fix: resolve critical build bugs and add missing PRD requirements

Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00
parent c03d3a793e
commit 62d20604a6
14 changed files with 1022 additions and 467 deletions
--- a/tests/unit/security-hardening_comprehensive_test.bats
+++ b/tests/unit/security-hardening_comprehensive_test.bats
@@ -1,348 +1,226 @@
 #!/usr/bin/env bats
-# Comprehensive unit tests for security-hardening.sh (100% coverage)
+# Behavioral tests for security-hardening.sh functions
+# Reference: PRD FR-005, FR-006, FR-007

-# Test create_wifi_blacklist function exists
-@test "create_wifi_blacklist function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f create_wifi_blacklist
+setup() {
+    export TEST_TMPDIR=$(mktemp -d)
 }

-@test "create_wifi_blacklist accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
+teardown() {
+    rm -rf "$TEST_TMPDIR"
 }

-@test "create_wifi_blacklist creates modprobe.d file" {
-  grep -q '/etc/modprobe.d/blacklist-wifi.conf' /workspace/src/security-hardening.sh
+# =============================================================================
+# WiFi Blacklist - PRD FR-005
+# =============================================================================
+
+@test "create_wifi_blacklist generates file with correct content" {
+    source /workspace/src/security-hardening.sh
+    create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
+    [ -f "$TEST_TMPDIR/blacklist-wifi.conf" ]
+    grep -q "blacklist cfg80211" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "blacklist mac80211" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "blacklist iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "blacklist brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
 }

-@test "create_wifi_blacklist blacklists cfg80211" {
-  grep -q 'blacklist cfg80211' /workspace/src/security-hardening.sh
-}
-
-@test "create_wifi_blacklist blacklists mac80211" {
-  grep -q 'blacklist mac80211' /workspace/src/security-hardening.sh
-}
-
-@test "create_wifi_blacklist blacklists brcmfmac" {
-  grep -q 'blacklist brcmfmac' /workspace/src/security-hardening.sh
-}
-
-@test "create_wifi_blacklist blacklists iwlwifi" {
-  grep -q 'blacklist iwlwifi' /workspace/src/security-hardening.sh
-}
-
-@test "create_wifi_blacklist blacklists ath9k" {
-  grep -q 'blacklist ath9k' /workspace/src/security-hardening.sh
-}
-
-@test "create_wifi_blacklist blacklists rt73usb" {
-  grep -q 'blacklist rt73usb' /workspace/src/security-hardening.sh
+@test "WiFi blacklist includes PRD-specified driver families" {
+    source /workspace/src/security-hardening.sh
+    create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "rtl8" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "ath9k" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "mwifiex" "$TEST_TMPDIR/blacklist-wifi.conf"
+    grep -q "rt2x00" "$TEST_TMPDIR/blacklist-wifi.conf"
 }

@test "create_wifi_blacklist outputs completion message" {
-  grep -q 'created at' /workspace/src/security-hardening.sh
+    source /workspace/src/security-hardening.sh
+    run create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
+    [ "$status" -eq 0 ]
+    [[ "$output" == *"created at"* ]]
 }

-# Test create_bluetooth_blacklist function exists
-@test "create_bluetooth_blacklist function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f create_bluetooth_blacklist
+# =============================================================================
+# Bluetooth Blacklist - PRD FR-005
+# =============================================================================
+
+@test "create_bluetooth_blacklist generates file with correct content" {
+    source /workspace/src/security-hardening.sh
+    create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
+    [ -f "$TEST_TMPDIR/blacklist-bt.conf" ]
+    grep -q "blacklist btusb" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist bluetooth" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist btrtl" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist btintel" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist btbcm" "$TEST_TMPDIR/blacklist-bt.conf"
 }

-@test "create_bluetooth_blacklist accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
+@test "Bluetooth blacklist includes additional modules (bnep, rfcomm, hidp)" {
+    source /workspace/src/security-hardening.sh
+    create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist bnep" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist rfcomm" "$TEST_TMPDIR/blacklist-bt.conf"
+    grep -q "blacklist hidp" "$TEST_TMPDIR/blacklist-bt.conf"
 }

-@test "create_bluetooth_blacklist creates modprobe.d file" {
-  grep -q '/etc/modprobe.d/blacklist-bluetooth.conf' /workspace/src/security-hardening.sh
+# =============================================================================
+# SSH Client Config - PRD FR-006
+# =============================================================================
+
+@test "configure_ssh_client generates correct ssh_config" {
+    source /workspace/src/security-hardening.sh
+    configure_ssh_client "$TEST_TMPDIR/ssh_config"
+    [ -f "$TEST_TMPDIR/ssh_config" ]
+    grep -q "PasswordAuthentication no" "$TEST_TMPDIR/ssh_config"
+    grep -q "PubkeyAuthentication yes" "$TEST_TMPDIR/ssh_config"
 }

