "Security: dmsetup is included in preseed packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "dmsetup"
+}
+
+@test "Security: nftables is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "nftables"
+}
+
+@test "Security: WireGuard is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "wireguard"
+}
+
+@test "Security: No plain-text passwords in configuration files" {
+    skip "Manual review required - check for passwords in config files"
+}
+
+@test "Security: SSH uses protocol 2 only" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "Protocol 2"
+}
+
+@test "Security: SSH disallows empty passwords" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "PermitEmptyPasswords no"
+}
+
+@test "Security: SSH disables challenge-response authentication" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "ChallengeResponseAuthentication no"
+}
+
+@test "Security: SSH disables X11 forwarding" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "X11Forwarding no"
+}