fix: resolve critical build bugs and add missing PRD requirements
Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
reachableceo
@@ -1,176 +1,126 @@
|
||||
#!/usr/bin/env bats
|
||||
# Comprehensive unit tests for firewall-setup.sh (100% coverage)
|
||||
# Behavioral tests for firewall-setup.sh
|
||||
# Reference: PRD FR-004
|
||||
|
||||
# Test parse_wg_endpoint function exists
|
||||
@test "parse_wg_endpoint function is defined" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
declare -f parse_wg_endpoint
|
||||
setup() {
|
||||
export TEST_TMPDIR=$(mktemp -d)
|
||||
}
|
||||
|
||||
@test "parse_wg_endpoint accepts optional config parameter" {
|
||||
grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
|
||||
teardown() {
|
||||
rm -rf "$TEST_TMPDIR"
|
||||
}
|
||||
|
||||
@test "parse_wg_endpoint checks for WireGuard config file" {
|
||||
grep -q '\[\[ ! -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
|
||||
# =============================================================================
|
||||
# parse_wg_endpoint - PRD FR-004
|
||||
# =============================================================================
|
||||
|
||||
@test "parse_wg_endpoint extracts endpoint from valid config" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
cat >"$TEST_TMPDIR/wg0.conf" <<'EOF'
|
||||
[Interface]
|
||||
PrivateKey = test123
|
||||
Address = 10.0.0.2/24
|
||||
|
||||
[Peer]
|
||||
PublicKey = peer123
|
||||
Endpoint = 203.0.113.1:51820
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
EOF
|
||||
run parse_wg_endpoint "$TEST_TMPDIR/wg0.conf"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" = "203.0.113.1:51820" ]
|
||||
}
|
||||
|
||||
@test "parse_wg_endpoint returns error when config not found" {
|
||||
grep -q 'return 1' /workspace/src/firewall-setup.sh
|
||||
@test "parse_wg_endpoint fails when config missing" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
run parse_wg_endpoint "$TEST_TMPDIR/nonexistent.conf"
|
||||
[ "$status" -ne 0 ]
|
||||
}
|
||||
|
||||
@test "parse_wg_endpoint parses endpoint from config" {
|
||||
grep -q 'grep -oP.*Endpoint.*' /workspace/src/firewall-setup.sh
|
||||
@test "parse_wg_endpoint fails when no Endpoint line" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
cat >"$TEST_TMPDIR/wg0.conf" <<'EOF'
|
||||
[Interface]
|
||||
PrivateKey = test123
|
||||
EOF
|
||||
run parse_wg_endpoint "$TEST_TMPDIR/wg0.conf"
|
||||
[ "$status" -ne 0 ]
|
||||
}
|
||||
|
||||
@test "parse_wg_endpoint returns error on parse failure" {
|
||||
grep -q 'Could not parse endpoint' /workspace/src/firewall-setup.sh
|
||||
# =============================================================================
|
||||
# generate_nftables_rules - PRD FR-004
|
||||
# =============================================================================
|
||||
|
||||
@test "generate_nftables_rules produces valid nftables config" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
run generate_nftables_rules "203.0.113.1:51820"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output" | grep -q "flush ruleset"
|
||||
echo "$output" | grep -q "table inet filter"
|
||||
}
|
||||
|
||||
# Test generate_nftables_rules function exists
|
||||
@test "generate_nftables_rules function is defined" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
declare -f generate_nftables_rules
|
||||
@test "Firewall input chain has DROP policy" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "type filter hook input priority 0; policy drop"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules accepts endpoint parameter" {
|
||||
grep -q 'endpoint="$1"' /workspace/src/firewall-setup.sh
|
||||
@test "Firewall forward chain has DROP policy" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "type filter hook forward priority 0; policy drop"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules parses IP from endpoint" {
|
||||
grep -q 'local ip=' /workspace/src/firewall-setup.sh
|
||||
@test "Firewall output chain has DROP policy" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "type filter hook output priority 0; policy drop"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules parses port from endpoint" {
|
||||
grep -q 'local port=' /workspace/src/firewall-setup.sh
|
||||
@test "Firewall allows loopback traffic" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "iif lo accept"
|
||||
echo "$result" | grep -q "oif lo accept"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules generates nftables config" {
|
||||
grep -q 'cat <<EOF' /workspace/src/firewall-setup.sh
|
||||
@test "Firewall allows WireGuard traffic to specific endpoint" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "203.0.113.1"
