# Mail, Database, and Tool Variables Complete Reference **Status**: Complete - All missing variables created and integrated **Created**: 2026-03-20 **Total New Variables**: 90+ This document defines the new SYS_* variables for mail commands, database commands, security tools, and system authentication files that were identified as missing during the system audit. --- ## Mail Command Variables (from lib/service-info.sh) These variables provide platform-agnostic commands for interacting with mail systems. They automatically adapt to Exim, Postfix, or Sendmail. ### Exim Mail System ```bash SYS_MAIL_BIN_EXIM="/usr/sbin/exim" # Exim binary SYS_MAIL_BIN_SENDMAIL="/usr/sbin/sendmail" # Sendmail symlink (usually to exim) SYS_MAIL_SPOOL="/var/spool/exim" # Mail queue directory SYS_MAIL_CMD_QUEUE_COUNT="exim -bpc" # Count queued messages SYS_MAIL_CMD_QUEUE_LIST="exim -bp" # List all queued messages SYS_MAIL_CMD_QUEUE_RETRY="exim -R" # Retry all messages SYS_MAIL_CMD_QUEUE_REMOVE="exim -Mrm" # Remove message by ID SYS_MAIL_CMD_TEST_ADDRESS="exim -bt" # Test email address routing ``` ### Postfix Mail System ```bash SYS_MAIL_BIN_POSTFIX="/usr/sbin/postfix" # Postfix binary SYS_MAIL_BIN_SENDMAIL="/usr/sbin/sendmail" # Postfix sendmail wrapper SYS_MAIL_SPOOL="/var/spool/postfix" # Mail queue directory SYS_MAIL_CMD_QUEUE_COUNT="mailq 2>/dev/null | tail -1" # Count queued messages SYS_MAIL_CMD_QUEUE_LIST="mailq" # List queued messages SYS_MAIL_CMD_QUEUE_RETRY="postqueue -f" # Flush/retry queue SYS_MAIL_CMD_QUEUE_REMOVE="postsuper -d" # Delete queued message SYS_MAIL_CMD_TEST_ADDRESS="postmap -q" # Test address lookup ``` ### Sendmail Mail System ```bash SYS_MAIL_BIN_SENDMAIL="/usr/sbin/sendmail" # Sendmail binary SYS_MAIL_SPOOL="/var/spool/mqueue" # Mail queue directory SYS_MAIL_CMD_QUEUE_COUNT="mailq 2>/dev/null | tail -1" # Count queued messages SYS_MAIL_CMD_QUEUE_LIST="mailq" # List queued messages SYS_MAIL_CMD_QUEUE_RETRY="/usr/sbin/sendmail -q" # Retry queue SYS_MAIL_CMD_QUEUE_REMOVE="rm -f" # Remove queue files SYS_MAIL_CMD_TEST_ADDRESS="" # Not supported in sendmail ``` ### Usage Examples **Count queued emails**: ```bash source lib/system-variables.sh eval "$SYS_MAIL_CMD_QUEUE_COUNT" # Works on any mail system ``` **List and remove a message**: ```bash source lib/system-variables.sh eval "$SYS_MAIL_CMD_QUEUE_LIST" # Get message ID, then: eval "$SYS_MAIL_CMD_QUEUE_REMOVE message_id" ``` --- ## Database Command Variables (from lib/service-info.sh) These variables provide SQL commands for query, dump, admin operations, and status checks. Support MySQL/MariaDB and PostgreSQL. ### MySQL/MariaDB Commands ```bash SYS_DB_CLI_COMMAND="/usr/bin/mysql" # MySQL CLI binary SYS_DB_DUMP_COMMAND="/usr/bin/mysqldump" # Database dump utility