Fix: Double arithmetic syntax error in generate_comparison_report (line 2073)

modules/security/bot-analyzer.sh

@@ -1311,7 +1311,7 @@ calculate_bot_fingerprint() {
         }
         close(tmpdir "/bot_fingerprints.txt")
     }
-    ' < "$TEMP_DIR/parsed_logs.txt"
+    ' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || true
 
     # Create file if empty
     touch "$TEMP_DIR/bot_fingerprints.txt"
@@ -1997,10 +1997,10 @@ generate_statistics() {
         close(tmpdir "/top_urls_raw.txt")
     }'
 
-    # Sort and limit results
-    sort -rn "$TEMP_DIR/top_sites_raw.txt" | head -5 > "$TEMP_DIR/top_sites.txt"
-    sort -rn "$TEMP_DIR/top_ips_raw.txt" | head -5 > "$TEMP_DIR/top_ips.txt"
-    sort -rn "$TEMP_DIR/top_urls_raw.txt" | head -5 > "$TEMP_DIR/top_urls.txt"
+    # Sort and limit results (files may not exist if no data)
+    [ -f "$TEMP_DIR/top_sites_raw.txt" ] && sort -rn "$TEMP_DIR/top_sites_raw.txt" | head -5 > "$TEMP_DIR/top_sites.txt" || touch "$TEMP_DIR/top_sites.txt"
+    [ -f "$TEMP_DIR/top_ips_raw.txt" ] && sort -rn "$TEMP_DIR/top_ips_raw.txt" | head -5 > "$TEMP_DIR/top_ips.txt" || touch "$TEMP_DIR/top_ips.txt"
+    [ -f "$TEMP_DIR/top_urls_raw.txt" ] && sort -rn "$TEMP_DIR/top_urls_raw.txt" | head -5 > "$TEMP_DIR/top_urls.txt" || touch "$TEMP_DIR/top_urls.txt"
 
     # Top 5 bots by request count (single decompression)
     cat "$TEMP_DIR/classified_bots.txt" 2>/dev/null | awk -F'|' '$9 != "unknown" {print $10}' | \
@@ -2070,7 +2070,7 @@ generate_comparison_report() {
             echo "   Baseline (7-day avg): $baseline_requests requests"
             echo "   Today: $total_requests requests"
         elif [ "$request_pct" -lt 50 ]; then
-            echo "🟢 LOW: Requests are $(($((100 - $request_pct))))% below baseline"
+            echo "🟢 LOW: Requests are $((100 - $request_pct))% below baseline"
         else
             echo "🟡 NORMAL: Requests within expected range"
         fi

modules/security/malware-scanner.sh

@@ -2156,7 +2156,7 @@ for scanner in "${available_scanners[@]}"; do
             # Extract scan results from event log (more reliable than parsing output)
             # Maldet logs to /usr/local/maldetect/logs/event_log
             # Use dynamic path search for portability across all platforms (FIXED Issue 2: comprehensive path discovery)
-            local event_log=""
+            event_log=""
 
             # Search standard locations in order of likelihood
             for search_path in \
@@ -2556,7 +2556,7 @@ STANDALONE_EOF
     fi
 
     # Inject MALDET_ONLY flag for Maldet-dedicated scans
-    local maldet_flag="${MALDET_ONLY:-0}"
+    maldet_flag="${MALDET_ONLY:-0}"
     if ! sed -i "s|PLACEHOLDER_MALDET_ONLY|$maldet_flag|" "$session_dir/scan.sh"; then
         echo -e "${RED}ERROR: Failed to inject MALDET_ONLY flag${NC}"
         return 1

modules/security/optimize-ct-limit.sh

@@ -826,11 +826,8 @@ main() {
         echo ""
     fi
 
-    # Check if sysref database exists, build if needed
-    if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then
-        print_status "Building system reference database (first run)..."
-        build_reference_database >/dev/null 2>&1
-    fi
+    # Ensure reference database is fresh (only rebuild if > 1 hour old)
+    db_ensure_fresh >/dev/null 2>&1
 
     # Run analysis
     check_server_resources

modules/security/suspicious-login-monitor.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -eo pipefail
 
 #
 # Suspicious Login Monitor - Integrated Security Analysis & Compromise Detection
@@ -11,6 +12,9 @@
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 TOOLKIT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 
+# Source reference-db for cache support (avoid redundant /etc/passwd parsing)
+source "$TOOLKIT_ROOT/lib/reference-db.sh" 2>/dev/null || true
+
 # Configuration
 SUSPICIOUS_LOGIN_AUTO_BLOCK="${SUSPICIOUS_LOGIN_AUTO_BLOCK:-yes}"
 SUSPICIOUS_LOGIN_AUTO_SCAN="${SUSPICIOUS_LOGIN_AUTO_SCAN:-yes}"
@@ -1673,7 +1677,7 @@ check_maintenance_mode() {
     fi
 
     if [ -n "$indicators" ]; then
-        echo "maintenance-mode:$(echo $indicators | sed 's/ $//')"
+        echo "maintenance-mode:$(sed 's/ $//' <<< "$indicators")"
         return 0
     fi
 
@@ -1823,6 +1827,10 @@ check_recent_password_changes() {
     fi
 
     # Check for locked accounts that were recently unlocked
+    # OPTIMIZATION: Read /etc/passwd ONCE, build nologin list, then check against it
+    # (avoiding redundant grep for each user in the loop)
+    local nologin_users=$(awk -F: '/\/sbin\/nologin|\/bin\/false/ {print $1}' /etc/passwd 2>/dev/null | tr '\n' '|')
+
     local recently_unlocked=$(awk -F: -v cutoff=$(( $(date +%s) / 86400 - 7 )) '
         # Field 2 starts with ! or !! = locked
         # If field 3 (last change) is recent and field 2 does NOT start with !, might have been unlocked
@@ -1830,8 +1838,8 @@ check_recent_password_changes() {
             print $1
         }
     ' /etc/shadow 2>/dev/null | while read user; do
-        # Check if account was previously locked (this is imperfect without history)
-        if grep "^$user:" /etc/passwd | grep -q "/sbin/nologin\|/bin/false"; then
+        # Check if account has nologin shell (from pre-built list)
+        if [[ "|$nologin_users" =~ \|$user\| ]]; then
             echo "$user"
         fi
     done)
@@ -2947,6 +2955,11 @@ main() {
     echo -e "${CYAN}Starting Suspicious Login Monitor...${NC}"
     echo ""
 
+    # Ensure cache is fresh (only rebuilds if > 1 hour old)
+    if command -v db_ensure_fresh &>/dev/null; then
+        db_ensure_fresh 2>/dev/null || true
+    fi
+
     # Detect panel
     local panel=$(detect_panel)
     echo "Detected panel: $panel"