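#!/bin/bash
# Football Security and Compliance Test Suite
# Tests all security controls and compliance requirements
# Usage: ./tests/compliance-test.sh
#
# Run as root for complete results. Checks that need privileged state
# (passwd -S, auditctl -l, visudo -c) are SKIPPED rather than FAILED when
# the suite runs unprivileged, so an unprivileged run cannot produce
# spurious failures.
#
# Exit status: 0 when no check FAILED, 1 otherwise. WARNING and SKIP do
# not affect the exit status.
#
# Scope caveat: most checks are spot checks (a file exists, a sysctl has a
# value). A clean run is evidence that the hardening was applied, not proof
# of compliance with any framework.
#
# NOTE on "set -e": every probe runs inside an if/|| condition so a failing
# probe is reported instead of aborting the run. Counters are bumped with
# $((n + 1)) assignments because "((n++))" evaluates to 0 -> status 1 when
# n is 0, which under -e would abort the suite on the very first test.
# "pipefail" is deliberately NOT set: probes such as
# "systemctl is-active X | grep -q inactive" rely on the pipeline status
# being that of the last command.
set -e

# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Test counters
TOTAL_TESTS=0
PASSED_TESTS=0
FAILED_TESTS=0
SKIPPED_TESTS=0
WARNINGS=0

# Arrays for results
declare -a FAILED_TESTS_LIST
declare -a WARNING_LIST

# ============================================================================
# HELPER FUNCTIONS
# ============================================================================

# Print the test title (no newline) and count the test.
log_test() {
  echo -n "Testing: $1 ... "
  TOTAL_TESTS=$((TOTAL_TESTS + 1))
}

pass_test() {
  echo -e "${GREEN}PASS${NC}"
  PASSED_TESTS=$((PASSED_TESTS + 1))
}

# $1 - failure message, recorded for the final report
fail_test() {
  echo -e "${RED}FAIL${NC}"
  FAILED_TESTS=$((FAILED_TESTS + 1))
  FAILED_TESTS_LIST+=("$1")
}

# $1 - warning message, recorded for the final report
warn_test() {
  echo -e "${YELLOW}WARNING${NC}"
  WARNINGS=$((WARNINGS + 1))
  WARNING_LIST+=("$1")
}

# $1 - optional reason, printed inline (skips are not listed in the report)
skip_test() {
  echo -e "${BLUE}SKIP${NC}${1:+ ($1)}"
  SKIPPED_TESTS=$((SKIPPED_TESTS + 1))
}

section() {
  echo ""
  echo -e "${BLUE}========================================${NC}"
  echo -e "${BLUE}$1${NC}"
  echo -e "${BLUE}========================================${NC}"
  echo ""
}

# True when running with effective uid 0.
is_root() {
  [ "${EUID:-$(id -u)}" -eq 0 ]
}

# sysctl_equals KEY EXPECTED
# Returns 0 when the live value of KEY equals EXPECTED, 1 when it differs,
# 2 when the key does not exist (e.g. IPv6 compiled out / disabled).
sysctl_equals() {
  local key=$1 expected=$2 actual
  actual=$(sysctl -n "$key" 2>/dev/null) || return 2
  [ "$actual" = "$expected" ]
}

# sysctl_test TITLE KEY EXPECTED FAIL_MESSAGE
# One PASS/FAIL test around sysctl_equals; a missing key counts as FAIL.
sysctl_test() {
  local title=$1 key=$2 expected=$3 fail_msg=$4
  log_test "$title"
  if sysctl_equals "$key" "$expected"; then
    pass_test
  else
    fail_test "$fail_msg"
  fi
}

# config_has REGEX FILE...
# Extended-regex match across one or more files; missing files are silent.
# Callers anchor their pattern at line start so commented-out directives
# ("#install nfs /bin/true") do not count as configured.
config_has() {
  local pattern=$1
  shift
  grep -Eqs -- "$pattern" "$@"
}

# ============================================================================
# CIS BENCHMARK TESTS - SECTION 1: FILESYSTEMS
# ============================================================================

test_filesystems() {
  section "CIS Benchmark 1: Filesystem Configuration"

  # 1.1.1 Disable unused filesystems
  log_test "1.1.1 Ensure unused filesystems are disabled"
  if [ -f /etc/modprobe.d/no-network-fs.conf ]; then
    # Either /bin/true or /bin/false as the install target stops the module
    # from loading; both forms appear in CIS guidance.
    if config_has '^[[:space:]]*install[[:space:]]+nfs[[:space:]]+/bin/(true|false)' \
        /etc/modprobe.d/no-network-fs.conf; then
      pass_test
    else
      fail_test "1.1.1: NFS not disabled in modprobe.d"
    fi
  else
    fail_test "1.1.1: no-network-fs.conf not found"
  fi

  # 1.1.3 Ensure /tmp is configured
  # stat %a prints "1777" only when the sticky bit is set, so that is the
  # one acceptable mode. The benchmark item is about /tmp being its own
  # mount; when findmnt is available, a /tmp that is not a mount point is
  # reported as a warning.
  log_test "1.1.3 Ensure /tmp partition configured"
  if [ -d /tmp ]; then
    local tmp_mode
    tmp_mode=$(stat -c "%a" /tmp)
    if [ "$tmp_mode" != "1777" ]; then
      warn_test "1.1.3: /tmp permissions may not be correct"
    elif command -v findmnt >/dev/null 2>&1 && ! findmnt -n /tmp >/dev/null 2>&1; then
      warn_test "1.1.3: /tmp is not a separate mount"
    else
      pass_test
    fi
  else
    fail_test "1.1.3: /tmp directory not found"
  fi

  # 1.1.19 Ensure sticky bit on world-writable directories
  log_test "1.1.19 Ensure sticky bit on /tmp"
  if [ "$(stat -c "%a" /tmp 2>/dev/null)" = "1777" ]; then
    pass_test
  else
    warn_test "1.1.19: /tmp may not have sticky bit"
  fi
}

# ============================================================================
# CIS BENCHMARK TESTS - SECTION 3: NETWORK
# ============================================================================

test_network() {
  section "CIS Benchmark 3: Network Configuration"

  # These read the LIVE kernel value, not the sysctl.d files, so they also
  # catch a hardening file that was written but never applied.
  sysctl_test "3.1.1 Ensure IP forwarding is disabled" \
    net.ipv4.ip_forward 0 "3.1.1: IP forwarding not disabled"
  sysctl_test "3.1.2 Ensure packet redirect sending is disabled" \
    net.ipv4.conf.all.send_redirects 0 "3.1.2: Packet redirects not disabled"
  sysctl_test "3.2.1 Ensure source routed packets are not accepted" \
    net.ipv4.conf.all.accept_source_route 0 "3.2.1: Source routing not disabled"
  sysctl_test "3.2.2 Ensure ICMP redirects are not accepted" \
    net.ipv4.conf.all.accept_redirects 0 "3.2.2: ICMP redirects not disabled"
  sysctl_test "3.2.8 Ensure TCP SYN Cookies is enabled" \
    net.ipv4.tcp_syncookies 1 "3.2.8: TCP SYN cookies not enabled"

  # 3.3.1 Ensure IPv6 router advertisements are not accepted
  # An absent key means IPv6 is not available on this kernel, which
  # satisfies the control (there is nothing to accept RAs).
  log_test "3.3.1 Ensure IPv6 router advertisements are not accepted"
  local ra_status=0
  sysctl_equals net.ipv6.conf.all.accept_ra 0 || ra_status=$?
  if [ "$ra_status" -eq 0 ] || [ "$ra_status" -eq 2 ]; then
    pass_test
  else
    warn_test "3.3.1: IPv6 may accept router advertisements"
  fi
}

# ============================================================================
# CIS BENCHMARK TESTS - SECTION 4: LOGGING AND AUDITING
# ============================================================================

test_auditing() {
  section "CIS Benchmark 4: Logging and Auditing"

  # 4.1.1.3 Ensure rsyslog is installed
  log_test "4.1.1.3 Ensure rsyslog is installed"
  if command -v rsyslogd >/dev/null 2>&1 || systemctl is-active rsyslog >/dev/null 2>&1; then
    pass_test
  else
    fail_test "4.1.1.3: rsyslog not installed or not running"
  fi

  # 4.1.1.4 Ensure rsyslog service is enabled
  log_test "4.1.1.4 Ensure rsyslog service is enabled"
  if systemctl is-enabled rsyslog >/dev/null 2>&1; then
    pass_test
  else
    fail_test "4.1.1.4: rsyslog not enabled"
  fi

  # 4.1.2.1 Ensure system is configured to log audit records
  log_test "4.1.2.1 Ensure system logs audit records"
  if systemctl is-active auditd >/dev/null 2>&1; then
    pass_test
  else
    fail_test "4.1.2.1: auditd not running"
  fi

  # 4.1.2.2 Ensure auditd service is enabled
  log_test "4.1.2.2 Ensure auditd service is enabled"
  if systemctl is-enabled auditd >/dev/null 2>&1; then
    pass_test
  else
    fail_test "4.1.2.2: auditd not enabled"
  fi

  # 4.1.2.7 Ensure audit records are stored
  log_test "4.1.2.7 Ensure audit records are stored"
  if [ -d /var/log/audit ]; then
    pass_test
  else
    fail_test "4.1.2.7: /var/log/audit directory not found"
  fi
}

# ============================================================================
# CIS BENCHMARK TESTS - SECTION 5: ACCESS CONTROL
# ============================================================================

test_access_control() {
  section "CIS Benchmark 5: Access Control"

  # 5.1.1 Ensure cron daemon is enabled and running
  log_test "5.1.1 Ensure cron daemon is enabled"
  if systemctl is-enabled cron >/dev/null 2>&1; then
    pass_test
  else
    fail_test "5.1.1: cron not enabled"
  fi

  # 5.2.1 Ensure SSH server is not installed
  log_test "5.2.1 Ensure SSH server is not installed"
  if ! command -v sshd >/dev/null 2>&1 && ! systemctl list-unit-files | grep -q "sshd"; then
    pass_test
  elif systemctl is-active sshd >/dev/null 2>&1; then
    fail_test "5.2.1: SSH server is running"
  else
    warn_test "5.2.1: SSH installed but not running"
  fi

  # 5.4.1.1 Ensure password creation requirements are configured
  # Presence only: the file's contents (minlen, credit rules) are not
  # inspected here.
  log_test "5.4.1.1 Ensure password creation requirements are configured"
  if [ -f /etc/security/pwquality.conf ]; then
    pass_test
  else
    fail_test "5.4.1.1: pwquality.conf not found"
  fi

  # 5.4.2 Ensure password hashing algorithm is SHA-512 (or yescrypt)
  # Anchored so a commented-out "#ENCRYPT_METHOD SHA512" cannot pass.
  # yescrypt is the Debian default and at least as strong, so it is
  # accepted alongside SHA512.
  log_test "5.4.2 Ensure password hashing algorithm is SHA-512"
  if config_has '^[[:space:]]*ENCRYPT_METHOD[[:space:]]+(SHA512|YESCRYPT)([[:space:]]|$)' /etc/login.defs; then
    pass_test
  else
    fail_test "5.4.2: Password hashing not set to SHA-512 or yescrypt"
  fi

  # 5.4.3 Ensure system accounts are secured
  # "passwd -S" reads /etc/shadow; unprivileged it fails for every user,
  # which previously counted as "all accounts unlocked". Skip instead.
  log_test "5.4.3 Ensure system accounts are secured"
  if ! is_root; then
    skip_test "passwd -S requires root"
  else
    local unsecured_accounts=0 user status
    for user in daemon bin sys sync man lp mail news uucp; do
      id "$user" >/dev/null 2>&1 || continue
      # Field 2 of "passwd -S" is the lock status: L (Debian) or LK (RHEL).
      status=$(passwd -S "$user" 2>/dev/null | awk '{print $2}')
      case "$status" in
        L|LK) ;;
        *) unsecured_accounts=$((unsecured_accounts + 1)) ;;
      esac
    done
    if [ "$unsecured_accounts" -eq 0 ]; then
      pass_test
    else
      fail_test "5.4.3: $unsecured_accounts system accounts not locked"
    fi
  fi
}

# ============================================================================
# CIS BENCHMARK TESTS - SECTION 6: MAINTENANCE
# ============================================================================

test_maintenance() {
  section "CIS Benchmark 6: System Maintenance"

  # 6.1.1 Ensure system accounts are non-login
  log_test "6.1.1 Ensure system accounts are non-login"
  local login_accounts=0 user shell
  for user in daemon bin sys sync man lp mail news uucp; do
    id "$user" >/dev/null 2>&1 || continue
    shell=$(getent passwd "$user" | cut -d: -f7)
    # An empty shell field is treated as non-login (same as the original
    # check); /sbin/nologin is the non-Debian path of the same binary.
    case "$shell" in
      ""|/usr/sbin/nologin|/sbin/nologin|/bin/false) ;;
      *) login_accounts=$((login_accounts + 1)) ;;
    esac
  done
  if [ "$login_accounts" -eq 0 ]; then
    pass_test
  else
    warn_test "6.1.1: $login_accounts system accounts may have login shells"
  fi
}

# ============================================================================
# CMMC AND FEDRAMP COMPLIANCE TESTS
# ============================================================================

# These map control families to the presence of the hardening artifacts
# this project ships. Existence of a file is weak evidence; where a cheap
# content check exists it is applied too.
test_compliance() {
  section "CMMC Level 3 and FedRAMP Moderate Compliance"

  # AC.6: Least privilege
  log_test "AC.6: Ensure sudo configuration enforces least privilege"
  if [ -f /etc/sudoers.d/cis-hardening ]; then
    # A drop-in that does not parse is a configuration error, not a
    # control; verify it with visudo when we have the privilege to read it.
    if is_root && command -v visudo >/dev/null 2>&1 \
        && ! visudo -cf /etc/sudoers.d/cis-hardening >/dev/null 2>&1; then
      fail_test "AC.6: /etc/sudoers.d/cis-hardening fails visudo syntax check"
    else
      pass_test
    fi
  else
    fail_test "AC.6: CIS sudoers configuration not found"
  fi

  # AU.2: Audit events
  log_test "AU.2: Ensure comprehensive audit rules are configured"
  if [ -f /etc/audit/rules.d/cis-audit.rules ]; then
    if config_has '^-(a|w)[[:space:]]' /etc/audit/rules.d/cis-audit.rules; then
      pass_test
    else
      warn_test "AU.2: cis-audit.rules contains no -a/-w rules"
    fi
  else
    fail_test "AU.2: CIS audit rules not found"
  fi

  # CM.6: Automated monitoring
  log_test "CM.6: Ensure AIDE is configured for automated monitoring"
  if [ -f /etc/aide.conf ] && command -v aide >/dev/null 2>&1; then
    pass_test
  else
    fail_test "CM.6: AIDE not configured"
  fi

  # SC.8: Transmission confidentiality and integrity
  log_test "SC.8: Ensure WireGuard is configured for encrypted transmission"
  if [ -f /etc/wireguard/wg0.conf ]; then
    pass_test
  else
    warn_test "SC.8: WireGuard configuration not found (may be in overlay)"
  fi

  # SI.7: Software and firmware integrity checking
  log_test "SI.7: Ensure file integrity checking is scheduled"
  if systemctl is-enabled aide-check.timer >/dev/null 2>&1; then
    pass_test
  else
    warn_test "SI.7: AIDE check timer not enabled"
  fi
}

# ============================================================================
# SECURITY CONFIGURATION TESTS
# ============================================================================

test_security_config() {
  section "Security Configuration Tests"

  # Firewall configuration
  log_test "Ensure firewall rules are configured (WireGuard only)"
  if [ -f /etc/iptables/rules.v4 ]; then
    pass_test
  else
    warn_test "Firewall rules file not found (may be applied during boot)"
  fi

  # Kernel hardening (file presence; live values are checked in test_network)
  log_test "Ensure kernel hardening parameters are applied"
  if [ -f /etc/sysctl.d/99-cis-hardening.conf ]; then
    pass_test
  else
    fail_test "Kernel hardening configuration not found"
  fi

  # AppArmor status
  log_test "Ensure AppArmor is enabled"
  if systemctl is-active apparmor >/dev/null 2>&1 || [ -f /sys/kernel/security/apparmor/profiles ]; then
    pass_test
  else
    warn_test "AppArmor may not be enabled"
  fi

  # Core dumps disabled
  # Accept "<domain> hard core 0" from limits.conf or any limits.d drop-in,
  # ignoring commented-out lines.
  log_test "Ensure core dumps are disabled"
  if config_has '^[[:space:]]*[^#[:space:]]+[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' \
      /etc/security/limits.conf /etc/security/limits.d/*.conf; then
    pass_test
  else
    fail_test "Core dumps not disabled in limits.conf"
  fi

  # The ulimit alone does not stop setuid programs from dumping.
  log_test "Ensure setuid core dumps are disabled (fs.suid_dumpable)"
  if sysctl_equals fs.suid_dumpable 0; then
    pass_test
  else
    warn_test "fs.suid_dumpable is not 0"
  fi
}

# ============================================================================
# NETWORK ISOLATION TESTS
# ============================================================================

test_network_isolation() {
  section "Network Isolation Tests"

  # SSH disabled (Debian names the unit "ssh", others "sshd")
  log_test "Ensure SSH is disabled"
  if ! systemctl is-active sshd >/dev/null 2>&1 && ! systemctl is-active ssh >/dev/null 2>&1; then
    pass_test
  else
    fail_test "SSH is running (should be disabled)"
  fi

  # Telnet disabled
  log_test "Ensure Telnet is disabled"
  if ! command -v telnetd >/dev/null 2>&1; then
    pass_test
  else
    fail_test "Telnet server installed (should be removed)"
  fi

  # Bluetooth disabled
  log_test "Ensure Bluetooth is disabled"
  if systemctl is-active bluetooth 2>&1 | grep -q "inactive\|not found"; then
    pass_test
  else
    fail_test "Bluetooth is active (should be disabled)"
  fi

  # Wireless disabled
  log_test "Ensure wireless is disabled via kernel modules"
  if [ -f /etc/modprobe.d/disable-wireless.conf ]; then
    pass_test
  else
    fail_test "Wireless not disabled in modprobe.d"
  fi
}

# ============================================================================
# LOGGING AND MONITORING TESTS
# ============================================================================

test_logging() {
  section "Logging and Monitoring Tests"

  # Audit logs exist
  log_test "Ensure audit log directory exists"
  if [ -d /var/log/audit ]; then
    pass_test
  else
    fail_test "Audit log directory not found"
  fi

  # Security logs exist
  # The previous fallback "|| [ -d /var/log ]" made this test pass on every
  # system; accept the dedicated directory or Debian's auth.log instead.
  log_test "Ensure security log directory exists"
  if [ -d /var/log/security ] || [ -f /var/log/auth.log ]; then
    pass_test
  else
    warn_test "Security log directory not found"
  fi

  # Logrotate configured
  log_test "Ensure logrotate is configured for security logs"
  if [ -f /etc/logrotate.d/cis-logs ]; then
    pass_test
  else
    warn_test "CIS logrotate configuration not found"
  fi

  # Audit rules loaded (live kernel ruleset, needs root)
  log_test "Ensure audit rules are loaded"
  if ! command -v auditctl >/dev/null 2>&1; then
    skip_test "auditctl command not available"
  elif ! is_root; then
    skip_test "auditctl -l requires root"
  elif auditctl -l 2>/dev/null | grep -Eq '^-(a|w)[[:space:]]'; then
    pass_test
  else
    warn_test "Audit rules may not be loaded"
  fi
}

# ============================================================================
# COMPREHENSIVE COMPLIANCE VERIFICATION
# ============================================================================

# Prints rough inventory numbers. These are file-name heuristics, not a
# control-by-control mapping; they are informational only.
verify_compliance() {
  section "Compliance Verification Summary"

  echo "CIS Debian 13 Benchmark: Verifying implementation..."
  echo "CMMC Level 3: Verifying implementation..."
  echo "FedRAMP Moderate: Verifying implementation..."
  echo "NIST SP 800-171: Verifying implementation..."

  local cis_controls=180
  local cis_implemented kernel_params audit_rules logrotate_files enabled_units
  # "|| true": grep -c prints 0 AND exits 1 on no match; the original
  # "|| echo 0" then emitted a second "0", breaking the -gt test below.
  cis_implemented=$(find /etc \( -name "*.conf" -o -name "*.rules" \) 2>/dev/null \
    | grep -c "cis\|hardening" || true)
  kernel_params=$(grep -h "^[a-z]" /etc/sysctl.d/*.conf 2>/dev/null | wc -l)
  # Audit rule files are *.rules, not *.conf (the old glob always counted 0).
  audit_rules=$(grep -hE "^-(a|w)" /etc/audit/rules.d/*.rules 2>/dev/null | wc -l)
  logrotate_files=$(find /etc/logrotate.d -maxdepth 1 -type f 2>/dev/null | wc -l)
  enabled_units=$(systemctl list-unit-files --state=enabled --no-legend 2>/dev/null | wc -l)

  echo ""
  echo "Implementation Status:"
  echo " CIS Controls Configured: $cis_implemented / $cis_controls"
  echo " Kernel Parameters Applied: $kernel_params"
  echo " Audit Rules Defined: $audit_rules"
  echo " Log Files Configured: $logrotate_files"
  echo " Security Services Enabled: $enabled_units"
  echo ""

  if [ "$cis_implemented" -gt 10 ]; then
    echo -e "${GREEN}✓ CIS Benchmark implementation appears comprehensive${NC}"
  else
    echo -e "${YELLOW}⚠ CIS Benchmark implementation may be incomplete${NC}"
  fi
}

# ============================================================================
# GENERATE REPORT
# ============================================================================

generate_report() {
  section "TEST RESULTS SUMMARY"

  echo -e "Total Tests: $TOTAL_TESTS"
  echo -e "${GREEN}Passed: $PASSED_TESTS${NC}"
  echo -e "${RED}Failed: $FAILED_TESTS${NC}"
  echo -e "${YELLOW}Warnings: $WARNINGS${NC}"
  echo -e "${BLUE}Skipped: $SKIPPED_TESTS${NC}"
  echo ""

  # Calculate pass rate (integer percent; skips and warnings count against it)
  local pass_rate=0
  if [ "$TOTAL_TESTS" -gt 0 ]; then
    pass_rate=$((PASSED_TESTS * 100 / TOTAL_TESTS))
  fi
  echo "Pass Rate: $pass_rate%"
  echo ""

  # Display failed tests
  if [ "$FAILED_TESTS" -gt 0 ]; then
    echo -e "${RED}Failed Tests:${NC}"
    local test
    for test in "${FAILED_TESTS_LIST[@]}"; do
      echo -e " - $test"
    done
    echo ""
  fi

  # Display warnings
  if [ "$WARNINGS" -gt 0 ]; then
    echo -e "${YELLOW}Warnings:${NC}"
    local warning
    for warning in "${WARNING_LIST[@]}"; do
      echo -e " - $warning"
    done
    echo ""
  fi

  # Compliance status. A clean run means the automated spot checks passed;
  # it is not a compliance determination, so the wording says so.
  if [ "$FAILED_TESTS" -eq 0 ]; then
    echo -e "${GREEN}✓ ALL CRITICAL TESTS PASSED${NC}"
    echo ""
    echo "All automated checks passed for the controls this suite covers from:"
    echo " - CIS Debian 13 Benchmark"
    echo " - CMMC Level 3"
    echo " - FedRAMP Moderate"
    echo " - NIST SP 800-171"
    echo "Passing this suite is necessary but not sufficient evidence of compliance;"
    echo "review any warnings and skipped tests above."
  else
    echo -e "${RED}✗ SOME CRITICAL TESTS FAILED${NC}"
    echo ""
    echo "The system does not meet all compliance requirements."
    echo "Review failed tests and warnings above."
  fi
}

# ============================================================================
# MAIN EXECUTION
# ============================================================================

main() {
  echo "================================================"
  echo "Football Security and Compliance Test Suite"
  echo "================================================"
  echo ""

  # Check if running as root
  if ! is_root; then
    echo -e "${YELLOW}Warning: Running as non-root user. Some tests may fail.${NC}"
    echo "Run with sudo for complete results."
    echo ""
  fi

  # Run all test suites
  test_filesystems
  test_network
  test_auditing
  test_access_control
  test_maintenance
  test_compliance
  test_security_config
  test_network_isolation
  test_logging

  # Verify compliance
  verify_compliance

  # Generate report
  generate_report

  # Exit with appropriate code
  if [ "$FAILED_TESTS" -gt 0 ]; then
    exit 1
  else
    exit 0
  fi
}

# Run main function
main "$@"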