|
||||
echo "$result" | grep -q "51820"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules flushes ruleset" {
|
||||
grep -q 'flush ruleset' /workspace/src/firewall-setup.sh
|
||||
@test "Firewall allows ICMP ping" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "203.0.113.1:51820")
|
||||
echo "$result" | grep -q "echo-request"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules defines input chain" {
|
||||
grep -q 'chain input' /workspace/src/firewall-setup.sh
|
||||
@test "generate_nftables_rules extracts IP and port correctly" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
result=$(generate_nftables_rules "10.20.30.40:12345")
|
||||
echo "$result" | grep -q "10.20.30.40"
|
||||
echo "$result" | grep -q "12345"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules sets input policy to drop" {
|
||||
grep -q 'policy drop' /workspace/src/firewall-setup.sh
|
||||
# =============================================================================
|
||||
# Script Structure
|
||||
# =============================================================================
|
||||
|
||||
@test "firewall-setup.sh uses strict mode" {
|
||||
head -5 /workspace/src/firewall-setup.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules accepts loopback traffic" {
|
||||
grep -q 'iif lo accept' /workspace/src/firewall-setup.sh
|
||||
@test "firewall-setup.sh is executable" {
|
||||
[ -x "/workspace/src/firewall-setup.sh" ]
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules accepts ping" {
|
||||
grep -q 'icmp type echo-request accept' /workspace/src/firewall-setup.sh
|
||||
@test "firewall-setup.sh has valid bash syntax" {
|
||||
run bash -n /workspace/src/firewall-setup.sh
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules defines forward chain" {
|
||||
grep -q 'chain forward' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules defines output chain" {
|
||||
grep -q 'chain output' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules accepts WireGuard traffic" {
|
||||
grep -q 'udp dport.*ip daddr.*accept' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "generate_nftables_rules uses inet filter table" {
|
||||
grep -q 'table inet filter' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
# Test apply_firewall function exists
|
||||
@test "apply_firewall function is defined" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
declare -f apply_firewall
|
||||
}
|
||||
|
||||
@test "apply_firewall accepts optional config parameter" {
|
||||
grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall checks for WireGuard config" {
|
||||
grep -q '\[\[ -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall calls parse_wg_endpoint" {
|
||||
grep -q 'parse_wg_endpoint' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall generates rules when endpoint found" {
|
||||
grep -q 'generate_nftables_rules' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall writes nftables config" {
|
||||
grep -q '>/etc/nftables.conf' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall enables nftables service" {
|
||||
grep -q 'systemctl enable nftables' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall restarts nftables service" {
|
||||
grep -q 'systemctl restart nftables' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall handles missing config" {
|
||||
grep -q 'Warning: WireGuard config not found' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "apply_firewall handles parse failure" {
|
||||
grep -q 'Warning: Could not parse WireGuard endpoint' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
# Test main function exists
|
||||
@test "main function is defined" {
|
||||
source /workspace/src/firewall-setup.sh
|
||||
declare -f main
|
||||
}
|
||||
|
||||
@test "main calls apply_firewall" {
|
||||
grep -q 'apply_firewall' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "main outputs setup messages" {
|
||||
grep -q 'Setting up' /workspace/src/firewall-setup.sh
|
||||
grep -q 'completed' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
# Test script behavior
|
||||
@test "script uses set -euo pipefail" {
|
||||
grep -q "set -euo pipefail" /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "script is executable" {
|
||||
[ -x "/workspace/src/firewall-setup.sh" ]
|
||||
}
|
||||
|
||||
@test "script has proper shebang" {
|
||||
head -n1 /workspace/src/firewall-setup.sh | grep -q "#!/bin/bash"
|
||||
}
|
||||
|
||||
@test "script has comments explaining functions" {
|
||||
grep -q "# Function to" /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "script checks if executed directly" {
|
||||
