From 9771e05fa8c19d26ad418d3a6558f56d0091dafb Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Sat, 7 Feb 2026 02:43:07 -0500
Subject: [PATCH] Fix TYPE-MISMATCH and AWK-UNINIT issues in email analysis
 scripts

suspicious-login-monitor.sh:
- Quote all numeric comparison variables to prevent word splitting:
  * Line 880: [ "$new_risk" -gt 100 ]
  * Line 2642: [ "$total_risk" -gt 100 ]
  * Line 2773: [ "$critical_count" -gt 0 ]
  * Lines 2806, 2823, 2840, 2864, 2872: [ "$risk" -gt 100 ]
  * Line 2894: [ "$high_count" -gt 0 ]
- Fix potential stat command failure on line 1467 with error checking

mail-log-analyzer.sh:
- Quote all numeric comparison variables in bounce detection (lines 259-265)
- Initialize AWK variables in BEGIN block (line 1276)
- Initialize awk loop variable (line 1130)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 modules/email/mail-log-analyzer.sh           | 18 +++++++-------
 modules/security/suspicious-login-monitor.sh | 25 ++++++++++++--------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/modules/email/mail-log-analyzer.sh b/modules/email/mail-log-analyzer.sh
index b71ab3c..8343f66 100755
--- a/modules/email/mail-log-analyzer.sh
+++ b/modules/email/mail-log-analyzer.sh
@@ -256,13 +256,13 @@ analyze_bounces() {
         local greylisting=$(grep -ciE "(greylist|grey.*list|try again later|temporarily reject)" -- "$temp_file")
         local tls_failure=$(grep -ciE "(TLS|SSL|certificate)" -- "$temp_file")
 
-        [ $mailbox_full -gt 0 ] && BOUNCE_REASONS["mailbox_full"]=$mailbox_full
-        [ $user_unknown -gt 0 ] && BOUNCE_REASONS["user_unknown"]=$user_unknown
-        [ $blocked -gt 0 ] && BOUNCE_REASONS["blocked"]=$blocked
-        [ $dns_failure -gt 0 ] && BOUNCE_REASONS["dns_failure"]=$dns_failure
-        [ $timeout -gt 0 ] && BOUNCE_REASONS["timeout"]=$timeout
-        [ $greylisting -gt 0 ] && BOUNCE_REASONS["greylisting"]=$greylisting
-        [ $tls_failure -gt 0 ] && BOUNCE_REASONS["tls_failure"]=$tls_failure
+        [ "$mailbox_full" -gt 0 ] && BOUNCE_REASONS["mailbox_full"]=$mailbox_full
+        [ "$user_unknown" -gt 0 ] && BOUNCE_REASONS["user_unknown"]=$user_unknown
+        [ "$blocked" -gt 0 ] && BOUNCE_REASONS["blocked"]=$blocked
+        [ "$dns_failure" -gt 0 ] && BOUNCE_REASONS["dns_failure"]=$dns_failure
+        [ "$timeout" -gt 0 ] && BOUNCE_REASONS["timeout"]=$timeout
+        [ "$greylisting" -gt 0 ] && BOUNCE_REASONS["greylisting"]=$greylisting
+        [ "$tls_failure" -gt 0 ] && BOUNCE_REASONS["tls_failure"]=$tls_failure
 
         TOTAL_BOUNCES=$(wc -l < "$temp_file")
         ISSUES_FOUND["bounces"]=$TOTAL_BOUNCES
@@ -1127,7 +1127,7 @@ display_recommendations() {
     local priority=1
     for issue in blacklist spam_accounts authentication rate_limiting rdns certificate local_delivery helo_violations frozen_messages panic_log connection_flooding auth_attacks deferral_loops tls_errors size_rejections routing_loops; do
         if [ -n "${RECOMMENDATIONS[$issue]}" ]; then
-            echo -e "${CYAN}$priority)${NC} ${BOLD}$(echo $issue | tr '_' ' ' | awk '{for(i=1;i<=NF;i++)sub(/./,toupper(substr($i,1,1)),$i)}1')${NC}"
+            echo -e "${CYAN}$priority)${NC} ${BOLD}$(echo $issue | tr '_' ' ' | awk 'BEGIN{i=0} {for(i=1;i<=NF;i++)sub(/./,toupper(substr($i,1,1)),$i)}1')${NC}"
             echo "   ${RECOMMENDATIONS[$issue]}"
             echo ""
             ((priority++))
@@ -1273,7 +1273,7 @@ display_hourly_distribution() {
 
