fix: resolve critical build bugs and add missing PRD requirements

Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00
parent c03d3a793e
commit 62d20604a6
14 changed files with 1022 additions and 467 deletions
--- a/tests/unit/new-hooks_test.bats
+++ b/tests/unit/new-hooks_test.bats
@@ -0,0 +1,230 @@
+#!/usr/bin/env bats
+# Behavioral tests for new PRD hooks
+# Reference: PRD FR-005, FR-007
+
+setup() {
+    export TEST_TMPDIR=$(mktemp -d)
+}
+
+teardown() {
+    rm -rf "$TEST_TMPDIR"
+}
+
+# =============================================================================
+# kernel-hardening.sh - PRD FR-007
+# =============================================================================
+
+@test "kernel-hardening.sh hook exists and is executable" {
+    [ -f "/workspace/config/hooks/live/kernel-hardening.sh" ]
+    [ -x "/workspace/config/hooks/live/kernel-hardening.sh" ]
+}
+
+@test "kernel-hardening.sh uses strict mode" {
+    head -5 /workspace/config/hooks/live/kernel-hardening.sh | grep -q "set -euo pipefail"
+}
+
+@test "Kernel hardening enables ASLR" {
+    grep -q "randomize_va_space = 2" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening restricts ptrace scope" {
+    grep -q "ptrace_scope = 2" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening restricts kernel pointers" {
+    grep -q "kptr_restrict = 2" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening restricts dmesg" {
+    grep -q "dmesg_restrict = 1" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening disables kexec" {
+    grep -q "kexec_load = 0" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening disables SUID core dumps" {
+    grep -q "suid_dumpable = 0" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening protects hardlinks and symlinks" {
+    grep -q "protected_hardlinks = 1" /workspace/config/hooks/live/kernel-hardening.sh
+    grep -q "protected_symlinks = 1" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening disables IPv4 redirects" {
+    grep -q "send_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
+    grep -q "accept_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening enables SYN cookies" {
+    grep -q "tcp_syncookies = 1" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening enables reverse path filtering" {
+    grep -q "rp_filter = 1" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening disables IPv6 redirects" {
+    grep -q "ipv6.*accept_redirects = 0" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+@test "Kernel hardening config installs to sysctl.d" {
+    grep -q "/etc/sysctl.d" /workspace/config/hooks/live/kernel-hardening.sh
+}
+
+# =============================================================================
+# service-hardening.sh - PRD FR-007
+# =============================================================================
+
+@test "service-hardening.sh hook exists and is executable" {
+    [ -f "/workspace/config/hooks/live/service-hardening.sh" ]
+    [ -x "/workspace/config/hooks/live/service-hardening.sh" ]
+}
+
+@test "service-hardening.sh uses strict mode" {
+    head -5 /workspace/config/hooks/live/service-hardening.sh | grep -q "set -euo pipefail"
+}
+
+@test "Service hardening disables avahi-daemon" {
+    grep -q "avahi-daemon" /workspace/config/hooks/live/service-hardening.sh
+}
+
+@test "Service hardening disables cups" {
+    grep -q "cups" /workspace/config/hooks/live/service-hardening.sh
+}
+
+@test "Service hardening disables bluetooth service" {
+    grep -q "bluetooth" /workspace/config/hooks/live/service-hardening.sh
+}
+
+@test "Service hardening disables NetworkManager" {
+    grep -q "NetworkManager" /workspace/config/hooks/live/service-hardening.sh
+}
+
+@test "Service hardening masks services to prevent re-enabling" {
+    grep -q "systemctl mask" /workspace/config/hooks/live/service-hardening.sh
+}
+
+# =============================================================================
+# sudo-hardening.sh - PRD FR-007
+# =============================================================================
+
+@test "sudo-hardening.sh hook exists and is executable" {
+    [ -f "/workspace/config/hooks/live/sudo-hardening.sh" ]
+    [ -x "/workspace/config/hooks/live/sudo-hardening.sh" ]