-@test "create_bluetooth_blacklist blacklists btusb" {
-  grep -q 'blacklist btusb' /workspace/src/security-hardening.sh
+@test "SSH client uses modern key exchange algorithms" {
+    source /workspace/src/security-hardening.sh
+    configure_ssh_client "$TEST_TMPDIR/ssh_config"
+    grep -q "KexAlgorithms" "$TEST_TMPDIR/ssh_config"
+    grep -q "curve25519-sha256" "$TEST_TMPDIR/ssh_config"
 }

-@test "create_bluetooth_blacklist blacklists bluetooth" {
-  grep -q 'blacklist bluetooth' /workspace/src/security-hardening.sh
+@test "SSH client uses modern ciphers" {
+    source /workspace/src/security-hardening.sh
+    configure_ssh_client "$TEST_TMPDIR/ssh_config"
+    grep -q "Ciphers" "$TEST_TMPDIR/ssh_config"
+    grep -q "chacha20-poly1305" "$TEST_TMPDIR/ssh_config"
 }

-@test "create_bluetooth_blacklist blacklists btrtl" {
-  grep -q 'blacklist btrtl' /workspace/src/security-hardening.sh
+@test "SSH client enables strict host key checking" {
+    source /workspace/src/security-hardening.sh
+    configure_ssh_client "$TEST_TMPDIR/ssh_config"
+    grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config"
 }

-@test "create_bluetooth_blacklist blacklists btintel" {
-  grep -q 'blacklist btintel' /workspace/src/security-hardening.sh
+# =============================================================================
+# Password Policy - PRD FR-007
+# =============================================================================
+
+@test "configure_password_policy generates correct pwquality.conf" {
+    source /workspace/src/security-hardening.sh
+    configure_password_policy "$TEST_TMPDIR/pwquality.conf"
+    [ -f "$TEST_TMPDIR/pwquality.conf" ]
+    grep -q "minlen = 14" "$TEST_TMPDIR/pwquality.conf"
+    grep -q "dcredit = -1" "$TEST_TMPDIR/pwquality.conf"
+    grep -q "ucredit = -1" "$TEST_TMPDIR/pwquality.conf"
+    grep -q "lcredit = -1" "$TEST_TMPDIR/pwquality.conf"
+    grep -q "ocredit = -1" "$TEST_TMPDIR/pwquality.conf"
 }

-@test "create_bluetooth_blacklist blacklists btbcm" {
-  grep -q 'blacklist btbcm' /workspace/src/security-hardening.sh
+@test "Password policy requires 3 of 4 character classes" {
+    source /workspace/src/security-hardening.sh
+    configure_password_policy "$TEST_TMPDIR/pwquality.conf"
+    grep -q "minclass = 3" "$TEST_TMPDIR/pwquality.conf"
 }

-@test "create_bluetooth_blacklist outputs completion message" {
-  grep -q 'created at' /workspace/src/security-hardening.sh
+@test "Password policy enforces complexity (enforcing=1)" {
+    source /workspace/src/security-hardening.sh
+    configure_password_policy "$TEST_TMPDIR/pwquality.conf"
+    grep -q "enforcing = 1" "$TEST_TMPDIR/pwquality.conf"
 }

-# Test configure_ssh function exists
-@test "configure_ssh function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f configure_ssh
+@test "Password policy rejects common bad words" {
+    source /workspace/src/security-hardening.sh
+    configure_password_policy "$TEST_TMPDIR/pwquality.conf"
+    grep -q "badwords" "$TEST_TMPDIR/pwquality.conf"
 }

-@test "configure_ssh accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
+# =============================================================================
+# FIM (AIDE) - CIS 1.4
+# =============================================================================
+
+@test "configure_fim generates valid AIDE config" {
+    source /workspace/src/security-hardening.sh
+    configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
+    [ -f "$TEST_TMPDIR/aide.conf" ]
+    grep -q "SECURITY = " "$TEST_TMPDIR/aide.conf"
+    grep -q "/etc SECURITY" "$TEST_TMPDIR/aide.conf"
+    grep -q "/boot SECURITY" "$TEST_TMPDIR/aide.conf"
+    grep -q "/usr SECURITY" "$TEST_TMPDIR/aide.conf"
 }

-@test "configure_ssh creates sshd_config file" {
-  grep -q '/etc/ssh/sshd_config' /workspace/src/security-hardening.sh
+@test "FIM config excludes volatile paths" {
+    source /workspace/src/security-hardening.sh
+    configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
+    grep -q "!/proc" "$TEST_TMPDIR/aide.conf"
+    grep -q "!/sys" "$TEST_TMPDIR/aide.conf"
+    grep -q "!/dev" "$TEST_TMPDIR/aide.conf"
+    grep -q "!/tmp" "$TEST_TMPDIR/aide.conf"
 }

