KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3b331d960bad7d9b9ea0b9487993299efb199137
football/tests/unit/security-hardening_comprehensive_test.bats
reachableceo 62d20604a6 fix: resolve critical build bugs and add missing PRD requirements 
Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00

227 lines
9.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
# Behavioral tests for security-hardening.sh functions
# Reference: PRD FR-005, FR-006, FR-007
setup() {
export TEST_TMPDIR=$(mktemp -d)
}
teardown() {
rm -rf "$TEST_TMPDIR"
}
# =============================================================================
# WiFi Blacklist - PRD FR-005
# =============================================================================
@test "create_wifi_blacklist generates file with correct content" {
source /workspace/src/security-hardening.sh
create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
[ -f "$TEST_TMPDIR/blacklist-wifi.conf" ]
grep -q "blacklist cfg80211" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "blacklist mac80211" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "blacklist iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "blacklist brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
}
@test "WiFi blacklist includes PRD-specified driver families" {
source /workspace/src/security-hardening.sh
create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "rtl8" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "iwlwifi" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "ath9k" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "brcmfmac" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "mwifiex" "$TEST_TMPDIR/blacklist-wifi.conf"
grep -q "rt2x00" "$TEST_TMPDIR/blacklist-wifi.conf"
}
@test "create_wifi_blacklist outputs completion message" {
source /workspace/src/security-hardening.sh
run create_wifi_blacklist "$TEST_TMPDIR/blacklist-wifi.conf"
[ "$status" -eq 0 ]
[[ "$output" == *"created at"* ]]
}
# =============================================================================
# Bluetooth Blacklist - PRD FR-005
# =============================================================================
@test "create_bluetooth_blacklist generates file with correct content" {
source /workspace/src/security-hardening.sh
create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
[ -f "$TEST_TMPDIR/blacklist-bt.conf" ]
grep -q "blacklist btusb" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist bluetooth" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist btrtl" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist btintel" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist btbcm" "$TEST_TMPDIR/blacklist-bt.conf"
}
@test "Bluetooth blacklist includes additional modules (bnep, rfcomm, hidp)" {
source /workspace/src/security-hardening.sh
create_bluetooth_blacklist "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist bnep" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist rfcomm" "$TEST_TMPDIR/blacklist-bt.conf"
grep -q "blacklist hidp" "$TEST_TMPDIR/blacklist-bt.conf"
}
# =============================================================================
# SSH Client Config - PRD FR-006
# =============================================================================
@test "configure_ssh_client generates correct ssh_config" {
source /workspace/src/security-hardening.sh
configure_ssh_client "$TEST_TMPDIR/ssh_config"
[ -f "$TEST_TMPDIR/ssh_config" ]
grep -q "PasswordAuthentication no" "$TEST_TMPDIR/ssh_config"
grep -q "PubkeyAuthentication yes" "$TEST_TMPDIR/ssh_config"
}
@test "SSH client uses modern key exchange algorithms" {
source /workspace/src/security-hardening.sh
configure_ssh_client "$TEST_TMPDIR/ssh_config"
grep -q "KexAlgorithms" "$TEST_TMPDIR/ssh_config"
grep -q "curve25519-sha256" "$TEST_TMPDIR/ssh_config"
}
@test "SSH client uses modern ciphers" {
source /workspace/src/security-hardening.sh
configure_ssh_client "$TEST_TMPDIR/ssh_config"
grep -q "Ciphers" "$TEST_TMPDIR/ssh_config"
grep -q "chacha20-poly1305" "$TEST_TMPDIR/ssh_config"
}
@test "SSH client enables strict host key checking" {
source /workspace/src/security-hardening.sh
configure_ssh_client "$TEST_TMPDIR/ssh_config"
grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config"
}
# =============================================================================
# Password Policy - PRD FR-007
# =============================================================================
@test "configure_password_policy generates correct pwquality.conf" {
source /workspace/src/security-hardening.sh
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