grep -q 'BASH_SOURCE' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "script calls main only when executed directly" {
|
||||
grep -q '== "${0}"' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "script has proper error messages" {
|
||||
grep -q "Error:" /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "script has proper warning messages" {
|
||||
grep -q "Warning:" /workspace/src/firewall-setup.sh
|
||||
@test "firewall-setup.sh runs main when executed directly" {
|
||||
grep -q 'BASH_SOURCE\[0\]' /workspace/src/firewall-setup.sh
|
||||
}
|
||||
|
||||
230
tests/unit/new-hooks_test.bats
Normal file
230
tests/unit/new-hooks_test.bats
Normal file
@@ -0,0 +1,230 @@
|
||||
#!/usr/bin/env bats
|
||||
# Behavioral tests for new PRD hooks
|
||||
# Reference: PRD FR-005, FR-007
|
||||
|
||||
setup() {
|
||||
export TEST_TMPDIR=$(mktemp -d)
|
||||
}
|
||||
|
||||
teardown() {
|
||||
rm -rf "$TEST_TMPDIR"
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# kernel-hardening.sh - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "kernel-hardening.sh hook exists and is executable" {
|
||||
[ -f "/workspace/config/hooks/live/kernel-hardening.sh" ]
|
||||
[ -x "/workspace/config/hooks/live/kernel-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "kernel-hardening.sh uses strict mode" {
|
||||
head -5 /workspace/config/hooks/live/kernel-hardening.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "Kernel hardening enables ASLR" {
|
||||
grep -q "randomize_va_space = 2" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening restricts ptrace scope" {
|
||||
grep -q "ptrace_scope = 2" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening restricts kernel pointers" {
|
||||
grep -q "kptr_restrict = 2" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening restricts dmesg" {
|
||||
grep -q "dmesg_restrict = 1" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening disables kexec" {
|
||||
grep -q "kexec_load = 0" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening disables SUID core dumps" {
|
||||
grep -q "suid_dumpable = 0" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening protects hardlinks and symlinks" {
|
||||
grep -q "protected_hardlinks = 1" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
grep -q "protected_symlinks = 1" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening disables IPv4 redirects" {
|
||||
grep -q "send_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
grep -q "accept_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening enables SYN cookies" {
|
||||
grep -q "tcp_syncookies = 1" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening enables reverse path filtering" {
|
||||
grep -q "rp_filter = 1" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening disables IPv6 redirects" {
|
||||
grep -q "ipv6.*accept_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
@test "Kernel hardening config installs to sysctl.d" {
|
||||
grep -q "/etc/sysctl.d" /workspace/config/hooks/live/kernel-hardening.sh
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# service-hardening.sh - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "service-hardening.sh hook exists and is executable" {
|
||||
[ -f "/workspace/config/hooks/live/service-hardening.sh" ]
|
||||
[ -x "/workspace/config/hooks/live/service-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "service-hardening.sh uses strict mode" {
|
||||
head -5 /workspace/config/hooks/live/service-hardening.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "Service hardening disables avahi-daemon" {
|
||||
grep -q "avahi-daemon" /workspace/config/hooks/live/service-hardening.sh
|
||||
}
|
||||
|
||||
@test "Service hardening disables cups" {
|
||||
grep -q "cups" /workspace/config/hooks/live/service-hardening.sh
|
||||
}
|
||||
|
||||
@test "Service hardening disables bluetooth service" {
|
||||
grep -q "bluetooth" /workspace/config/hooks/live/service-hardening.sh
|
||||
}
|
||||
|
||||
@test "Service hardening disables NetworkManager" {
|
||||
grep -q "NetworkManager" /workspace/config/hooks/live/service-hardening.sh
|
||||
}
|
||||
|
||||
@test "Service hardening masks services to prevent re-enabling" {
|
||||
grep -q "systemctl mask" /workspace/config/hooks/live/service-hardening.sh
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# sudo-hardening.sh - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "sudo-hardening.sh hook exists and is executable" {
|
||||
[ -f "/workspace/config/hooks/live/sudo-hardening.sh" ]
|
||||
[ -x "/workspace/config/hooks/live/sudo-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "sudo-hardening.sh uses strict mode" {
|
||||
head -5 /workspace/config/hooks/live/sudo-hardening.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "Sudo hardening requires TTY" {