-@test "configure_ssh sets Protocol to 2" {
-  grep -q 'Protocol 2' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh disables root login" {
-  grep -q 'PermitRootLogin no' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh disables empty passwords" {
-  grep -q 'PermitEmptyPasswords no' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh sets MaxAuthTries to 3" {
-  grep -q 'MaxAuthTries 3' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh sets ClientAliveInterval to 300" {
-  grep -q 'ClientAliveInterval 300' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh sets ClientAliveCountMax to 2" {
-  grep -q 'ClientAliveCountMax 2' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh disables X11 forwarding" {
-  grep -q 'X11Forwarding no' /workspace/src/security-hardening.sh
-}
-
-@test "configure_ssh outputs completion message" {
-  grep -q 'created at' /workspace/src/security-hardening.sh
-}
-
-# Test configure_password_policy function exists
-@test "configure_password_policy function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f configure_password_policy
-}
-
-@test "configure_password_policy accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy creates pwquality.conf file" {
-  grep -q '/etc/security/pwquality.conf' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy sets minlen to 14" {
-  grep -q 'minlen = 14' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy requires 1 digit" {
-  grep -q 'dcredit = -1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy requires 1 uppercase" {
-  grep -q 'ucredit = -1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy requires 1 lowercase" {
-  grep -q 'lcredit = -1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy requires 1 special char" {
-  grep -q 'ocredit = -1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy enforces minimum requirements" {
-  grep -q 'enforcing = 1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy checks dictionary" {
-  grep -q 'dictcheck = 1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy checks username" {
-  grep -q 'usercheck = 1' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy sets maxrepeat to 2" {
-  grep -q 'maxrepeat = 2' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy sets maxsequence to 2" {
-  grep -q 'maxsequence = 2' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy sets minclass to 3" {
-  grep -q 'minclass = 3' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy has security comments" {
-  grep -q 'NIST SP 800-63B' /workspace/src/security-hardening.sh
-}
-
-@test "configure_password_policy outputs completion message" {
-  grep -q 'configured at' /workspace/src/security-hardening.sh
-}
-
-# Test configure_system_limits function exists
-@test "configure_system_limits function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f configure_system_limits
-}
-
-@test "configure_system_limits accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
-}
-
-@test "configure_system_limits creates limits file" {
-  grep -q '/etc/security/limits.d/security.conf' /workspace/src/security-hardening.sh
-}
+# =============================================================================
+# System Limits - PRD FR-007
+# =============================================================================

@test "configure_system_limits disables core dumps" {
-  grep -q 'hard core 0' /workspace/src/security-hardening.sh
+    source /workspace/src/security-hardening.sh
+    configure_system_limits "$TEST_TMPDIR/limits.conf"
+    [ -f "$TEST_TMPDIR/limits.conf" ]
+    grep -q "hard core 0" "$TEST_TMPDIR/limits.conf"
 }

-@test "configure_system_limits sets nproc limits" {
-  grep -q 'nproc' /workspace/src/security-hardening.sh
+# =============================================================================
+# Audit Rules - CIS 6.2, FedRAMP AU-2
+# =============================================================================
+
+@test "configure_audit_rules generates comprehensive audit config" {
+    source /workspace/src/security-hardening.sh
+    configure_audit_rules "$TEST_TMPDIR/audit.rules"
+    [ -f "$TEST_TMPDIR/audit.rules" ]
+    grep -q "/etc/passwd" "$TEST_TMPDIR/audit.rules"
+    grep -q "/etc/shadow" "$TEST_TMPDIR/audit.rules"
+    grep -q "/etc/sudoers" "$TEST_TMPDIR/audit.rules"
+    grep -q "/etc/wireguard/" "$TEST_TMPDIR/audit.rules"
+    grep -q "init_module" "$TEST_TMPDIR/audit.rules"
 }

-@test "configure_system_limits outputs completion message" {
-  grep -q 'configured at' /workspace/src/security-hardening.sh
+@test "Audit rules monitor privilege escalation" {
+    source /workspace/src/security-hardening.sh
+    configure_audit_rules "$TEST_TMPDIR/audit.rules"
+    grep -q "privilege_escalation" "$TEST_TMPDIR/audit.rules"
 }

-# Test configure_audit_rules function exists
-@test "configure_audit_rules function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f configure_audit_rules
+@test "Audit rules monitor network configuration" {
+    source /workspace/src/security-hardening.sh
+    configure_audit_rules "$TEST_TMPDIR/audit.rules"
+    grep -q "network_config" "$TEST_TMPDIR/audit.rules"
 }

