From af510e7fb5a3595ee849210fa8f987313b25599e Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 6 Jan 2026 22:03:18 -0500
Subject: [PATCH] Move all persistent data to /tmp (no system pollution)
Moved from /var/lib/server-toolkit/ to /tmp/:
- Threat intelligence cache
- Whitelist IPs
- Attack pattern logs
- Incident reports
- Shared threat coordination logs
- Live monitor snapshots
Philosophy: Deleting toolkit directory should remove ALL data. System directories (/var/lib/) caused stale data to persist. Using /tmp/ ensures auto-cleanup on reboot and complete removal.
---
 lib/threat-intelligence.sh | 18 +++++++++---------
 modules/security/live-attack-monitor-v2.sh | 2 +-
 modules/security/live-attack-monitor.sh | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/lib/threat-intelligence.sh b/lib/threat-intelligence.sh
index 98158c2..da4c0e4 100644
--- a/lib/threat-intelligence.sh
+++ b/lib/threat-intelligence.sh
@@ -9,7 +9,7 @@
 ################################################################################
 # Cache directory for threat intelligence
-THREAT_CACHE_DIR="/var/lib/server-toolkit/threat-cache"
+THREAT_CACHE_DIR="/tmp/server-toolkit-threat-cache"
 mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null
 # Cache TTL (24 hours)
@@ -135,7 +135,7 @@ is_high_risk_country() {
 # Check if IP should be whitelisted (legitimate services)
 is_whitelisted_service() {
 local ip="$1"
- local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
+ local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
 # Check static whitelist
 if [ -f "$whitelist_file" ]; then
@@ -173,7 +173,7 @@ is_whitelisted_service() {
 add_to_whitelist() {
 local ip="$1"
 local reason="$2"
- local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
+ local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
 if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
 echo "$ip # $reason" >> "$whitelist_file"
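Review bot: `THREAT_CACHE_DIR` is now a fixed name inside the world-writable `/tmp`, and the `mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null` that follows succeeds silently when another local account has already created a directory (or a symlink) of that name, so the cache this library reads and writes can be pre-seeded by anyone on the host. If the toolkit runs with privileges, which this hunk does not show, that pre-creation becomes a way to hand poisoned threat-intel to a privileged process. A per-service directory under `/run/server-toolkit` would give the reboot-volatile behaviour the commit message asks for without sharing a namespace with every user; if `/tmp` has to stay, refuse a pre-existing directory the current user does not own and create it with a private mode, as below.
```shell
THREAT_CACHE_DIR="/tmp/server-toolkit-threat-cache"
# /tmp is shared with every local account: never adopt a cache dir someone else planted.
if [ -L "$THREAT_CACHE_DIR" ] || { [ -e "$THREAT_CACHE_DIR" ] && [ ! -O "$THREAT_CACHE_DIR" ]; }; then
    echo "refusing untrusted $THREAT_CACHE_DIR" >&2
    return 1 2>/dev/null || exit 1   # sourced as a lib, or run directly
fi
mkdir -p -m 0700 "$THREAT_CACHE_DIR" 2>/dev/null
# … unchanged: cache TTL and the rest of the library …
```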
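Review bot: The whitelist that `is_whitelisted_service` trusts, `/tmp/server-toolkit-whitelist_ips.txt`, can now be created by any local account, because `/tmp` is world-writable and the `[ -f "$whitelist_file" ]` check accepts any regular file (including one reached through a symlink) regardless of owner; a user who writes their own address into it is then treated as a legitimate service. Operator whitelisting is configuration rather than cache, and a file in `/tmp` is also lost at reboot and to age-based tmp cleaners, so entries vanish without any warning. At minimum read only a file the toolkit itself owns: `if [ -f "$whitelist_file" ] && [ ! -L "$whitelist_file" ] && [ -O "$whitelist_file" ]; then`. The rest of `is_whitelisted_service` lies outside this hunk.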
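Review bot: `echo "$ip # $reason" >> "$whitelist_file"` now appends to a predictable path in `/tmp`; when the toolkit runs with more privilege than a local user, that user can pre-place a symlink of that name and have the `$ip # $reason` text appended to a file of their choosing (the kernel's `fs.protected_symlinks`/`protected_regular` may block this on some hosts, but the script should not depend on it). Separately, the dedup guard `grep -q "^$ip$"` can never match a line written as `ip # reason`, and the unescaped dots are regex wildcards, so every call appends a duplicate entry. Refuse a symlinked target and fix the match: `[ -L "$whitelist_file" ] && return 1` before the append, and `if ! grep -qE "^${ip//./\\.}( |$)" "$whitelist_file" 2>/dev/null; then`.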
@@ -253,7 +253,7 @@ record_attack_pattern() {
 local uri="$3"
 local user_agent="$4"
- local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+ local pattern_file="/tmp/server-toolkit-attack-patterns.log"
 mkdir -p "$(dirname "$pattern_file")" 2>/dev/null
 # Format: timestamp|ip|attack_type|uri|user_agent
@@ -269,7 +269,7 @@ matches_known_pattern() {
 local attack_type="$1"
 local uri="$2"
- local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+ local pattern_file="/tmp/server-toolkit-attack-patterns.log"
 if [ ! -f "$pattern_file" ]; then
 return 1
@@ -324,7 +324,7 @@ is_server_stressed() {
 # Generate incident report for an IP
 generate_incident_report() {
 local ip="$1"
- local report_file="/var/lib/server-toolkit/incident-reports/report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
+ local report_file="/tmp/server-toolkit-incident-report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
 mkdir -p "$(dirname "$report_file")" 2>/dev/null
@@ -365,7 +365,7 @@ generate_incident_report() {
 echo "─────────────────────────────────────────────────────────────"
 # Get attacks from pattern log
- local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+ local pattern_file="/tmp/server-toolkit-attack-patterns.log"
 if [ -f "$pattern_file" ]; then
 echo "Recent attacks from this IP:"
 grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
@@ -408,7 +408,7 @@ share_threat_data() {
 local attack_type="$2"
 local score="$3"
- local coordination_file="/var/lib/server-toolkit/shared-threats.log"
+ local coordination_file="/tmp/server-toolkit-shared-threats.log"
 # Log for potential sharing
 echo "$(date +%s)|$(hostname)|$ip|$attack_type|$score" >> "$coordination_file"
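Review bot: With `pattern_file` flattened to `/tmp/server-toolkit-attack-patterns.log`, the retained `mkdir -p "$(dirname "$pattern_file")" 2>/dev/null` in `record_attack_pattern` now targets `/tmp` itself and is dead code, while the log it guarded has become a file any local account can append to, truncate, or pre-create as a symlink before the toolkit does. Attack-pattern records are forensic data; on `/tmp` they disappear at reboot and, on hosts with an age-based tmp cleaner, after a few days, which is the opposite of what an incident review needs. Drop the `mkdir` line and, before writing, refuse a file the toolkit does not own: `if [ -e "$pattern_file" ] && { [ -L "$pattern_file" ] || [ ! -O "$pattern_file" ]; }; then return 1; fi`. The append itself and the rest of `record_attack_pattern` lie outside this hunk.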
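Review bot: `matches_known_pattern` now decides from a file in `/tmp` that every local account can write, so the "known pattern" lookup runs on untrusted input and an attacker can seed entries to force or suppress matches. The existence test `[ ! -f "$pattern_file" ]` follows symlinks and ignores ownership; tightening it to `if [ ! -f "$pattern_file" ] || [ -L "$pattern_file" ] || [ ! -O "$pattern_file" ]; then` keeps the function reading only what the toolkit itself wrote. How `$attack_type` and `$uri` are matched against the file is outside this hunk.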
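Review bot: The report path `/tmp/server-toolkit-incident-report_<ip>_<YYYYmmdd_HHMMSS>.txt` is predictable to the second, so a local user can plant a symlink or file of that name and capture or redirect a report that is presumably written with the toolkit's privileges; the retained `mkdir -p "$(dirname "$report_file")" 2>/dev/null` now only names `/tmp` and does nothing. Let `mktemp` create the file atomically with a private mode while keeping the readable prefix: `local report_file` followed by `report_file=$(mktemp "/tmp/server-toolkit-incident-report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).XXXXXX") || return 1`. Incident reports are also exactly the data the commit message should not want auto-deleted at reboot. The report body is generated outside this hunk.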
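Review bot: `grep "|$ip|" "$pattern_file"` in the "Recent attacks" section treats the address as a regular expression, so its dots match any character; for an address taken from logs or arguments use a literal match, `grep -F -- "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do`. Since the file now lives in `/tmp`, this section also reproduces into the report whatever any local account chose to put there, so the same ownership check used elsewhere belongs in front of the `[ -f "$pattern_file" ]` test. `generate_incident_report` starts and continues outside this hunk.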
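Review bot: `echo "$(date +%s)|$(hostname)|$ip|$attack_type|$score" >> "$coordination_file"` appends to a fixed name in `/tmp`, so a symlink planted by a local user receives the write whenever the toolkit runs with more privilege than that user, and the same user can append arbitrary entries for any address. Because `check_shared_threats` (next hunk) counts lines matching `|$ip|` in this file, those planted entries are enough to get an arbitrary address flagged by "other servers". Guard the target before appending: `if [ -L "$coordination_file" ] || { [ -e "$coordination_file" ] && [ ! -O "$coordination_file" ]; }; then return 1; fi`. The rest of `share_threat_data` continues past this hunk.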
@@ -421,7 +421,7 @@ share_threat_data() {
 # Check if IP is flagged by other servers
 check_shared_threats() {
 local ip="$1"
- local coordination_file="/var/lib/server-toolkit/shared-threats.log"
+ local coordination_file="/tmp/server-toolkit-shared-threats.log"
 if [ -f "$coordination_file" ]; then
 local count=$(grep "|$ip|" "$coordination_file" | wc -l)
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index ac691a2..82e5ac8 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -57,7 +57,7 @@ TERMINAL_HEIGHT=$(tput lines 2>/dev/null || echo "24")
 # Temporary files for tracking
 TEMP_DIR="/tmp/live-monitor-$$"
-SNAPSHOT_DIR="/var/lib/server-toolkit/live-monitor"
+SNAPSHOT_DIR="/tmp/server-toolkit-live-monitor"
 mkdir -p "$TEMP_DIR" "$SNAPSHOT_DIR" 2>/dev/null
 touch "$TEMP_DIR/recent_events"
 touch "$TEMP_DIR/ip_data"
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 89ca32e..f21a73b 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -57,7 +57,7 @@ TERMINAL_HEIGHT=$(tput lines 2>/dev/null || echo "24")
 # Temporary files for tracking
 TEMP_DIR="/tmp/live-monitor-$$"
-SNAPSHOT_DIR="/var/lib/server-toolkit/live-monitor"
+SNAPSHOT_DIR="/tmp/server-toolkit-live-monitor"
 mkdir -p "$TEMP_DIR" "$SNAPSHOT_DIR" 2>/dev/null
 touch "$TEMP_DIR/recent_events"
 touch "$TEMP_DIR/ip_data"
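Review bot: `local count=$(grep "|$ip|" "$coordination_file" | wc -l)` now counts lines in a file any local account can append to, so the number `check_shared_threats` reports can be inflated at will and a legitimate address flagged; the `local` on the same line also masks grep's exit status, and the address is matched as a regex. Count only a toolkit-owned file, literally: `if [ -f "$coordination_file" ] && [ ! -L "$coordination_file" ] && [ -O "$coordination_file" ]; then` followed by `local count` and `count=$(grep -cF -- "|$ip|" "$coordination_file")`. How `count` is thresholded is outside this hunk.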
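Review bot: `TEMP_DIR="/tmp/live-monitor-$$"` (context here, but the working directory the new `SNAPSHOT_DIR` now sits beside) is a predictable PID-based name, and the `mkdir -p "$TEMP_DIR" "$SNAPSHOT_DIR" 2>/dev/null` that follows hides the case where another local user created `/tmp/live-monitor-<pid>` first, after which the `touch`ed `recent_events` and `ip_data` files live in a directory that user controls. Let `mktemp -d` create a private, unpredictable directory instead: `TEMP_DIR=$(mktemp -d /tmp/live-monitor.XXXXXX) || { echo "cannot create temp dir" >&2; exit 1; }`. Whether a cleanup `trap` already removes `TEMP_DIR` on exit is not visible in this hunk.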
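Review bot: `SNAPSHOT_DIR="/tmp/server-toolkit-live-monitor"` is one fixed directory shared by every account on the host, and the `2>/dev/null` on the combined `mkdir -p` hides what happens when it already exists: created once by another user, it is owned by them with their umask, so this script's snapshot writes either fail or land in a directory that user can read and replace. The old `/var/lib` path was also shared between the two monitor scripts, but it sat under a root-owned parent rather than a world-writable one. Create it on its own with an ownership check: `if [ -e "$SNAPSHOT_DIR" ] && { [ -L "$SNAPSHOT_DIR" ] || [ ! -O "$SNAPSHOT_DIR" ]; }; then echo "refusing $SNAPSHOT_DIR" >&2; exit 1; fi` followed by `mkdir -p -m 0700 "$SNAPSHOT_DIR"`.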