#!/usr/bin/env bats # Comprehensive security compliance tests # Add bats library to BATS_LIB_PATH load 'bats-support/load' load 'bats-assert/load' load 'bats-file/load' load '../test_helper/common.bash' setup() { export TEST_ROOT="${TEST_TEMP_DIR}/security" mkdir -p "${TEST_ROOT}" } @test "Security: Full Disk Encryption (FDE) is configured in preseed" { assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "crypto" assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "LUKS" } @test "Security: Encryption uses AES-256-XTS cipher" { assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "AES" assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "XTS" } @test "Security: Password policy enforces 14 character minimum" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/pwquality.conf" configure_password_policy "$test_output" assert_file_contains "$test_output" "minlen = 14" } @test "Security: Password policy requires all character classes" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/pwquality.conf" configure_password_policy "$test_output" assert_file_contains "$test_output" "dcredit = -1" assert_file_contains "$test_output" "ucredit = -1" assert_file_contains "$test_output" "lcredit = -1" assert_file_contains "$test_output" "ocredit = -1" } @test "Security: Password policy rejects common weak passwords" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/pwquality.conf" configure_password_policy "$test_output" assert_file_contains "$test_output" "badwords = password secret admin root" } @test "Security: Password policy has dictionary checking enabled" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/pwquality.conf" configure_password_policy "$test_output" assert_file_contains "$test_output" "dictcheck = 1" } @test "Security: Password policy rejects weak passwords for root" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/pwquality.conf" configure_password_policy "$test_output" assert_file_contains "$test_output" "enforcing = 1" } @test "Security: WiFi is permanently disabled" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/blacklist-wifi.conf" create_wifi_blacklist "$test_output" assert_file_contains "$test_output" "blacklist cfg80211" assert_file_contains "$test_output" "blacklist mac80211" } @test "Security: Bluetooth is permanently disabled" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/blacklist-bluetooth.conf" create_bluetooth_blacklist "$test_output" assert_file_contains "$test_output" "blacklist btusb" assert_file_contains "$test_output" "blacklist bluetooth" } @test "Security: SSH disallows root login" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "PermitRootLogin no" } @test "Security: SSH has maximum authentication tries" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "MaxAuthTries 3" } @test "Security: SSH has client alive settings" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "ClientAliveInterval 300" assert_file_contains "$test_output" "ClientAliveCountMax 2" } @test "Security: Firewall blocks inbound traffic by default" { source "${PROJECT_ROOT}/src/firewall-setup.sh" local test_output="${TEST_ROOT}/firewall.rules" configure_nftables "$test_output" assert_file_contains "$test_output" "policy input drop" } @test "Security: Firewall allows outbound traffic" { source "${PROJECT_ROOT}/src/firewall-setup.sh" local test_output="${TEST_ROOT}/firewall.rules" configure_nftables "$test_output" assert_file_contains "$test_output" "policy output accept" } @test "Security: Firewall allows SSH inbound" { source "${PROJECT_ROOT}/src/firewall-setup.sh" local test_output="${TEST_ROOT}/firewall.rules" configure_nftables "$test_output" assert_file_contains "$test_output" "tcp dport 22" } @test "Security: Firewall allows WireGuard" { source "${PROJECT_ROOT}/src/firewall-setup.sh" local test_output="${TEST_ROOT}/firewall.rules" configure_nftables "$test_output" assert_file_contains "$test_output" "udp dport 51820" } @test "Security: Encryption setup hook exists" { assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh" assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh" ] } @test "Security: Encryption validation hook exists" { assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh" assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh" ] } @test "Security: cryptsetup is included in packages" { assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup" } @test "Security: cryptsetup-initramfs is included in packages" { assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup-initramfs" } @test "Security: pam-pwquality is included in packages" { assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "libpam-pwquality" } @test "Security: dmsetup is included in preseed packages" { assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "dmsetup" } @test "Security: nftables is included in packages" { assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "nftables" } @test "Security: WireGuard is included in packages" { assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "wireguard" } @test "Security: No plain-text passwords in configuration files" { skip "Manual review required - check for passwords in config files" } @test "Security: SSH uses protocol 2 only" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "Protocol 2" } @test "Security: SSH disallows empty passwords" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "PermitEmptyPasswords no" } @test "Security: SSH disables challenge-response authentication" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "ChallengeResponseAuthentication no" } @test "Security: SSH disables X11 forwarding" { source "${PROJECT_ROOT}/src/security-hardening.sh" local test_output="${TEST_ROOT}/sshd_config" configure_ssh "$test_output" assert_file_contains "$test_output" "X11Forwarding no" }