     # Calculate average and check for off-hours spikes (00:00-06:00)
     local max_vol=$(awk '{print $1}' /tmp/hourly_volume.$$ | sort -n | tail -1)
-    local avg_vol=$(awk '{sum+=$1; count++} END {if(count>0) print int(sum/count); else print 0}' /tmp/hourly_volume.$$)
+    local avg_vol=$(awk 'BEGIN {sum=0; count=0} {sum+=$1; count++} END {if(count>0) print int(sum/count); else print 0}' /tmp/hourly_volume.$$)
 
     # Check for off-hours activity (midnight-6am) that's > 2x average
     local has_suspicious_hours=0
diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index 3e22f5d..acf9f23 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -877,7 +877,7 @@ correlate_with_access_logs() {
 
     # Cap at 100
     local new_risk=$((risk_score + additional_risk))
-    [ $new_risk -gt 100 ] && new_risk=100
+    [ "$new_risk" -gt 100 ] && new_risk=100
 
     echo "$additional_risk|$attack_vectors"
 }
@@ -1464,7 +1464,12 @@ get_account_age_days() {
     fi
 
     # Fallback: Check /etc/passwd modification (less accurate)
-    local passwd_age=$(( $(date +%s) - $(stat -c %Y /etc/passwd 2>/dev/null) ))
+    local stat_output=$(stat -c %Y /etc/passwd 2>/dev/null)
+    if [ -z "$stat_output" ]; then
+        echo "0"
+        return 1
+    fi
+    local passwd_age=$(( $(date +%s) - stat_output ))
     local passwd_days=$(( passwd_age / 86400 ))
     echo "$passwd_days"
     return 0
@@ -2639,7 +2644,7 @@ perform_compromise_detection() {
     fi
 
     # Cap at 100
-    [ $total_risk -gt 100 ] && total_risk=100
+    [ "$total_risk" -gt 100 ] && total_risk=100
 
     # CONFIDENCE CALCULATION: Calculate how confident we are this is a real threat
     local confidence_result=$(calculate_confidence_score "$total_risk" "$all_findings" "$all_mitigations")
@@ -2770,7 +2775,7 @@ generate_report() {
     local critical_count=$(awk -F'|' -v thresh=$RISK_CRITICAL '$2 >= thresh' "$SUSPICIOUS_IPS" | wc -l)
     local high_count=$(awk -F'|' -v crit=$RISK_CRITICAL -v high=$RISK_HIGH '$2 >= high && $2 < crit' "$SUSPICIOUS_IPS" | wc -l)
 
-    if [ $critical_count -gt 0 ]; then
+    if [ "$critical_count" -gt 0 ]; then
         echo -e "${RED}🚨 CRITICAL ALERTS ($critical_count):${NC}"
         echo ""
 
@@ -2803,7 +2808,7 @@ generate_report() {
                     echo "      │   - $attack"
                 done
                 risk=$((risk + corr_risk))
-                [ $risk -gt 100 ] && risk=100
+                [ "$risk" -gt 100 ] && risk=100
             else
                 echo "      │ $corr_attacks"
             fi
@@ -2820,7 +2825,7 @@ generate_report() {
             if [ "$rep_risk" != "0" ]; then
                 echo "      │ $rep_notes"
                 risk=$((risk + rep_risk))
-                [ $risk -gt 100 ] && risk=100
+                [ "$risk" -gt 100 ] && risk=100
             else
                 echo "      │ $rep_notes"
             fi
@@ -2837,7 +2842,7 @@ generate_report() {
             if [ "$threat_risk" != "0" ]; then
                 echo "      │ ⚠️  $threat_notes"
                 risk=$((risk + threat_risk))
-                [ $risk -gt 100 ] && risk=100
+                [ "$risk" -gt 100 ] && risk=100
             else
                 echo "      │ $threat_notes"
             fi
@@ -2861,7 +2866,7 @@ generate_report() {
                     echo "      │   • $finding"
                 done
                 risk=$((risk + compromise_risk))
-                [ $risk -gt 100 ] && risk=100
+                [ "$risk" -gt 100 ] && risk=100
             elif [ "$compromise_risk" -gt 0 ]; then
                 echo -e "      │ ${YELLOW}⚠️  Suspicious indicators found - $compromise_risk risk points${NC}"
                 echo "      │"
@@ -2869,7 +2874,7 @@ generate_report() {
                     echo "      │   • $finding"
                 done
                 risk=$((risk + compromise_risk))
-                [ $risk -gt 100 ] && risk=100
+                [ "$risk" -gt 100 ] && risk=100
             else
                 echo -e "      │ ${GREEN}✓ No compromise indicators detected${NC}"
                 echo "      │ System integrity checks passed"
@@ -2891,7 +2896,7 @@ generate_report() {
         done
     fi
 
-    if [ $high_count -gt 0 ]; then
+    if [ "$high_count" -gt 0 ]; then
         echo -e "${YELLOW}⚠️  HIGH ALERTS ($high_count):${NC}"
         echo ""