|
||||
grep -q "requiretty" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
@test "Sudo hardening configures logging" {
|
||||
grep -q "logfile" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
grep -q "log_input" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
grep -q "log_output" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
@test "Sudo hardening sets timestamp timeout" {
|
||||
grep -q "timestamp_timeout" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
@test "Sudo hardening resets environment" {
|
||||
grep -q "env_reset" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
@test "Sudo hardening restricts football user to specific commands" {
|
||||
grep -q "football" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
grep -q "apply-vpn-config.sh" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
@test "Sudo hardening sets correct permissions (440)" {
|
||||
grep -q "chmod 440" /workspace/config/hooks/live/sudo-hardening.sh
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# mount-hardening.sh - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "mount-hardening.sh hook exists and is executable" {
|
||||
[ -f "/workspace/config/hooks/installed/mount-hardening.sh" ]
|
||||
[ -x "/workspace/config/hooks/installed/mount-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "mount-hardening.sh uses strict mode" {
|
||||
head -5 /workspace/config/hooks/installed/mount-hardening.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "Mount hardening adds nodev to /tmp" {
|
||||
grep -q "nodev" /workspace/config/hooks/installed/mount-hardening.sh
|
||||
}
|
||||
|
||||
@test "Mount hardening adds nosuid to /tmp" {
|
||||
grep -q "nosuid" /workspace/config/hooks/installed/mount-hardening.sh
|
||||
}
|
||||
|
||||
@test "Mount hardening adds noexec to /tmp" {
|
||||
grep -q "noexec" /workspace/config/hooks/installed/mount-hardening.sh
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# Live hook self-containment (BUG FIX VERIFICATION)
|
||||
# =============================================================================
|
||||
|
||||
@test "security-hardening.sh live hook is self-contained (no source from /build)" {
|
||||
! grep -q "source /build/" /workspace/config/hooks/live/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "firewall-setup.sh live hook is self-contained (no source from /build)" {
|
||||
! grep -q "source /build/" /workspace/config/hooks/live/firewall-setup.sh
|
||||
}
|
||||
|
||||
@test "install-scripts.sh does not reference /workspace/src/" {
|
||||
! grep -q "/workspace/src/" /workspace/config/hooks/installed/install-scripts.sh
|
||||
}
|
||||
|
||||
@test "install-scripts.sh embeds firewall-setup.sh inline" {
|
||||
grep -q "parse_wg_endpoint" /workspace/config/hooks/installed/install-scripts.sh
|
||||
grep -q "generate_nftables_rules" /workspace/config/hooks/installed/install-scripts.sh
|
||||
}
|
||||
|
||||
# =============================================================================
|
||||
# WiFi blacklist completeness (BUG FIX VERIFICATION)
|
||||
# =============================================================================
|
||||
|
||||
@test "WiFi blacklist covers rtl* family (PRD FR-005)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
tmpfile=$(mktemp)
|
||||
create_wifi_blacklist "$tmpfile"
|
||||
grep -q "rtl8" "$tmpfile"
|
||||
rm -f "$tmpfile"
|
||||
}
|
||||
|
||||
@test "WiFi blacklist covers mwifi* family (PRD FR-005)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
tmpfile=$(mktemp)
|
||||
create_wifi_blacklist "$tmpfile"
|
||||
grep -q "mwifiex" "$tmpfile"
|
||||
rm -f "$tmpfile"
|
||||
}
|
||||
|
||||
@test "WiFi blacklist covers rt2* family (PRD FR-005)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
tmpfile=$(mktemp)
|
||||
create_wifi_blacklist "$tmpfile"
|
||||
grep -q "rt2x00" "$tmpfile"
|
||||
rm -f "$tmpfile"
|
||||
}
|
||||
|
||||
@test "WiFi blacklist covers ath* family (PRD FR-005)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
tmpfile=$(mktemp)
|
||||
create_wifi_blacklist "$tmpfile"
|
||||
grep -q "ath9k" "$tmpfile"
|
||||
grep -q "ath10k" "$tmpfile"
|
||||
rm -f "$tmpfile"
|
||||
}
|
||||
@@ -1,348 +1,226 @@
|
||||
#!/usr/bin/env bats
|
||||
# Comprehensive unit tests for security-hardening.sh (100% coverage)
|
||||
# Behavioral tests for security-hardening.sh functions
|
||||
# Reference: PRD FR-005, FR-006, FR-007
|
||||
|
||||
# Test create_wifi_blacklist function exists
|
||||
@test "create_wifi_blacklist function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f create_wifi_blacklist
|
||||
setup() {
|
||||
export TEST_TMPDIR=$(mktemp -d)