[ -f "$TEST_TMPDIR/pwquality.conf" ]
grep -q "minlen = 14" "$TEST_TMPDIR/pwquality.conf"
grep -q "dcredit = -1" "$TEST_TMPDIR/pwquality.conf"
grep -q "ucredit = -1" "$TEST_TMPDIR/pwquality.conf"
grep -q "lcredit = -1" "$TEST_TMPDIR/pwquality.conf"
grep -q "ocredit = -1" "$TEST_TMPDIR/pwquality.conf"
}
@test "Password policy requires 3 of 4 character classes" {
source /workspace/src/security-hardening.sh
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
grep -q "minclass = 3" "$TEST_TMPDIR/pwquality.conf"
}
@test "Password policy enforces complexity (enforcing=1)" {
source /workspace/src/security-hardening.sh
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
grep -q "enforcing = 1" "$TEST_TMPDIR/pwquality.conf"
}
@test "Password policy rejects common bad words" {
source /workspace/src/security-hardening.sh
configure_password_policy "$TEST_TMPDIR/pwquality.conf"
grep -q "badwords" "$TEST_TMPDIR/pwquality.conf"
}
# =============================================================================
# FIM (AIDE) - CIS 1.4
# =============================================================================
@test "configure_fim generates valid AIDE config" {
source /workspace/src/security-hardening.sh
configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
[ -f "$TEST_TMPDIR/aide.conf" ]
grep -q "SECURITY = " "$TEST_TMPDIR/aide.conf"
grep -q "/etc SECURITY" "$TEST_TMPDIR/aide.conf"
grep -q "/boot SECURITY" "$TEST_TMPDIR/aide.conf"
grep -q "/usr SECURITY" "$TEST_TMPDIR/aide.conf"
}
@test "FIM config excludes volatile paths" {
source /workspace/src/security-hardening.sh
configure_fim "$TEST_TMPDIR/aide.conf" "$TEST_TMPDIR/aide.db"
grep -q "!/proc" "$TEST_TMPDIR/aide.conf"
grep -q "!/sys" "$TEST_TMPDIR/aide.conf"
grep -q "!/dev" "$TEST_TMPDIR/aide.conf"
grep -q "!/tmp" "$TEST_TMPDIR/aide.conf"
}
# =============================================================================
# System Limits - PRD FR-007
# =============================================================================
@test "configure_system_limits disables core dumps" {
source /workspace/src/security-hardening.sh
configure_system_limits "$TEST_TMPDIR/limits.conf"
[ -f "$TEST_TMPDIR/limits.conf" ]
grep -q "hard core 0" "$TEST_TMPDIR/limits.conf"
}
# =============================================================================
# Audit Rules - CIS 6.2, FedRAMP AU-2
# =============================================================================
@test "configure_audit_rules generates comprehensive audit config" {
source /workspace/src/security-hardening.sh
configure_audit_rules "$TEST_TMPDIR/audit.rules"
[ -f "$TEST_TMPDIR/audit.rules" ]
grep -q "/etc/passwd" "$TEST_TMPDIR/audit.rules"
grep -q "/etc/shadow" "$TEST_TMPDIR/audit.rules"
grep -q "/etc/sudoers" "$TEST_TMPDIR/audit.rules"
grep -q "/etc/wireguard/" "$TEST_TMPDIR/audit.rules"
grep -q "init_module" "$TEST_TMPDIR/audit.rules"
}
@test "Audit rules monitor privilege escalation" {
source /workspace/src/security-hardening.sh
configure_audit_rules "$TEST_TMPDIR/audit.rules"
grep -q "privilege_escalation" "$TEST_TMPDIR/audit.rules"
}
@test "Audit rules monitor network configuration" {
source /workspace/src/security-hardening.sh
configure_audit_rules "$TEST_TMPDIR/audit.rules"
grep -q "network_config" "$TEST_TMPDIR/audit.rules"
}
# =============================================================================
# apply_security_hardening - PRD FR-007
# =============================================================================
@test "apply_security_hardening calls all config functions" {
grep -q "create_wifi_blacklist" /workspace/src/security-hardening.sh
grep -q "create_bluetooth_blacklist" /workspace/src/security-hardening.sh
grep -q "configure_ssh" /workspace/src/security-hardening.sh
grep -q "configure_password_policy" /workspace/src/security-hardening.sh
grep -q "configure_system_limits" /workspace/src/security-hardening.sh
grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
}
# =============================================================================
# Script Structure
# =============================================================================
@test "security-hardening.sh uses strict mode" {
head -5 /workspace/src/security-hardening.sh | grep -q "set -euo pipefail"
}
@test "security-hardening.sh is executable" {
[ -x "/workspace/src/security-hardening.sh" ]
}
@test "security-hardening.sh has valid bash syntax" {
run bash -n /workspace/src/security-hardening.sh
[ "$status" -eq 0 ]
}
@test "security-hardening.sh runs main when executed directly" {
grep -q 'BASH_SOURCE\[0\]' /workspace/src/security-hardening.sh
}
Reference in New Issue View Git Blame Copy Permalink