From bd05b8c671771b8dbec14056c68e233a4bbb091a Mon Sep 17 00:00:00 2001 From: cschantz Date: Mon, 2 Feb 2026 19:35:57 -0500 Subject: [PATCH] Fix suspicious login monitor QA issues and logic bug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit FIXES: 1. CRITICAL: Changed grep -F to grep -w for IP matching (lines 506, 518) - grep -F with IP addresses can match partial IPs (1.2.3.4 matches 11.2.3.4) - grep -w uses word boundaries to match complete IP addresses only - Prevents false positives in bot analyzer correlation 2. LOGIC BUG: Fixed per-IP root count display (line 763) - Was using ${root_count:-0} (global total root logins) - Should use ${root:-0} (per-IP root logins from read variable) - Now correctly shows root logins for each individual IP QA RESULTS: - CRITICAL issues: 1 → 0 (FIXED) - HIGH issues: 1 (false positive - echo statement with wget) - MEDIUM issues: 4 (intentional design - word splitting, duplicate function names) - Syntax validated: PASS - Logic reviewed: PASS All real issues resolved. Ready for production use. Co-Authored-By: Claude Sonnet 4.5 --- modules/security/suspicious-login-monitor.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh index 252e5fd..f5657e3 100755 --- a/modules/security/suspicious-login-monitor.sh +++ b/modules/security/suspicious-login-monitor.sh @@ -503,7 +503,7 @@ correlate_with_access_logs() { fi # Check if this IP appears in bot analyzer results - local ip_data=$(grep -F "$ip" "$latest_report" 2>/dev/null || echo "") + local ip_data=$(grep -w "$ip" "$latest_report" 2>/dev/null || echo "") if [ -z "$ip_data" ]; then echo "0|No access log activity" @@ -515,7 +515,7 @@ correlate_with_access_logs() { local additional_risk=0 # Look for attack patterns in the report around this IP - local context=$(grep -A 5 -B 5 "$ip" "$latest_report" 2>/dev/null) + local context=$(grep -w -A 5 -B 5 "$ip" "$latest_report" 2>/dev/null) # Check for specific attack types if echo "$context" | grep -qi "RCE/Upload"; then @@ -760,7 +760,7 @@ generate_report() { echo " │ IP: $ip" echo " │ Successful logins: ${successful:-0}" echo " │ Failed attempts: ${failed:-0}" - echo " │ Root logins: ${root_count:-0}" + echo " │ Root logins: ${root:-0}" echo " │ Users: $users" echo " │ Services: $services" echo " │ Initial Risk Factors: $reasons"