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
teardown() {
|
||||
rm -rf "$TEST_TMPDIR"
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist creates modprobe.d file" {
|
||||
grep -q '/etc/modprobe.d/blacklist-wifi.conf' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# WiFi Blacklist - PRD FR-005
|
||||
# =============================================================================
|
||||
|
||||
@test "create_wifi_blacklist generates file with correct content" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
[ -f "$TEST_TMPDIR/blacklist-wifi.conf" ]
|
||||
grep -q "blacklist cfg80211" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "blacklist mac80211" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "blacklist iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "blacklist brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists cfg80211" {
|
||||
grep -q 'blacklist cfg80211' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists mac80211" {
|
||||
grep -q 'blacklist mac80211' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists brcmfmac" {
|
||||
grep -q 'blacklist brcmfmac' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists iwlwifi" {
|
||||
grep -q 'blacklist iwlwifi' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists ath9k" {
|
||||
grep -q 'blacklist ath9k' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist blacklists rt73usb" {
|
||||
grep -q 'blacklist rt73usb' /workspace/src/security-hardening.sh
|
||||
@test "WiFi blacklist includes PRD-specified driver families" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "rtl8" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "ath9k" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "mwifiex" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
grep -q "rt2x00" "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
}
|
||||
|
||||
@test "create_wifi_blacklist outputs completion message" {
|
||||
grep -q 'created at' /workspace/src/security-hardening.sh
|
||||
source /workspace/src/security-hardening.sh
|
||||
run create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" == *"created at"* ]]
|
||||
}
|
||||
|
||||
# Test create_bluetooth_blacklist function exists
|
||||
@test "create_bluetooth_blacklist function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f create_bluetooth_blacklist
|
||||
# =============================================================================
|
||||
# Bluetooth Blacklist - PRD FR-005
|
||||
# =============================================================================
|
||||
|
||||
@test "create_bluetooth_blacklist generates file with correct content" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
[ -f "$TEST_TMPDIR/blacklist-bt.conf" ]
|
||||
grep -q "blacklist btusb" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist bluetooth" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist btrtl" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist btintel" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist btbcm" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
@test "Bluetooth blacklist includes additional modules (bnep, rfcomm, hidp)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist bnep" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist rfcomm" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
grep -q "blacklist hidp" "$TEST_TMPDIR/blacklist-bt.conf"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist creates modprobe.d file" {
|
||||
grep -q '/etc/modprobe.d/blacklist-bluetooth.conf' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# SSH Client Config - PRD FR-006
|
||||
# =============================================================================
|
||||
|
||||
@test "configure_ssh_client generates correct ssh_config" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_ssh_client "$TEST_TMPDIR/ssh_config"
|
||||
[ -f "$TEST_TMPDIR/ssh_config" ]
|
||||
grep -q "PasswordAuthentication no" "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "PubkeyAuthentication yes" "$TEST_TMPDIR/ssh_config"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist blacklists btusb" {
|
||||
grep -q 'blacklist btusb' /workspace/src/security-hardening.sh
|
||||
@test "SSH client uses modern key exchange algorithms" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_ssh_client "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "KexAlgorithms" "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "curve25519-sha256" "$TEST_TMPDIR/ssh_config"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist blacklists bluetooth" {
|
||||
grep -q 'blacklist bluetooth' /workspace/src/security-hardening.sh
|
||||