+}
+
+@test "sudo-hardening.sh uses strict mode" {
+    head -5 /workspace/config/hooks/live/sudo-hardening.sh | grep -q "set -euo pipefail"
+}
+
+@test "Sudo hardening requires TTY" {
+    grep -q "requiretty" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+@test "Sudo hardening configures logging" {
+    grep -q "logfile" /workspace/config/hooks/live/sudo-hardening.sh
+    grep -q "log_input" /workspace/config/hooks/live/sudo-hardening.sh
+    grep -q "log_output" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+@test "Sudo hardening sets timestamp timeout" {
+    grep -q "timestamp_timeout" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+@test "Sudo hardening resets environment" {
+    grep -q "env_reset" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+@test "Sudo hardening restricts football user to specific commands" {
+    grep -q "football" /workspace/config/hooks/live/sudo-hardening.sh
+    grep -q "apply-vpn-config.sh" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+@test "Sudo hardening sets correct permissions (440)" {
+    grep -q "chmod 440" /workspace/config/hooks/live/sudo-hardening.sh
+}
+
+# =============================================================================
+# mount-hardening.sh - PRD FR-007
+# =============================================================================
+
+@test "mount-hardening.sh hook exists and is executable" {
+    [ -f "/workspace/config/hooks/installed/mount-hardening.sh" ]
+    [ -x "/workspace/config/hooks/installed/mount-hardening.sh" ]
+}
+
+@test "mount-hardening.sh uses strict mode" {
+    head -5 /workspace/config/hooks/installed/mount-hardening.sh | grep -q "set -euo pipefail"
+}
+
+@test "Mount hardening adds nodev to /tmp" {
+    grep -q "nodev" /workspace/config/hooks/installed/mount-hardening.sh
+}
+
+@test "Mount hardening adds nosuid to /tmp" {
+    grep -q "nosuid" /workspace/config/hooks/installed/mount-hardening.sh
+}
+
+@test "Mount hardening adds noexec to /tmp" {
+    grep -q "noexec" /workspace/config/hooks/installed/mount-hardening.sh
+}
+
+# =============================================================================
+# Live hook self-containment (BUG FIX VERIFICATION)
+# =============================================================================
+
+@test "security-hardening.sh live hook is self-contained (no source from /build)" {
+    ! grep -q "source /build/" /workspace/config/hooks/live/security-hardening.sh
+}
+
+@test "firewall-setup.sh live hook is self-contained (no source from /build)" {
+    ! grep -q "source /build/" /workspace/config/hooks/live/firewall-setup.sh
+}
+
+@test "install-scripts.sh does not reference /workspace/src/" {
+    ! grep -q "/workspace/src/" /workspace/config/hooks/installed/install-scripts.sh
+}
+
+@test "install-scripts.sh embeds firewall-setup.sh inline" {
+    grep -q "parse_wg_endpoint" /workspace/config/hooks/installed/install-scripts.sh
+    grep -q "generate_nftables_rules" /workspace/config/hooks/installed/install-scripts.sh
+}
+
+# =============================================================================
+# WiFi blacklist completeness (BUG FIX VERIFICATION)
+# =============================================================================
+
+@test "WiFi blacklist covers rtl* family (PRD FR-005)" {
+    source /workspace/src/security-hardening.sh
+    tmpfile=$(mktemp)
+    create_wifi_blacklist "$tmpfile"
+    grep -q "rtl8" "$tmpfile"
+    rm -f "$tmpfile"
+}
+
+@test "WiFi blacklist covers mwifi* family (PRD FR-005)" {
+    source /workspace/src/security-hardening.sh
+    tmpfile=$(mktemp)
+    create_wifi_blacklist "$tmpfile"
+    grep -q "mwifiex" "$tmpfile"
+    rm -f "$tmpfile"
+}
+
+@test "WiFi blacklist covers rt2* family (PRD FR-005)" {
+    source /workspace/src/security-hardening.sh
+    tmpfile=$(mktemp)
+    create_wifi_blacklist "$tmpfile"
+    grep -q "rt2x00" "$tmpfile"
+    rm -f "$tmpfile"
+}
+
+@test "WiFi blacklist covers ath* family (PRD FR-005)" {
+    source /workspace/src/security-hardening.sh
+    tmpfile=$(mktemp)
+    create_wifi_blacklist "$tmpfile"
+    grep -q "ath9k" "$tmpfile"
+    grep -q "ath10k" "$tmpfile"
+    rm -f "$tmpfile"
+}