#!/usr/bin/env bats # Behavioral tests for security-hardening.sh functions # Reference: PRD FR-005, FR-006, FR-007 setup() { export TEST_TMPDIR=$(mktemp -d) } teardown() { rm -rf "$TEST_TMPDIR" } # ============================================================================= # WiFi Blacklist - PRD FR-005 # ============================================================================= @test "create_wifi_blacklist generates file with correct content" { source /workspace/src/security-hardening.sh create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf" [ -f "$TEST_TMPDIR/blacklist-wifi.conf" ] grep -q "blacklist cfg80211" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "blacklist mac80211" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "blacklist iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "blacklist brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf" } @test "WiFi blacklist includes PRD-specified driver families" { source /workspace/src/security-hardening.sh create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "rtl8" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "ath9k" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "mwifiex" "$TEST_TMPDIR/blacklist-wifi.conf" grep -q "rt2x00" "$TEST_TMPDIR/blacklist-wifi.conf" } @test "create_wifi_blacklist outputs completion message" { source /workspace/src/security-hardening.sh run create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf" [ "$status" -eq 0 ] [[ "$output" == *"created at"* ]] } # ============================================================================= # Bluetooth Blacklist - PRD FR-005 # ============================================================================= @test "create_bluetooth_blacklist generates file with correct content" { source /workspace/src/security-hardening.sh create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf" [ -f "$TEST_TMPDIR/blacklist-bt.conf" ] grep -q "blacklist btusb" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist bluetooth" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist btrtl" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist btintel" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist btbcm" "$TEST_TMPDIR/blacklist-bt.conf" } @test "Bluetooth blacklist includes additional modules (bnep, rfcomm, hidp)" { source /workspace/src/security-hardening.sh create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist bnep" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist rfcomm" "$TEST_TMPDIR/blacklist-bt.conf" grep -q "blacklist hidp" "$TEST_TMPDIR/blacklist-bt.conf" } # ============================================================================= # SSH Client Config - PRD FR-006 # ============================================================================= @test "configure_ssh_client generates correct ssh_config" { source /workspace/src/security-hardening.sh configure_ssh_client "$TEST_TMPDIR/ssh_config" [ -f "$TEST_TMPDIR/ssh_config" ] grep -q "PasswordAuthentication no" "$TEST_TMPDIR/ssh_config" grep -q "PubkeyAuthentication yes" "$TEST_TMPDIR/ssh_config" } @test "SSH client uses modern key exchange algorithms" { source /workspace/src/security-hardening.sh configure_ssh_client "$TEST_TMPDIR/ssh_config" grep -q "KexAlgorithms" "$TEST_TMPDIR/ssh_config" grep -q "curve25519-sha256" "$TEST_TMPDIR/ssh_config" } @test "SSH client uses modern ciphers" { source /workspace/src/security-hardening.sh configure_ssh_client "$TEST_TMPDIR/ssh_config" grep -q "Ciphers" "$TEST_TMPDIR/ssh_config" grep -q "chacha20-poly1305" "$TEST_TMPDIR/ssh_config" } @test "SSH client enables strict host key checking" { source /workspace/src/security-hardening.sh configure_ssh_client "$TEST_TMPDIR/ssh_config" grep -q "StrictHostKeyChecking yes" "$TEST_TMPDIR/ssh_config" } # ============================================================================= # Password Policy - PRD FR-007 # ============================================================================= @test "configure_password_policy generates correct pwquality.conf" { source /workspace/src/security-hardening.sh configure_password_policy "$TEST_TMPDIR/pwquality.conf" [ -f "$TEST_TMPDIR/pwquality.conf" ] grep -q "minlen = 14" "$TEST_TMPDIR/pwquality.conf" grep -q "dcredit = -1" "$TEST_TMPDIR/pwquality.conf" grep -q "ucredit = -1" "$TEST_TMPDIR/pwquality.conf" grep -q "lcredit = -1" "$TEST_TMPDIR/pwquality.conf" grep -q "ocredit = -1" "$TEST_TMPDIR/pwquality.conf" } @test "Password policy requires 3 of 4 character classes" { source /workspace/src/security-hardening.sh configure_password_policy "$TEST_TMPDIR/pwquality.conf" grep -q "minclass = 3" "$TEST_TMPDIR/pwquality.conf" } @test "Password policy enforces complexity (enforcing=1)" { source /workspace/src/security-hardening.sh configure_password_policy "$TEST_TMPDIR/pwquality.conf" grep -q "enforcing = 1" "$TEST_TMPDIR/pwquality.conf" } @test "Password policy rejects common bad words" { source /workspace/src/security-hardening.sh configure_password_policy "$TEST_TMPDIR/pwquality.conf" grep -q "badwords" "$TEST_TMPDIR/pwquality.conf" } # ============================================================================= # FIM (AIDE) - CIS 1.4 # ============================================================================= @test "configure_fim generates valid AIDE config" { source /workspace/src/security-hardening.sh configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db" [ -f "$TEST_TMPDIR/aide.conf" ] grep -q "SECURITY = " "$TEST_TMPDIR/aide.conf" grep -q "/etc SECURITY" "$TEST_TMPDIR/aide.conf" grep -q "/boot SECURITY" "$TEST_TMPDIR/aide.conf" grep -q "/usr SECURITY" "$TEST_TMPDIR/aide.conf" } @test "FIM config excludes volatile paths" { source /workspace/src/security-hardening.sh configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db" grep -q "!/proc" "$TEST_TMPDIR/aide.conf" grep -q "!/sys" "$TEST_TMPDIR/aide.conf" grep -q "!/dev" "$TEST_TMPDIR/aide.conf" grep -q "!/tmp" "$TEST_TMPDIR/aide.conf" } # ============================================================================= # System Limits - PRD FR-007 # ============================================================================= @test "configure_system_limits disables core dumps" { source /workspace/src/security-hardening.sh configure_system_limits "$TEST_TMPDIR/limits.conf" [ -f "$TEST_TMPDIR/limits.conf" ] grep -q "hard core 0" "$TEST_TMPDIR/limits.conf" } # ============================================================================= # Audit Rules - CIS 6.2, FedRAMP AU-2 # ============================================================================= @test "configure_audit_rules generates comprehensive audit config" { source /workspace/src/security-hardening.sh configure_audit_rules "$TEST_TMPDIR/audit.rules" [ -f "$TEST_TMPDIR/audit.rules" ] grep -q "/etc/passwd" "$TEST_TMPDIR/audit.rules" grep -q "/etc/shadow" "$TEST_TMPDIR/audit.rules" grep -q "/etc/sudoers" "$TEST_TMPDIR/audit.rules" grep -q "/etc/wireguard/" "$TEST_TMPDIR/audit.rules" grep -q "init_module" "$TEST_TMPDIR/audit.rules" } @test "Audit rules monitor privilege escalation" { source /workspace/src/security-hardening.sh configure_audit_rules "$TEST_TMPDIR/audit.rules" grep -q "privilege_escalation" "$TEST_TMPDIR/audit.rules" } @test "Audit rules monitor network configuration" { source /workspace/src/security-hardening.sh configure_audit_rules "$TEST_TMPDIR/audit.rules" grep -q "network_config" "$TEST_TMPDIR/audit.rules" } # ============================================================================= # apply_security_hardening - PRD FR-007 # ============================================================================= @test "apply_security_hardening calls all config functions" { grep -q "create_wifi_blacklist" /workspace/src/security-hardening.sh grep -q "create_bluetooth_blacklist" /workspace/src/security-hardening.sh grep -q "configure_ssh" /workspace/src/security-hardening.sh grep -q "configure_password_policy" /workspace/src/security-hardening.sh grep -q "configure_system_limits" /workspace/src/security-hardening.sh grep -q "configure_audit_rules" /workspace/src/security-hardening.sh } # ============================================================================= # Script Structure # ============================================================================= @test "security-hardening.sh uses strict mode" { head -5 /workspace/src/security-hardening.sh | grep -q "set -euo pipefail" } @test "security-hardening.sh is executable" { [ -x "/workspace/src/security-hardening.sh" ] } @test "security-hardening.sh has valid bash syntax" { run bash -n /workspace/src/security-hardening.sh [ "$status" -eq 0 ] } @test "security-hardening.sh runs main when executed directly" { grep -q 'BASH_SOURCE\[0\]' /workspace/src/security-hardening.sh }