KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59c96113fd299fb49c7d199a6794ccda7a438493
football/tests/security/compliance_comprehensive_test.bats
Charles N Wyble 0807611efe feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC 
Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-17 12:24:30 -05:00

165 lines
5.0 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
# Comprehensive security compliance tests
# Reference: CIS Benchmark, FedRAMP, CMMC
@test "Full Disk Encryption configured" {
grep -q "crypto" /workspace/config/preseed.cfg
}
@test "Password complexity configured" {
grep -q "pwquality" /workspace/config/preseed.cfg
}
@test "WiFi blacklisted" {
grep -q "cfg80211" /workspace/src/security-hardening.sh
}
@test "Bluetooth blacklisted" {
grep -q "btusb" /workspace/src/security-hardening.sh
}
@test "Firewall configured" {
grep -q "nftables" /workspace/config/package-lists/knel-football.list.chroot
}
# FR-006: SSH Access - Client Only (no inbound services)
@test "SSH client only (no server)" {
! grep -q "openssh-server" /workspace/config/package-lists/knel-football.list.chroot
}
@test "SSH client installed" {
grep -q "openssh-client" /workspace/config/package-lists/knel-football.list.chroot
}
@test "SSH client configuration exists" {
grep -q "configure_ssh_client" /workspace/src/security-hardening.sh
}
@test "SSH client disables password auth" {
grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
}
# CIS 1.4 - File Integrity Monitoring (FIM)
@test "CIS 1.4/FedRAMP AU-7/CMMC AU.3.059: AIDE package installed" {
grep -q "aide" /workspace/config/package-lists/knel-football.list.chroot
}
@test "CIS 1.4: FIM configuration function exists" {
grep -q "configure_fim" /workspace/src/security-hardening.sh
}
@test "CIS 1.4: FIM monitors /etc" {
grep -q "/etc SECURITY" /workspace/src/security-hardening.sh
}
@test "CIS 1.4: FIM monitors /boot" {
grep -q "/boot SECURITY" /workspace/src/security-hardening.sh
}
@test "CIS 1.4: FIM monitors /usr" {
grep -q "/usr SECURITY" /workspace/src/security-hardening.sh
}
@test "CIS 1.4: FIM uses SHA256/SHA512" {
grep -q "sha256\|sha512" /workspace/src/security-hardening.sh
}
# CIS 5.3 - System Resource Limits
@test "CIS 5.3: System resource limits configured" {
grep -q "hard core 0" /workspace/src/security-hardening.sh
}
@test "CIS 5.3: Process limits configured" {
grep -q "nproc" /workspace/src/security-hardening.sh
}
# CIS 6.2 - Audit Configuration (Comprehensive)
@test "CIS 6.2/FedRAMP AU-2/CMMC AU.2.042: Audit daemon installed" {
grep -q "auditd" /workspace/config/package-lists/knel-football.list.chroot
}
@test "CIS 6.2: Audit rules function exists" {
grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches /etc/passwd" {
grep -q "/etc/passwd.*-k identity" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches /etc/shadow" {
grep -q "/etc/shadow.*-k identity" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches /etc/sudoers" {
grep -q "/etc/sudoers.*-k privilege" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches authentication files" {
grep -q "/etc/pam.d" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches network config" {
grep -q "/etc/hosts" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches WireGuard config" {
grep -q "/etc/wireguard" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches boot configuration" {
grep -q "/boot/" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit watches kernel modules" {
grep -q "init_module\|delete_module" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit monitors privilege escalation" {
grep -q "/usr/bin/sudo.*-k privilege" /workspace/src/security-hardening.sh
}
@test "CIS 6.2: Audit monitors password changes" {
grep -q "/usr/bin/passwd" /workspace/src/security-hardening.sh
}
# CIS 2.1 - Package Management Disabled
@test "CIS 2.1: Package management disable script exists" {
[ -f "/workspace/config/hooks/installed/disable-package-management.sh" ]
}
@test "CIS 2.1: Package management disables apt" {
grep -q "chmod -x.*apt" /workspace/config/hooks/installed/disable-package-management.sh
}
@test "CIS 2.1: Package management disables dpkg" {
grep -q "chmod -x.*dpkg" /workspace/config/hooks/installed/disable-package-management.sh
}
@test "CIS 2.1: Package management makes tools immutable" {
grep -q "chattr +i" /workspace/config/hooks/installed/disable-package-management.sh
}
# CIS 5.4 - Sudo Configuration
@test "CIS 5.4: Sudo package installed" {
grep -q "sudo" /workspace/config/package-lists/knel-football.list.chroot
}
# Network Security - WireGuard
@test "WireGuard installed for VPN access" {
grep -q "wireguard" /workspace/config/package-lists/knel-football.list.chroot
}
@test "Remmina RDP client installed" {
grep -q "remmina" /workspace/config/package-lists/knel-football.list.chroot
}
# CIS 5.7 - Display Manager Privacy
@test "CIS 5.7: Display manager privacy configured" {
grep -q "greeter-hide-users\|hide-users" /workspace/config/hooks/live/desktop-environment.sh
}
@test "CIS 5.7: No auto-login configured" {
grep -q "autologin-user=\|auto-login" /workspace/config/hooks/live/desktop-environment.sh || \
grep -q "# autologin" /workspace/config/hooks/live/desktop-environment.sh
}
Reference in New Issue View Git Blame Copy Permalink