Move all persistent data to /tmp (no system pollution)

Moved from /var/lib/server-toolkit/ to /tmp/:
- Threat intelligence cache
- Whitelist IPs
- Attack pattern logs
- Incident reports
- Shared threat coordination logs
- Live monitor snapshots

Philosophy: Deleting toolkit directory should remove ALL data.
System directories (/var/lib/) caused stale data to persist.
Using /tmp/ ensures auto-cleanup on reboot and complete removal.
cschantz
2026-01-06 22:03:18 -05:00
parent 2391ded8e4
commit 3a3b8dbda7
3 changed files with 11 additions and 11 deletions
+9 -9
@@ -9,7 +9,7 @@
################################################################################
# Cache directory for threat intelligence
THREAT_CACHE_DIR="/var/lib/server-toolkit/threat-cache"
THREAT_CACHE_DIR="/tmp/server-toolkit-threat-cache"
mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null
# Cache TTL (24 hours)
@@ -135,7 +135,7 @@ is_high_risk_country() {
# Check if IP should be whitelisted (legitimate services)
is_whitelisted_service() {
local ip="$1"
local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
# Check static whitelist
if [ -f "$whitelist_file" ]; then
@@ -173,7 +173,7 @@ is_whitelisted_service() {
add_to_whitelist() {
local ip="$1"
local reason="$2"
local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
echo "$ip # $reason" >> "$whitelist_file"
@@ -253,7 +253,7 @@ record_attack_pattern() {
local uri="$3"
local user_agent="$4"
local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
local pattern_file="/tmp/server-toolkit-attack-patterns.log"
mkdir -p "$(dirname "$pattern_file")" 2>/dev/null
# Format: timestamp|ip|attack_type|uri|user_agent
@@ -269,7 +269,7 @@ matches_known_pattern() {
local attack_type="$1"
local uri="$2"
local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
local pattern_file="/tmp/server-toolkit-attack-patterns.log"
if [ ! -f "$pattern_file" ]; then
return 1
@@ -324,7 +324,7 @@ is_server_stressed() {
# Generate incident report for an IP
generate_incident_report() {
local ip="$1"
local report_file="/var/lib/server-toolkit/incident-reports/report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
local report_file="/tmp/server-toolkit-incident-report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
mkdir -p "$(dirname "$report_file")" 2>/dev/null
@@ -365,7 +365,7 @@ generate_incident_report() {
echo "─────────────────────────────────────────────────────────────"
# Get attacks from pattern log
local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
local pattern_file="/tmp/server-toolkit-attack-patterns.log"
if [ -f "$pattern_file" ]; then
echo "Recent attacks from this IP:"
grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
@@ -408,7 +408,7 @@ share_threat_data() {
local attack_type="$2"
local score="$3"
local coordination_file="/var/lib/server-toolkit/shared-threats.log"
local coordination_file="/tmp/server-toolkit-shared-threats.log"
# Log for potential sharing
echo "$(date +%s)|$(hostname)|$ip|$attack_type|$score" >> "$coordination_file"
@@ -421,7 +421,7 @@ share_threat_data() {
# Check if IP is flagged by other servers
check_shared_threats() {
local ip="$1"
local coordination_file="/var/lib/server-toolkit/shared-threats.log"
local coordination_file="/tmp/server-toolkit-shared-threats.log"
if [ -f "$coordination_file" ]; then
local count=$(grep "|$ip|" "$coordination_file" | wc -l)
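Review bot: Every new path in this section (THREAT_CACHE_DIR, whitelist_file in is_whitelisted_service and add_to_whitelist, pattern_file, report_file, coordination_file) is a fixed name directly inside the world-writable /tmp, so any local user can create or symlink those names before the toolkit does; the `>>` appends in add_to_whitelist and share_threat_data would then write through a planted symlink with the toolkit's privileges, and is_whitelisted_service would trust a whitelist it never wrote, which hands a blocking decision to whoever got to /tmp first. The `mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null` in the first hunk likewise adopts a pre-existing directory owned by someone else without complaint. On Linux hosts with fs.protected_symlinks/protected_regular the symlink case is softened but the pre-created whitelist file is not, and a service unit running with systemd PrivateTmp would see a different /tmp than an interactive run of the same script (inferred from the deployment model, not visible here). The stated goals, removed with the toolkit and gone on reboot, are met without the shared directory by deriving all nine paths from one private state directory created mode 0700 and checked for ownership, for example `/run/server-toolkit` (tmpfs on most distributions) or a `state/` directory beside the toolkit; sketch below, with the failure action matched to the library's existing convention. The per-reboot loss of the whitelist and threat cache may be intended, but it is worth stating in the file header since operators will otherwise look for persisted entries that no longer exist.
```shell
# Private state directory: owner-only, removed with the toolkit, cleared on reboot.
# Override via the environment for tests.
TOOLKIT_STATE_DIR="${TOOLKIT_STATE_DIR:-/run/server-toolkit}"
mkdir -p -m 0700 -- "$TOOLKIT_STATE_DIR" || exit 1
# Refuse a directory we did not create (symlink or foreign owner) instead of adopting it.
if [ -L "$TOOLKIT_STATE_DIR" ] || [ ! -O "$TOOLKIT_STATE_DIR" ]; then
    echo "state dir $TOOLKIT_STATE_DIR is not owned by us; refusing to use it" >&2
    exit 1
fi
THREAT_CACHE_DIR="$TOOLKIT_STATE_DIR/threat-cache"
# … unchanged: cache TTL and the rest of the config block …
# In each function, replace the /tmp literal with the derived path, e.g.:
local whitelist_file="$TOOLKIT_STATE_DIR/whitelist_ips.txt"
```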