@test "SSH client uses modern ciphers" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_ssh_client "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "Ciphers" "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "chacha20-poly1305" "$TEST_TMPDIR/ssh_config"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist blacklists btrtl" {
|
||||
grep -q 'blacklist btrtl' /workspace/src/security-hardening.sh
|
||||
@test "SSH client enables strict host key checking" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_ssh_client "$TEST_TMPDIR/ssh_config"
|
||||
grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist blacklists btintel" {
|
||||
grep -q 'blacklist btintel' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# Password Policy - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "configure_password_policy generates correct pwquality.conf" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
|
||||
[ -f "$TEST_TMPDIR/pwquality.conf" ]
|
||||
grep -q "minlen = 14" "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "dcredit = -1" "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "ucredit = -1" "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "lcredit = -1" "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "ocredit = -1" "$TEST_TMPDIR/pwquality.conf"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist blacklists btbcm" {
|
||||
grep -q 'blacklist btbcm' /workspace/src/security-hardening.sh
|
||||
@test "Password policy requires 3 of 4 character classes" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "minclass = 3" "$TEST_TMPDIR/pwquality.conf"
|
||||
}
|
||||
|
||||
@test "create_bluetooth_blacklist outputs completion message" {
|
||||
grep -q 'created at' /workspace/src/security-hardening.sh
|
||||
@test "Password policy enforces complexity (enforcing=1)" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "enforcing = 1" "$TEST_TMPDIR/pwquality.conf"
|
||||
}
|
||||
|
||||
# Test configure_ssh function exists
|
||||
@test "configure_ssh function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f configure_ssh
|
||||
@test "Password policy rejects common bad words" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
|
||||
grep -q "badwords" "$TEST_TMPDIR/pwquality.conf"
|
||||
}
|
||||
|
||||
@test "configure_ssh accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# FIM (AIDE) - CIS 1.4
|
||||
# =============================================================================
|
||||
|
||||
@test "configure_fim generates valid AIDE config" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
|
||||
[ -f "$TEST_TMPDIR/aide.conf" ]
|
||||
grep -q "SECURITY = " "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "/etc SECURITY" "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "/boot SECURITY" "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "/usr SECURITY" "$TEST_TMPDIR/aide.conf"
|
||||
}
|
||||
|
||||
@test "configure_ssh creates sshd_config file" {
|
||||
grep -q '/etc/ssh/sshd_config' /workspace/src/security-hardening.sh
|
||||
@test "FIM config excludes volatile paths" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
|
||||
grep -q "!/proc" "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "!/sys" "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "!/dev" "$TEST_TMPDIR/aide.conf"
|
||||
grep -q "!/tmp" "$TEST_TMPDIR/aide.conf"
|
||||
}
|
||||
|
||||
@test "configure_ssh sets Protocol to 2" {
|
||||
grep -q 'Protocol 2' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh disables root login" {
|
||||
grep -q 'PermitRootLogin no' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh disables empty passwords" {
|
||||
grep -q 'PermitEmptyPasswords no' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh sets MaxAuthTries to 3" {
|
||||
grep -q 'MaxAuthTries 3' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh sets ClientAliveInterval to 300" {
|
||||
grep -q 'ClientAliveInterval 300' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh sets ClientAliveCountMax to 2" {
|
||||
grep -q 'ClientAliveCountMax 2' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh disables X11 forwarding" {
|
||||
grep -q 'X11Forwarding no' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_ssh outputs completion message" {
|
||||
grep -q 'created at' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
# Test configure_password_policy function exists
|
||||
@test "configure_password_policy function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f configure_password_policy
|
||||
}
|
||||
|
||||
@test "configure_password_policy accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy creates pwquality.conf file" {
|
||||
grep -q '/etc/security/pwquality.conf' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy sets minlen to 14" {