-@test "configure_audit_rules accepts optional output parameter" {
-  grep -q 'output_file=.*${1:-' /workspace/src/security-hardening.sh
+# =============================================================================
+# apply_security_hardening - PRD FR-007
+# =============================================================================
+
+@test "apply_security_hardening calls all config functions" {
+    grep -q "create_wifi_blacklist" /workspace/src/security-hardening.sh
+    grep -q "create_bluetooth_blacklist" /workspace/src/security-hardening.sh
+    grep -q "configure_ssh" /workspace/src/security-hardening.sh
+    grep -q "configure_password_policy" /workspace/src/security-hardening.sh
+    grep -q "configure_system_limits" /workspace/src/security-hardening.sh
+    grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
 }

-@test "configure_audit_rules creates audit.rules file" {
-  grep -q '/etc/audit/rules.d/audit.rules' /workspace/src/security-hardening.sh
+# =============================================================================
+# Script Structure
+# =============================================================================
+
+@test "security-hardening.sh uses strict mode" {
+    head -5 /workspace/src/security-hardening.sh | grep -q "set -euo pipefail"
 }

-@test "configure_audit_rules monitors passwd file" {
-  grep -q '/etc/passwd' /workspace/src/security-hardening.sh
+@test "security-hardening.sh is executable" {
+    [ -x "/workspace/src/security-hardening.sh" ]
 }

-@test "configure_audit_rules monitors shadow file" {
-  grep -q '/etc/shadow' /workspace/src/security-hardening.sh
+@test "security-hardening.sh has valid bash syntax" {
+    run bash -n /workspace/src/security-hardening.sh
+    [ "$status" -eq 0 ]
 }

-@test "configure_audit_rules monitors sshd_config" {
-  grep -q '/etc/ssh/sshd_config' /workspace/src/security-hardening.sh
-}
-
-@test "configure_audit_rules monitors wireguard directory" {
-  grep -q '/etc/wireguard/' /workspace/src/security-hardening.sh
-}
-
-@test "configure_audit_rules monitors audit logs" {
-  grep -q '/var/log/audit/' /workspace/src/security-hardening.sh
-}
-
-@test "configure_audit_rules outputs completion message" {
-  grep -q 'configured at' /workspace/src/security-hardening.sh
-}
-
-# Test apply_security_hardening function exists
-@test "apply_security_hardening function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f apply_security_hardening
-}
-
-@test "apply_security_hardening calls create_wifi_blacklist" {
-  grep -q 'create_wifi_blacklist' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening calls create_bluetooth_blacklist" {
-  grep -q 'create_bluetooth_blacklist' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening calls configure_ssh" {
-  grep -q 'configure_ssh' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening calls configure_password_policy" {
-  grep -q 'configure_password_policy' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening calls configure_system_limits" {
-  grep -q 'configure_system_limits' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening calls configure_audit_rules" {
-  grep -q 'configure_audit_rules' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening outputs progress messages" {
-  grep -q 'Applying security hardening' /workspace/src/security-hardening.sh
-}
-
-@test "apply_security_hardening outputs completion message" {
-  grep -q 'completed' /workspace/src/security-hardening.sh
-}
-
-# Test main function exists
-@test "main function is defined" {
-  source /workspace/src/security-hardening.sh
-  declare -f main
-}
-
-@test "main calls apply_security_hardening" {
-  grep -q 'apply_security_hardening' /workspace/src/security-hardening.sh
-}
-
-@test "main outputs start message" {
-  grep -q 'Starting KNEL-Football security hardening' /workspace/src/security-hardening.sh
-}
-
-@test "main outputs completion message" {
-  grep -q 'completed successfully' /workspace/src/security-hardening.sh
-}
-
-# Test script behavior
-@test "script uses set -euo pipefail" {
-  grep -q "set -euo pipefail" /workspace/src/security-hardening.sh
-}
-
-@test "script is executable" {
-  [ -x "/workspace/src/security-hardening.sh" ]
-}
-
-@test "script has proper shebang" {
-  head -n1 /workspace/src/security-hardening.sh | grep -q "#!/bin/bash"
-}
-
-@test "script checks if executed directly" {
-  grep -q 'BASH_SOURCE' /workspace/src/security-hardening.sh
-}
-
-@test "script calls main only when executed directly" {
-  grep -q '== "${0}"' /workspace/src/security-hardening.sh
-}
-
-@test "script has comments explaining security requirements" {
-  grep -q 'NIST' /workspace/src/security-hardening.sh
-  grep -q 'CIS' /workspace/src/security-hardening.sh
-}
-
-@test "script has mandatory password requirements" {
-  grep -q 'MANDATORY' /workspace/src/security-hardening.sh
-}
-
-@test "script has compliance references" {
-  grep -q 'tier0' /workspace/src/security-hardening.sh
+@test "security-hardening.sh runs main when executed directly" {
+    grep -q 'BASH_SOURCE\[0\]' /workspace/src/security-hardening.sh
 }