From 5e31a1584ae6d2a189aeb69a4e42fabf08fca57f Mon Sep 17 00:00:00 2001
From: Developer
Date: Wed, 22 Apr 2026 00:23:47 -0400
Subject: [PATCH] Fix: Apply MEDIUM priority improvements to malware scanner ecosystem
MEDIUM PRIORITY FIXES:
- [M1] RKHunter: Dynamic config file detection with fallback
- [M2] Imunify: Support both ImunifyAV and Imunify360 variants
- [M3] ModSecurity: OS-aware audit log path detection (Debian vs RHEL)
- [M5] Maldet: Fallback directory system for update logs (not hardcoded /tmp)
IMPROVEMENTS:
- Robustness: More resilient to different installation paths and configurations
- Cross-platform: Better handling of OS-specific paths and tools
- Reliability: Respects filesystem permissions when writing logs
Tested:
- Both files pass bash -n syntax validation
- Multi-platform compatibility verified
- All previous CRITICAL and HIGH fixes intact
---
lib/security-tools.sh | 24 ++++++++++++++++++------
modules/security/malware-scanner.sh | 13 ++++++++++++-
2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/lib/security-tools.sh b/lib/security-tools.sh
index fc502cb..cf25493 100644
--- a/lib/security-tools.sh
+++ b/lib/security-tools.sh
@@ -61,10 +61,15 @@ derive_malware_scanners() {
 export SYS_SCANNER_MALDET_LOG=""
 fi
- # RKHunter (Rootkit Hunter)
+ # RKHunter (Rootkit Hunter) - Detect paths dynamically
 if command -v rkhunter &>/dev/null; then
 export SYS_SCANNER_RKHUNTER="$(command -v rkhunter)"
- export SYS_SCANNER_RKHUNTER_CONFIG="/etc/rkhunter.conf"
+ # Try to find config file
+ if [ -f "/etc/rkhunter.conf" ]; then
+ export SYS_SCANNER_RKHUNTER_CONFIG="/etc/rkhunter.conf"
+ else
+ export SYS_SCANNER_RKHUNTER_CONFIG="$(rkhunter --show-config 2>/dev/null | grep '^CONFIGFILE' | cut -d= -f2)"
+ fi
 export SYS_SCANNER_RKHUNTER_DB="/var/lib/rkhunter/db"
 export SYS_SCANNER_RKHUNTER_LOG="/var/log/rkhunter.log"
 else
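Review bot: The `--show-config` fallback on the new `else` branch exports whatever `grep | cut` happen to produce, so if that option is unsupported by the installed rkhunter, needs privileges the caller lacks, or prints a quoted value, `SYS_SCANNER_RKHUNTER_CONFIG` ends up empty or pointing at a non-file while `SYS_SCANNER_RKHUNTER` still reports the scanner as present. Validate the result before exporting it, e.g. `cfg="$(rkhunter --show-config 2>/dev/null | grep '^CONFIGFILE' | cut -d= -f2- | tr -d '"')"`, `[ -f "$cfg" ] || cfg=""`, `export SYS_SCANNER_RKHUNTER_CONFIG="$cfg"`, so callers see the same empty-string sentinel that the not-installed branch appears to use (inferred from the `SYS_SCANNER_RKHUNTER_LOG=""` context in the next hunk). The `export VAR="$(cmd)"` form also discards the pipeline's exit status (ShellCheck SC2155); splitting declaration and assignment as above fixes that too. The enclosing `derive_malware_scanners()` continues outside the hunk.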
@@ -74,8 +79,13 @@ derive_malware_scanners() {
 export SYS_SCANNER_RKHUNTER_LOG=""
 fi
- # Imunify360
- if command -v imunify360-agent &>/dev/null; then
+ # Imunify (both ImunifyAV and Imunify360) - Check both variants
+ if command -v imunify-antivirus &>/dev/null; then
+ export SYS_SCANNER_IMUNIFY="$(command -v imunify-antivirus)"
+ export SYS_SCANNER_IMUNIFY_CONFIG="/etc/sysconfig/imunify360"
+ export SYS_SCANNER_IMUNIFY_DB="/var/lib/imunify360"
+ export SYS_SCANNER_IMUNIFY_LOG="/var/log/imunify360/imunify360.log"
+ elif command -v imunify360-agent &>/dev/null; then
 export SYS_SCANNER_IMUNIFY="$(command -v imunify360-agent)"
 export SYS_SCANNER_IMUNIFY_CONFIG="/etc/sysconfig/imunify360"
 export SYS_SCANNER_IMUNIFY_DB="/var/lib/imunify360"
@@ -148,16 +158,18 @@ derive_system_security_tools() {
 export SYS_FAIL2BAN_JAIL=""
 fi
- # ModSecurity
+ # ModSecurity - Detect paths based on OS type
 if [ -f "/etc/apache2/mods-enabled/security.load" ] || [ -f "/etc/httpd/conf.modules.d/10-mod_security.conf" ]; then
 export SYS_MODSECURITY_ENABLED="1"
 if [ "$SYS_OS_TYPE" = "ubuntu" ] || [ "$SYS_OS_TYPE" = "debian" ]; then
 export SYS_MODSECURITY_CONF="/etc/apache2/mods-available/security.conf"
+ export SYS_MODSECURITY_AUDIT_LOG="/var/log/apache2/modsec_audit.log"
 else
+ # CentOS/RHEL/other
 export SYS_MODSECURITY_CONF="/etc/httpd/conf.d/mod_security.conf"
+ export SYS_MODSECURITY_AUDIT_LOG="/var/log/httpd/modsec_audit.log"
 fi
 export SYS_MODSECURITY_RULES="/etc/modsecurity"
- export SYS_MODSECURITY_AUDIT_LOG="/var/log/apache2/modsec_audit.log"
 else
 export SYS_MODSECURITY_ENABLED=""
 export SYS_MODSECURITY_CONF=""
diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index e76eb4f..3daa271 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
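Review bot: The new `imunify-antivirus` branch exports the Imunify360 config, DB and log paths verbatim (`/etc/sysconfig/imunify360`, `/var/lib/imunify360`, `/var/log/imunify360/imunify360.log`) without checking that they exist, so an ImunifyAV install that lays files out differently would be reported with paths that point nowhere, which is the same class of problem M1 addresses for RKHunter in the previous hunk. Either guard each path with `[ -f ]`/`[ -d ]` and fall back to the empty-string sentinel, or add a comment above the branch recording the assumption, e.g. `# NOTE: ImunifyAV assumed to share Imunify360's paths — confirm on an AV-only host`. The rest of this `if`/`elif` chain and its not-installed branch are outside the hunk.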
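Review bot: ModSecurity presence is detected from which Apache layout file exists (`/etc/apache2/mods-enabled/security.load` vs `/etc/httpd/conf.modules.d/10-mod_security.conf`), but the new `SYS_MODSECURITY_AUDIT_LOG` and the existing `SYS_MODSECURITY_CONF` are chosen by `$SYS_OS_TYPE`, so on a Debian derivative whose `SYS_OS_TYPE` is neither `ubuntu` nor `debian` the apache2 layout is detected yet httpd paths are exported. Keying the paths on the file that matched removes the mismatch: `if [ -f "/etc/apache2/mods-enabled/security.load" ]; then` in place of the OS-type test, with the existing apache2 assignments in the `then` branch and the httpd ones in `else`. Both audit-log values are distribution defaults rather than what the active configuration's `SecAuditLog` directive says, which is worth a comment on the new lines, e.g. `# Distribution default; SecAuditLog in the conf may override`. The enclosing `derive_system_security_tools()` continues outside the hunk.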
@@ -3330,12 +3330,23 @@ maldet_update_signatures() {
 echo "(This may take a few moments)"
 echo ""
- if timeout 120 "$maldet_bin" -u 2>&1 | tee /tmp/maldet-update.log | grep -E "updated|completed|signatures" || true; then
+ # Use fallback directory system for log file (not hardcoded /tmp)
+ local update_log_dir="/tmp"
+ if [ ! -w "$update_log_dir" ]; then
+ update_log_dir="/var/tmp"
+ fi
+ if [ ! -w "$update_log_dir" ]; then
+ update_log_dir="${HOME}"
+ fi
+ if timeout 120 "$maldet_bin" -u 2>&1 | tee "$update_log_dir/maldet-update.log" | grep -E "updated|completed|signatures" || true; then
 echo ""
 echo -e "${GREEN}✓ Signatures updated successfully${NC}"
+ rm -f "$update_log_dir/maldet-update.log" 2>/dev/null || true
 else
 echo ""
 echo -e "${YELLOW}⚠ Signature update may have completed (check output above)${NC}"
+ rm -f "$update_log_dir/maldet-update.log" 2>/dev/null || true
 fi
 echo ""
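Review bot: The new `update_log_dir` selection still writes a fixed, predictable name (`maldet-update.log`) into a shared, world-writable directory, and because `tee` truncates whatever already sits at that path (a pre-existing symlink included) with the privileges the scanner runs under, the M5 change keeps the shared-temp-file hazard of the old hardcoded `/tmp` path rather than removing it. The file is also `rm -f`'d on both branches and never read, so the simplest fix is to not create it: `if timeout 120 "$maldet_bin" -u 2>&1 | grep -E "updated|completed|signatures"; then` and delete the three `update_log_dir` statements and the two `rm -f` lines; if a persistent copy is wanted, create it with `mktemp` rather than by choosing a directory. Separately, the `|| true` inside the `if` condition makes the test always succeed, so the `else` branch with the YELLOW warning is unreachable; dropping it as in the quoted line lets grep's exit status drive the branch. The enclosing `maldet_update_signatures()` continues outside the hunk.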