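#!/usr/bin/env bats
# Unit tests for security-hardening.sh
# Reference: PRD.md FR-001, FR-006, FR-007
#
# Scope: every check below is a static text match against the script's source.
# A passing run shows that the expected directive is written in the script; it
# does not show that the directive is applied on a running system. Runtime
# verification has to be covered by separate tests.

# Path of the script under test. Defaults to the original fixed location and
# can be overridden through the environment to run the suite elsewhere.
HARDENING_SCRIPT="${HARDENING_SCRIPT:-/workspace/src/security-hardening.sh}"

# Print the script without whole-line comments, so that a commented-out
# directive (e.g. "# PasswordAuthentication no") cannot satisfy an assertion.
active_lines() {
  grep -v '^[[:space:]]*#' -- "$HARDENING_SCRIPT"
}

# Succeed when the literal string $1 occurs on a non-comment line.
# -F keeps "()" and "." from being read as regex syntax. Output goes to
# /dev/null instead of using -q so the upstream grep is never cut off early.
script_has() {
  active_lines | grep -F -- "$1" >/dev/null
}

# Succeed when the extended regular expression $1 matches a non-comment line.
# ERE alternation ("a|b") replaces the GNU-only "\|" of basic regex.
script_matches() {
  active_lines | grep -E -- "$1" >/dev/null
}

@test "security-hardening.sh exists and is executable" {
  [ -f "$HARDENING_SCRIPT" ]
  [ -x "$HARDENING_SCRIPT" ]
}

# --- Wireless kernel module blacklists ---------------------------------------

@test "WiFi blacklist function exists" {
  script_has "create_wifi_blacklist()"
}

@test "WiFi blacklist includes cfg80211" {
  script_has "blacklist cfg80211"
}

@test "WiFi blacklist includes mac80211" {
  script_has "blacklist mac80211"
}

@test "Bluetooth blacklist function exists" {
  script_has "create_bluetooth_blacklist()"
}

@test "Bluetooth blacklist includes btusb" {
  script_has "blacklist btusb"
}

# --- SSH client ---------------------------------------------------------------

@test "SSH client configuration function exists" {
  script_has "configure_ssh_client()"
}

@test "SSH client disables password authentication" {
  script_has "PasswordAuthentication no"
}

@test "SSH client enables pubkey authentication" {
  script_has "PubkeyAuthentication yes"
}

# --- Password policy ----------------------------------------------------------

@test "Password policy function exists" {
  script_has "configure_password_policy()"
}

@test "Password policy requires 14 character minimum" {
  script_has "minlen = 14"
}

@test "Password policy requires digits" {
  script_has "dcredit = -1"
}

@test "Password policy requires uppercase" {
  script_has "ucredit = -1"
}

@test "Password policy requires lowercase" {
  script_has "lcredit = -1"
}

@test "Password policy requires special characters" {
  script_has "ocredit = -1"
}

@test "Password policy enforces complexity (enforcing=1)" {
  script_has "enforcing = 1"
}

# --- File integrity monitoring ------------------------------------------------

@test "FIM configuration function exists" {
  script_has "configure_fim()"
}

@test "FIM monitors /etc" {
  script_has "/etc SECURITY"
}

@test "FIM monitors /boot" {
  script_has "/boot SECURITY"
}

# Passes when either digest name appears; it does not require both.
@test "FIM uses SHA256/SHA512" {
  script_matches "sha256|sha512"
}

# --- System limits ------------------------------------------------------------

@test "System limits function exists" {
  script_has "configure_system_limits()"
}

@test "System limits disable core dumps" {
  script_has "hard core 0"
}

# --- Audit rules --------------------------------------------------------------

@test "Audit rules function exists" {
  script_has "configure_audit_rules()"
}

@test "Audit rules watch /etc/passwd" {
  script_matches "/etc/passwd.*-k identity"
}

@test "Audit rules watch /etc/shadow" {
  script_matches "/etc/shadow.*-k identity"
}

@test "Audit rules watch /etc/sudoers" {
  script_matches "/etc/sudoers.*-k privilege_escalation"
}

@test "Audit rules watch WireGuard config" {
  script_has "/etc/wireguard"
}

# Passes when either syscall name appears; it does not require both.
@test "Audit rules monitor module loading" {
  script_matches "init_module|delete_module"
}

# --- Entry point --------------------------------------------------------------

@test "apply_security_hardening function exists" {
  script_has "apply_security_hardening()"
}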