football/tests/unit/security-hardening_test.bats

#!/usr/bin/env bats
# Unit tests for security-hardening.sh
# Reference: PRD.md FR-001, FR-006, FR-007

@test "security-hardening.sh exists and is executable" {
    [ -f "/workspace/src/security-hardening.sh" ]
    [ -x "/workspace/src/security-hardening.sh" ]
}

@test "WiFi blacklist function exists" {
    grep -q "create_wifi_blacklist()" /workspace/src/security-hardening.sh
}

@test "WiFi blacklist includes cfg80211" {
    grep -q "blacklist cfg80211" /workspace/src/security-hardening.sh
}

@test "WiFi blacklist includes mac80211" {
    grep -q "blacklist mac80211" /workspace/src/security-hardening.sh
}

@test "Bluetooth blacklist function exists" {
    grep -q "create_bluetooth_blacklist()" /workspace/src/security-hardening.sh
}

@test "Bluetooth blacklist includes btusb" {
    grep -q "blacklist btusb" /workspace/src/security-hardening.sh
}

@test "SSH client configuration function exists" {
    grep -q "configure_ssh_client()" /workspace/src/security-hardening.sh
}

@test "SSH client disables password authentication" {
    grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
}

@test "SSH client enables pubkey authentication" {
    grep -q "PubkeyAuthentication yes" /workspace/src/security-hardening.sh
}

@test "Password policy function exists" {
    grep -q "configure_password_policy()" /workspace/src/security-hardening.sh
}

@test "Password policy requires 14 character minimum" {
    grep -q "minlen = 14" /workspace/src/security-hardening.sh
}

@test "Password policy requires digits" {
    grep -q "dcredit = -1" /workspace/src/security-hardening.sh
}

@test "Password policy requires uppercase" {
    grep -q "ucredit = -1" /workspace/src/security-hardening.sh
}

@test "Password policy requires lowercase" {
    grep -q "lcredit = -1" /workspace/src/security-hardening.sh
}

@test "Password policy requires special characters" {
    grep -q "ocredit = -1" /workspace/src/security-hardening.sh
}

@test "Password policy enforces complexity (enforcing=1)" {
    grep -q "enforcing = 1" /workspace/src/security-hardening.sh
}

@test "FIM configuration function exists" {
    grep -q "configure_fim()" /workspace/src/security-hardening.sh
}

@test "FIM monitors /etc" {
    grep -q "/etc SECURITY" /workspace/src/security-hardening.sh
}

@test "FIM monitors /boot" {
    grep -q "/boot SECURITY" /workspace/src/security-hardening.sh
}

@test "FIM uses SHA256/SHA512" {
    grep -q "sha256\|sha512" /workspace/src/security-hardening.sh
}

@test "System limits function exists" {
    grep -q "configure_system_limits()" /workspace/src/security-hardening.sh
}

@test "System limits disable core dumps" {
    grep -q "hard core 0" /workspace/src/security-hardening.sh
}

@test "Audit rules function exists" {
    grep -q "configure_audit_rules()" /workspace/src/security-hardening.sh
}

@test "Audit rules watch /etc/passwd" {
    grep -q "/etc/passwd.*-k identity" /workspace/src/security-hardening.sh
}

@test "Audit rules watch /etc/shadow" {
    grep -q "/etc/shadow.*-k identity" /workspace/src/security-hardening.sh
}

@test "Audit rules watch /etc/sudoers" {
    grep -q "/etc/sudoers.*-k privilege_escalation" /workspace/src/security-hardening.sh
}

@test "Audit rules watch WireGuard config" {
    grep -q "/etc/wireguard" /workspace/src/security-hardening.sh
}

@test "Audit rules monitor module loading" {
    grep -q "init_module\|delete_module" /workspace/src/security-hardening.sh
}

@test "apply_security_hardening function exists" {
    grep -q "apply_security_hardening()" /workspace/src/security-hardening.sh
}