|
||||
grep -q 'minlen = 14' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy requires 1 digit" {
|
||||
grep -q 'dcredit = -1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy requires 1 uppercase" {
|
||||
grep -q 'ucredit = -1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy requires 1 lowercase" {
|
||||
grep -q 'lcredit = -1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy requires 1 special char" {
|
||||
grep -q 'ocredit = -1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy enforces minimum requirements" {
|
||||
grep -q 'enforcing = 1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy checks dictionary" {
|
||||
grep -q 'dictcheck = 1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy checks username" {
|
||||
grep -q 'usercheck = 1' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy sets maxrepeat to 2" {
|
||||
grep -q 'maxrepeat = 2' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy sets maxsequence to 2" {
|
||||
grep -q 'maxsequence = 2' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy sets minclass to 3" {
|
||||
grep -q 'minclass = 3' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy has security comments" {
|
||||
grep -q 'NIST SP 800-63B' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_password_policy outputs completion message" {
|
||||
grep -q 'configured at' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
# Test configure_system_limits function exists
|
||||
@test "configure_system_limits function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f configure_system_limits
|
||||
}
|
||||
|
||||
@test "configure_system_limits accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_system_limits creates limits file" {
|
||||
grep -q '/etc/security/limits.d/security.conf' /workspace/src/security-hardening.sh
|
||||
}
|
||||
# =============================================================================
|
||||
# System Limits - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "configure_system_limits disables core dumps" {
|
||||
grep -q 'hard core 0' /workspace/src/security-hardening.sh
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_system_limits "$TEST_TMPDIR/limits.conf"
|
||||
[ -f "$TEST_TMPDIR/limits.conf" ]
|
||||
grep -q "hard core 0" "$TEST_TMPDIR/limits.conf"
|
||||
}
|
||||
|
||||
@test "configure_system_limits sets nproc limits" {
|
||||
grep -q 'nproc' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# Audit Rules - CIS 6.2, FedRAMP AU-2
|
||||
# =============================================================================
|
||||
|
||||
@test "configure_audit_rules generates comprehensive audit config" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_audit_rules "$TEST_TMPDIR/audit.rules"
|
||||
[ -f "$TEST_TMPDIR/audit.rules" ]
|
||||
grep -q "/etc/passwd" "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "/etc/shadow" "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "/etc/sudoers" "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "/etc/wireguard/" "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "init_module" "$TEST_TMPDIR/audit.rules"
|
||||
}
|
||||
|
||||
@test "configure_system_limits outputs completion message" {
|
||||
grep -q 'configured at' /workspace/src/security-hardening.sh
|
||||
@test "Audit rules monitor privilege escalation" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_audit_rules "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "privilege_escalation" "$TEST_TMPDIR/audit.rules"
|
||||
}
|
||||
|
||||
# Test configure_audit_rules function exists
|
||||
@test "configure_audit_rules function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f configure_audit_rules
|
||||
@test "Audit rules monitor network configuration" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
configure_audit_rules "$TEST_TMPDIR/audit.rules"
|
||||
grep -q "network_config" "$TEST_TMPDIR/audit.rules"
|
||||
}
|
||||
|
||||
@test "configure_audit_rules accepts optional output parameter" {
|
||||
grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# apply_security_hardening - PRD FR-007
|
||||
# =============================================================================
|
||||
|
||||
@test "apply_security_hardening calls all config functions" {
|
||||
grep -q "create_wifi_blacklist" /workspace/src/security-hardening.sh
|
||||
grep -q "create_bluetooth_blacklist" /workspace/src/security-hardening.sh
|
||||
grep -q "configure_ssh" /workspace/src/security-hardening.sh
|
||||
grep -q "configure_password_policy" /workspace/src/security-hardening.sh
|
||||
grep -q "configure_system_limits" /workspace/src/security-hardening.sh
|
