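#!/usr/bin/env bats
# Behavioral tests for new PRD hooks
# Reference: PRD FR-005, FR-007
#
# Most tests here are static checks: they grep the hook sources for the
# settings the PRD requires. A match only proves the string is present in
# the file (a commented-out line would match too); it does not prove the
# setting is applied on a booted system.

# Hook locations under review. Kept in one place so a relocated hook only
# needs updating here.
LIVE_HOOKS=/workspace/config/hooks/live
INSTALLED_HOOKS=/workspace/config/hooks/installed
HARDENING_SRC=/workspace/src/security-hardening.sh

KERNEL_HOOK=$LIVE_HOOKS/kernel-hardening.sh
SERVICE_HOOK=$LIVE_HOOKS/service-hardening.sh
SUDO_HOOK=$LIVE_HOOKS/sudo-hardening.sh
MOUNT_HOOK=$INSTALLED_HOOKS/mount-hardening.sh
INSTALL_SCRIPTS_HOOK=$INSTALLED_HOOKS/install-scripts.sh

# Per-test scratch directory. teardown removes it on every exit path, so a
# failing assertion can no longer leave files behind in /tmp.
setup() {
  # Split declaration from assignment: `export X=$(cmd)` hides mktemp's status.
  TEST_TMPDIR=$(mktemp -d) || return 1
  export TEST_TMPDIR
}

teardown() {
  # Only remove when setup actually assigned a directory.
  if [ -n "${TEST_TMPDIR:-}" ]; then
    rm -rf -- "$TEST_TMPDIR"
  fi
}

# --- helpers ----------------------------------------------------------------

# Assert that hook $1 exists as a regular file and is executable.
assert_hook_executable() {
  [ -f "$1" ]
  [ -x "$1" ]
}

# Assert that `set -euo pipefail` appears within the first five lines of $1.
assert_strict_mode() {
  head -5 "$1" | grep -q "set -euo pipefail"
}

# Assert that hook $1 mentions every following argument (basic regex, -q).
assert_hook_contains() {
  local hook=$1
  shift
  local pattern
  for pattern in "$@"; do
    grep -q -- "$pattern" "$hook"
  done
}

# Assert that hook $2 exists and does NOT contain pattern $1.
# The existence check matters: on a missing file grep exits 2, and the bare
# negation `! grep -q ...` would turn that into a passing test.
assert_hook_lacks() {
  [ -f "$2" ]
  ! grep -q -- "$1" "$2"
}

# Generate the WiFi blacklist into the per-test scratch dir and assert that
# every given module name appears in it. The file lives under TEST_TMPDIR so
# teardown cleans it up even when a grep fails.
assert_blacklist_contains() {
  local blacklist="$TEST_TMPDIR/wifi-blacklist.conf"
  source "$HARDENING_SRC"
  create_wifi_blacklist "$blacklist"
  local module
  for module in "$@"; do
    grep -q -- "$module" "$blacklist"
  done
}

# =============================================================================
# kernel-hardening.sh - PRD FR-007
# =============================================================================

@test "kernel-hardening.sh hook exists and is executable" {
  assert_hook_executable "$KERNEL_HOOK"
}

@test "kernel-hardening.sh uses strict mode" {
  assert_strict_mode "$KERNEL_HOOK"
}

@test "Kernel hardening enables ASLR" {
  assert_hook_contains "$KERNEL_HOOK" "randomize_va_space = 2"
}

@test "Kernel hardening restricts ptrace scope" {
  assert_hook_contains "$KERNEL_HOOK" "ptrace_scope = 2"
}

@test "Kernel hardening restricts kernel pointers" {
  assert_hook_contains "$KERNEL_HOOK" "kptr_restrict = 2"
}

@test "Kernel hardening restricts dmesg" {
  assert_hook_contains "$KERNEL_HOOK" "dmesg_restrict = 1"
}

@test "Kernel hardening disables kexec" {
  assert_hook_contains "$KERNEL_HOOK" "kexec_load = 0"
}

@test "Kernel hardening disables SUID core dumps" {
  assert_hook_contains "$KERNEL_HOOK" "suid_dumpable = 0"
}

@test "Kernel hardening protects hardlinks and symlinks" {
  assert_hook_contains "$KERNEL_HOOK" \
    "protected_hardlinks = 1" \
    "protected_symlinks = 1"
}

@test "Kernel hardening disables IPv4 redirects" {
  # Patterns are not anchored to an ipv4 key; they match any family.
  assert_hook_contains "$KERNEL_HOOK" \
    "send_redirects = 0" \
    "accept_redirects = 0"
}

@test "Kernel hardening enables SYN cookies" {
  assert_hook_contains "$KERNEL_HOOK" "tcp_syncookies = 1"
}

@test "Kernel hardening enables reverse path filtering" {
  assert_hook_contains "$KERNEL_HOOK" "rp_filter = 1"
}

@test "Kernel hardening disables IPv6 redirects" {
  assert_hook_contains "$KERNEL_HOOK" "ipv6.*accept_redirects = 0"
}

@test "Kernel hardening config installs to sysctl.d" {
  assert_hook_contains "$KERNEL_HOOK" "/etc/sysctl.d"
}

# =============================================================================
# service-hardening.sh - PRD FR-007
# =============================================================================

@test "service-hardening.sh hook exists and is executable" {
  assert_hook_executable "$SERVICE_HOOK"
}

@test "service-hardening.sh uses strict mode" {
  assert_strict_mode "$SERVICE_HOOK"
}

@test "Service hardening disables avahi-daemon" {
  assert_hook_contains "$SERVICE_HOOK" "avahi-daemon"
}

@test "Service hardening disables cups" {
  assert_hook_contains "$SERVICE_HOOK" "cups"
}

@test "Service hardening disables bluetooth service" {
  assert_hook_contains "$SERVICE_HOOK" "bluetooth"
}

@test "Service hardening disables NetworkManager" {
  assert_hook_contains "$SERVICE_HOOK" "NetworkManager"
}

@test "Service hardening masks services to prevent re-enabling" {
  assert_hook_contains "$SERVICE_HOOK" "systemctl mask"
}

# =============================================================================
# sudo-hardening.sh - PRD FR-007
# =============================================================================

@test "sudo-hardening.sh hook exists and is executable" {
  assert_hook_executable "$SUDO_HOOK"
}

@test "sudo-hardening.sh uses strict mode" {
  assert_strict_mode "$SUDO_HOOK"
}

@test "Sudo hardening requires TTY" {
  assert_hook_contains "$SUDO_HOOK" "requiretty"
}

@test "Sudo hardening configures logging" {
  assert_hook_contains "$SUDO_HOOK" "logfile" "log_input" "log_output"
}

@test "Sudo hardening sets timestamp timeout" {
  assert_hook_contains "$SUDO_HOOK" "timestamp_timeout"
}

@test "Sudo hardening resets environment" {
  assert_hook_contains "$SUDO_HOOK" "env_reset"
}

@test "Sudo hardening restricts football user to specific commands" {
  assert_hook_contains "$SUDO_HOOK" "football" "apply-vpn-config.sh"
}

@test "Sudo hardening sets correct permissions (440)" {
  assert_hook_contains "$SUDO_HOOK" "chmod 440"
}

# =============================================================================
# mount-hardening.sh - PRD FR-007
# =============================================================================

@test "mount-hardening.sh hook exists and is executable" {
  assert_hook_executable "$MOUNT_HOOK"
}

@test "mount-hardening.sh uses strict mode" {
  assert_strict_mode "$MOUNT_HOOK"
}

# The three mount-option checks look for the option anywhere in the hook;
# they do not verify that it is applied to /tmp specifically.
@test "Mount hardening adds nodev to /tmp" {
  assert_hook_contains "$MOUNT_HOOK" "nodev"
}

@test "Mount hardening adds nosuid to /tmp" {
  assert_hook_contains "$MOUNT_HOOK" "nosuid"
}

@test "Mount hardening adds noexec to /tmp" {
  assert_hook_contains "$MOUNT_HOOK" "noexec"
}

# =============================================================================
# Live hook self-containment (BUG FIX VERIFICATION)
# =============================================================================

@test "security-hardening.sh live hook is self-contained (no source from /build)" {
  assert_hook_lacks "source /build/" "$LIVE_HOOKS/security-hardening.sh"
}

@test "firewall-setup.sh live hook is self-contained (no source from /build)" {
  assert_hook_lacks "source /build/" "$LIVE_HOOKS/firewall-setup.sh"
}

@test "install-scripts.sh does not reference /workspace/src/" {
  assert_hook_lacks "/workspace/src/" "$INSTALL_SCRIPTS_HOOK"
}

@test "install-scripts.sh embeds firewall-setup.sh inline" {
  assert_hook_contains "$INSTALL_SCRIPTS_HOOK" \
    "parse_wg_endpoint" \
    "generate_nftables_rules"
}

# =============================================================================
# WiFi blacklist completeness (BUG FIX VERIFICATION)
# =============================================================================

@test "WiFi blacklist covers rtl* family (PRD FR-005)" {
  assert_blacklist_contains "rtl8"
}

@test "WiFi blacklist covers mwifi* family (PRD FR-005)" {
  assert_blacklist_contains "mwifiex"
}

@test "WiFi blacklist covers rt2* family (PRD FR-005)" {
  assert_blacklist_contains "rt2x00"
}

@test "WiFi blacklist covers ath* family (PRD FR-005)" {
  assert_blacklist_contains "ath9k" "ath10k"
}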