From 3407580422fbc96c1d25ee337e98b7fe27ee46a6 Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 23:55:14 -0500 Subject: [PATCH] BUG FIX #16: Missing error handling for critical system file backups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ISSUE: Two locations in the code attempt to backup critical CSF (ConfigServer Firewall) configuration files WITHOUT verifying the backup succeeds. If the backup fails, the original file is still modified, risking data loss. ROOT CAUSE: Lines 1805 and 1861: ``` cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S) # ... then immediately modify the original file ``` If cp fails (no write permission, full disk, /etc/csf inaccessible, etc.), bash continues to next command due to lack of error checking. Original file is then modified WITHOUT a backup. FAILURE SCENARIOS: 1. SYNFLOOD Protection Enablement (line 1805-1808): - cp fails due to permission denied - SYNFLOOD = "1" is still written to /etc/csf/csf.conf - No backup exists if something goes wrong - sed -i modifies original without safety net 2. SSH Hardening (line 1861-1864): - cp fails due to disk full - LF_SSHD = "3" is still written - No recovery mechanism if config becomes corrupt IMPACT: - HIGH: If any sed modification causes syntax error, config is corrupted with no backup to restore - CSF service might fail to start - Firewall rules become non-functional - Manual intervention required on production server - No audit trail of what the original value was FIX: Add explicit error checking: 1. Save backup filename to variable 2. Check if cp succeeds with: if ! cp ... 2>/dev/null 3. If backup fails: print error and return 1 early 4. Only proceed with sed modifications if backup confirmed This ensures: - Backup is verified before touching original file - Clear error message if backup fails - Function returns error code for caller to handle - Original file remains unmodified if backup fails LOCATIONS FIXED: - Line 1805: SYNFLOOD protection setup - Line 1861: SSH hardening configuration VERIFICATION: - Syntax: ✓ Pass - Error handling: ✓ Proper early return on backup failure - Safety: ✓ Original file untouched if backup fails - Auditability: ✓ Error message logged to console Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index f190767..5b94355 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -1802,7 +1802,15 @@ apply_synflood_fix() { echo "Enabling SYNFLOOD protection..." # Backup config - cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S) + # CRITICAL FIX: Check if backup succeeds before modifying + # Bug: If cp fails (no write permission), script continues anyway + # Result: Original file modified without backup - data loss if something goes wrong + local backup_file="/etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)" + if ! cp /etc/csf/csf.conf "$backup_file" 2>/dev/null; then + echo "ERROR: Failed to backup /etc/csf/csf.conf to $backup_file" + echo "Aborting SYNFLOOD configuration to prevent data loss" + return 1 + fi # Enable SYNFLOOD sed -i 's/^SYNFLOOD\s*=.*/SYNFLOOD = "1"/' /etc/csf/csf.conf @@ -1850,7 +1858,15 @@ apply_ssh_hardening() { echo "Lowering threshold to 3 failed attempts..." # Backup config - cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S) + # CRITICAL FIX: Check if backup succeeds before modifying + # Bug: If cp fails (no write permission), script continues anyway + # Result: Original file modified without backup - data loss if something goes wrong + local backup_file="/etc/csf/csf.conf.bak.$(date +%Y%m%d_%H%M%S)" + if ! cp /etc/csf/csf.conf "$backup_file" 2>/dev/null; then + echo "ERROR: Failed to backup /etc/csf/csf.conf to $backup_file" + echo "Aborting SSH hardening configuration to prevent data loss" + return 1 + fi # Update LF_SSHD sed -i 's/^LF_SSHD\s*=.*/LF_SSHD = "3"/' /etc/csf/csf.conf