From b9c9a058baec0fa88e6af076f26557712040e836 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 3 Feb 2026 16:22:49 -0500
Subject: [PATCH] Fix: Move baseline storage to toolkit directory
Issue: Baseline was stored in /var/lib/suspicious-login-monitor/ which is outside the toolkit directory structure. When toolkit is deleted, baseline data would remain on system.
Changes:
- Changed BASELINE_DIR from /var/lib/suspicious-login-monitor to $TOOLKIT_ROOT/data/suspicious-login-monitor
- Migrated existing baseline.dat to new location
- Removed old /var/lib/suspicious-login-monitor directory
Result: All toolkit data now contained within toolkit directory. When toolkit is deleted, baseline is removed automatically.
Co-Authored-By: Claude Sonnet 4.5
---
data/suspicious-login-monitor/baseline.dat | 8 ++++++++
modules/security/suspicious-login-monitor.sh | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 data/suspicious-login-monitor/baseline.dat
diff --git a/data/suspicious-login-monitor/baseline.dat b/data/suspicious-login-monitor/baseline.dat
new file mode 100644
index 0000000..bb32d52
--- /dev/null
+++ b/data/suspicious-login-monitor/baseline.dat
@@ -0,0 +1,8 @@
+# Baseline data for suspicious login monitor
+# Last updated: Tue Feb 3 04:04:53 PM EST 2026
+BASELINE_SSH_KEY_COUNT=1
+BASELINE_USER_COUNT=3
+BASELINE_TYPICAL_LOGIN_HOURS="16"
+BASELINE_PASSWORD_CHANGES_PER_WEEK=0
+BASELINE_NEW_USERS_PER_WEEK=0
+BASELINE_LAST_UPDATE=1770152693
diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index bfef8c4..a280efb 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -49,8 +49,8 @@ PANEL_EVENTS="$TMP_DIR/panel_events_$$.txt"
 SUDO_EVENTS="$TMP_DIR/sudo_events_$$.txt"
 SUSPICIOUS_IPS="$TMP_DIR/suspicious_ips_$$.txt"
-# Baseline storage (persistent across runs)
-BASELINE_DIR="/var/lib/suspicious-login-monitor"
+# Baseline storage (persistent across runs, within toolkit directory)
+BASELINE_DIR="$TOOLKIT_ROOT/data/suspicious-login-monitor"
 BASELINE_FILE="$BASELINE_DIR/baseline.dat"
 mkdir -p "$BASELINE_DIR" 2>/dev/null
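Review bot: The new `BASELINE_DIR="$TOOLKIT_ROOT/data/suspicious-login-monitor"` puts the file the monitor compares against into a directory whose ownership and mode are never checked here, and the unchanged `mkdir -p "$BASELINE_DIR" 2>/dev/null` still discards a failure. Anyone who can write under the toolkit tree could edit baseline.dat so that a changed SSH key or user count matches the stored values, and if the script loads the file with `source` (not visible in this hunk) that write access would also mean running code as the monitor's user. I would guard the assignment with `: "${TOOLKIT_ROOT:?TOOLKIT_ROOT is not set}"` (an empty value resolves to `/data/suspicious-login-monitor`; whether it is set earlier is outside the hunk) and replace the mkdir with `mkdir -p "$BASELINE_DIR" || exit 1` followed by `chmod 700 "$BASELINE_DIR"`. Because the directory now lives inside the repository, this commit also checks in one host's baseline.dat; ignoring `data/suspicious-login-monitor/` in `.gitignore` would keep every clone from starting with that host's user and key counts as its baseline.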