KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c1505a994069a00dc049534b2f3c73da364c93ae
football/tests/unit/security-hardening_test.bats
ReachableCEO c1505a9940 chore: remove obsolete scripts and clean project structure 
Remove obsolete script files that are no longer needed. Root run.sh has all functionality. Clean src/ directory to only contain necessary source scripts.

Deleted files:
- bin/cleanup.sh (functionality in run.sh)
- bin/docker-manage.sh (functionality in run.sh)
- lib/docker.sh (not used, deleted)
- src/build.sh (obsolete, not referenced)
- src/run.sh (obsolete, duplicate of root run.sh)
- src/run-new.sh (broken, references deleted lib/docker.sh)
- plan/PreFlightDiscussion-*.md (planning docs no longer needed)

Modified files:
- .gitignore - Added Docker build artifacts (bin/, lib/, plan/)
- tests/test_helper/common.bash - Fixed for standalone execution

Current src/ directory (essential scripts only):
- build-iso.sh - ISO build orchestration
- firewall-setup.sh - Firewall configuration
- security-hardening.sh - Security hardening functions

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 12:42:51 -05:00

149 lines
5.0 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
# Comprehensive unit tests for security-hardening.sh (100% coverage)
# Add bats library to BATS_LIB_PATH
setup() {
export TEST_ROOT="${TEST_TEMP_DIR}/security-hardening"
mkdir -p "${TEST_ROOT}"
}
@test "security-hardening.sh exists and is executable" {
assert_file_exists "${PROJECT_ROOT}/src/security-hardening.sh"
assert [ -x "${PROJECT_ROOT}/src/security-hardening.sh" ]
}
@test "create_wifi_blacklist creates correct configuration" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/blacklist-wifi.conf"
create_wifi_blacklist "$test_output"
assert_file_exists "$test_output"
assert_file_contains "$test_output" "blacklist cfg80211"
assert_file_contains "$test_output" "blacklist mac80211"
assert_file_contains "$test_output" "blacklist brcmfmac"
assert_file_contains "$test_output" "blacklist iwlwifi"
assert_file_contains "$test_output" "blacklist ath9k"
assert_file_contains "$test_output" "blacklist rt73usb"
}
@test "create_bluetooth_blacklist creates correct configuration" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/blacklist-bluetooth.conf"
create_bluetooth_blacklist "$test_output"
assert_file_exists "$test_output"
assert_file_contains "$test_output" "blacklist btusb"
assert_file_contains "$test_output" "blacklist bluetooth"
assert_file_contains "$test_output" "blacklist btrtl"
assert_file_contains "$test_output" "blacklist btintel"
assert_file_contains "$test_output" "blacklist btbcm"
}
@test "configure_ssh creates secure configuration" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/sshd_config"
configure_ssh "$test_output"
assert_file_exists "$test_output"
assert_file_contains "$test_output" "Protocol 2"
assert_file_contains "$test_output" "PermitRootLogin no"
assert_file_contains "$test_output" "PasswordAuthentication yes"
assert_file_contains "$test_output" "PubkeyAuthentication yes"
assert_file_contains "$test_output" "PermitEmptyPasswords no"
assert_file_contains "$test_output" "ChallengeResponseAuthentication no"
assert_file_contains "$test_output" "X11Forwarding no"
assert_file_contains "$test_output" "MaxAuthTries 3"
assert_file_contains "$test_output" "ClientAliveInterval 300"
assert_file_contains "$test_output" "ClientAliveCountMax 2"
}
@test "configure_password_policy creates secure policy" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/pwquality.conf"
configure_password_policy "$test_output"
assert_file_exists "$test_output"
# Minimum length
assert_file_contains "$test_output" "minlen = 14"
# Character class requirements
assert_file_contains "$test_output" "dcredit = -1"
assert_file_contains "$test_output" "ucredit = -1"
assert_file_contains "$test_output" "lcredit = -1"
assert_file_contains "$test_output" "ocredit = -1"
# Complexity requirements
assert_file_contains "$test_output" "difok = 4"
assert_file_contains "$test_output" "maxrepeat = 2"
assert_file_contains "$test_output" "maxclassrepeat = 2"
assert_file_contains "$test_output" "maxsequence = 2"
# Security checks
assert_file_contains "$test_output" "usercheck = 1"
assert_file_contains "$test_output" "dictcheck = 1"
assert_file_contains "$test_output" "gecoscheck = 1"
assert_file_contains "$test_output" "enforcing = 1"
# Bad words
assert_file_contains "$test_output" "badwords = password secret admin root knel football tier0"
# Minimum character classes
assert_file_contains "$test_output" "minclass = 3"
}
@test "configure_auditd creates audit configuration" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/auditd.conf"
configure_auditd "$test_output"
assert_file_exists "$test_output"
}
@test "configure_limits creates resource limits" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/limits.conf"
configure_limits "$test_output"
assert_file_exists "$test_output"
assert_file_contains "$test_output" "* soft core 0"
}
@test "configure_sysctl creates kernel hardening" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
local test_output="${TEST_ROOT}/99-security.conf"
configure_sysctl "$test_output"
assert_file_exists "$test_output"
}
@test "security-hardening.sh script is valid bash" {
run bash -n "${PROJECT_ROOT}/src/security-hardening.sh"
assert_success
}
@test "all functions are callable without error" {
source "${PROJECT_ROOT}/src/security-hardening.sh"
run create_wifi_blacklist "${TEST_ROOT}/test-wifi.conf"
assert_success
run create_bluetooth_blacklist "${TEST_ROOT}/test-bt.conf"
assert_success
run configure_ssh "${TEST_ROOT}/test-ssh.conf"
assert_success
run configure_password_policy "${TEST_ROOT}/test-pw.conf"
assert_success
}
Reference in New Issue View Git Blame Copy Permalink