||||
grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_audit_rules creates audit.rules file" {
|
||||
grep -q '/etc/audit/rules.d/audit.rules' /workspace/src/security-hardening.sh
|
||||
# =============================================================================
|
||||
# Script Structure
|
||||
# =============================================================================
|
||||
|
||||
@test "security-hardening.sh uses strict mode" {
|
||||
head -5 /workspace/src/security-hardening.sh | grep -q "set -euo pipefail"
|
||||
}
|
||||
|
||||
@test "configure_audit_rules monitors passwd file" {
|
||||
grep -q '/etc/passwd' /workspace/src/security-hardening.sh
|
||||
@test "security-hardening.sh is executable" {
|
||||
[ -x "/workspace/src/security-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "configure_audit_rules monitors shadow file" {
|
||||
grep -q '/etc/shadow' /workspace/src/security-hardening.sh
|
||||
@test "security-hardening.sh has valid bash syntax" {
|
||||
run bash -n /workspace/src/security-hardening.sh
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "configure_audit_rules monitors sshd_config" {
|
||||
grep -q '/etc/ssh/sshd_config' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_audit_rules monitors wireguard directory" {
|
||||
grep -q '/etc/wireguard/' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_audit_rules monitors audit logs" {
|
||||
grep -q '/var/log/audit/' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "configure_audit_rules outputs completion message" {
|
||||
grep -q 'configured at' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
# Test apply_security_hardening function exists
|
||||
@test "apply_security_hardening function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f apply_security_hardening
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls create_wifi_blacklist" {
|
||||
grep -q 'create_wifi_blacklist' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls create_bluetooth_blacklist" {
|
||||
grep -q 'create_bluetooth_blacklist' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls configure_ssh" {
|
||||
grep -q 'configure_ssh' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls configure_password_policy" {
|
||||
grep -q 'configure_password_policy' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls configure_system_limits" {
|
||||
grep -q 'configure_system_limits' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening calls configure_audit_rules" {
|
||||
grep -q 'configure_audit_rules' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening outputs progress messages" {
|
||||
grep -q 'Applying security hardening' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "apply_security_hardening outputs completion message" {
|
||||
grep -q 'completed' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
# Test main function exists
|
||||
@test "main function is defined" {
|
||||
source /workspace/src/security-hardening.sh
|
||||
declare -f main
|
||||
}
|
||||
|
||||
@test "main calls apply_security_hardening" {
|
||||
grep -q 'apply_security_hardening' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "main outputs start message" {
|
||||
grep -q 'Starting KNEL-Football security hardening' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "main outputs completion message" {
|
||||
grep -q 'completed successfully' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
# Test script behavior
|
||||
@test "script uses set -euo pipefail" {
|
||||
grep -q "set -euo pipefail" /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "script is executable" {
|
||||
[ -x "/workspace/src/security-hardening.sh" ]
|
||||
}
|
||||
|
||||
@test "script has proper shebang" {
|
||||
head -n1 /workspace/src/security-hardening.sh | grep -q "#!/bin/bash"
|
||||
}
|
||||
|
||||
@test "script checks if executed directly" {
|
||||
grep -q 'BASH_SOURCE' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "script calls main only when executed directly" {
|
||||
grep -q '== "${0}"' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "script has comments explaining security requirements" {
|
||||
grep -q 'NIST' /workspace/src/security-hardening.sh
|
||||
grep -q 'CIS' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "script has mandatory password requirements" {
|
||||
grep -q 'MANDATORY' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
@test "script has compliance references" {
|
||||
grep -q 'tier0' /workspace/src/security-hardening.sh
|
||||
@test "security-hardening.sh runs main when executed directly" {
|
||||
grep -q 'BASH_SOURCE\[0\]' /workspace/src/security-hardening.sh
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user