SYS_DB_ADMIN_COMMAND="/usr/bin/mysqladmin" # MySQL admin tool SYS_DB_CHECK_COMMAND="/usr/bin/mysqlcheck" # Check/repair tables SYS_DB_REPAIR_COMMAND="/usr/bin/mysqlcheck --repair --all-databases" SYS_DB_OPTIMIZE_COMMAND="/usr/bin/mysqlcheck --optimize --all-databases" SYS_DB_STATUS_COMMAND="mysql -e 'SHOW STATUS' 2>/dev/null" SYS_DB_SHOW_DATABASES="mysql -e 'SHOW DATABASES' 2>/dev/null" SYS_DB_SHOW_TABLES="mysql DATABASE -e 'SHOW TABLES' 2>/dev/null" ``` ### PostgreSQL Commands ```bash SYS_DB_CLI_COMMAND="/usr/bin/psql" # PostgreSQL CLI SYS_DB_DUMP_COMMAND="/usr/bin/pg_dump" # Database dump SYS_DB_ADMIN_COMMAND="/usr/bin/pg_isready" # Admin check SYS_DB_CHECK_COMMAND="/usr/bin/pg_check" # Table check SYS_DB_REPAIR_COMMAND="VACUUM FULL ANALYZE" # Repair command SYS_DB_OPTIMIZE_COMMAND="ANALYZE" # Optimize command SYS_DB_STATUS_COMMAND="/usr/bin/pg_isready" # Status check SYS_DB_SHOW_DATABASES="psql -l" # List databases SYS_DB_SHOW_TABLES="psql -c '\dt'" # List tables ``` ### Usage Examples **Dump a database**: ```bash source lib/system-variables.sh $SYS_DB_DUMP_COMMAND -u root database_name > backup.sql ``` **Check database integrity**: ```bash source lib/system-variables.sh $SYS_DB_CHECK_COMMAND -u root ``` **List all databases**: ```bash source lib/system-variables.sh eval "$SYS_DB_SHOW_DATABASES" ``` --- ## Security Scanner Tools (from lib/security-tools.sh) ### ClamAV (Antivirus) ```bash SYS_SCANNER_CLAMAV="/usr/bin/clamscan" # ClamAV scanner binary SYS_SCANNER_CLAMUPDATE="/usr/bin/freshclam" # Database update tool SYS_SCANNER_CLAMSCAN="clamscan" # Scanner command SYS_SCANNER_CLAMAV_DB="/var/lib/clamav" # Signature database dir SYS_SCANNER_CLAMAV_LOG="/var/log/clamav/scan.log" # Scan log ``` ### Maldet (Linux Malware Detect) ```bash SYS_SCANNER_MALDET="/usr/local/maldetect/maldet" # Maldet binary SYS_SCANNER_MALDET_DIR="/usr/local/maldetect" # Installation dir SYS_SCANNER_MALDET_QUARANTINE="/usr/local/maldetect/quarantine" SYS_SCANNER_MALDET_LOG="/var/log/maldet.log" # Maldet log ``` ### RKHunter (Rootkit Hunter) ```bash SYS_SCANNER_RKHUNTER="/usr/bin/rkhunter" # RKHunter binary SYS_SCANNER_RKHUNTER_CONFIG="/etc/rkhunter.conf" # Config file SYS_SCANNER_RKHUNTER_DB="/var/lib/rkhunter/db" # Database dir SYS_SCANNER_RKHUNTER_LOG="/var/log/rkhunter.log" # Scan log ``` ### Imunify360 (Security Suite) ```bash SYS_SCANNER_IMUNIFY="/usr/bin/imunify360-agent" # Imunify CLI SYS_SCANNER_IMUNIFY_CONFIG="/etc/sysconfig/imunify360" # Config dir SYS_SCANNER_IMUNIFY_DB="/var/lib/imunify360" # Database dir SYS_SCANNER_IMUNIFY_LOG="/var/log/imunify360/imunify360.log" ``` ### Control Panel Security Tools **cPanel**: ```bash SYS_CPANEL_WHMAPI="/usr/local/cpanel/whostmgr/docroot/cgi/whmapi1" SYS_CPANEL_UAPI="/usr/local/cpanel/uapi" SYS_CPANEL_HULK="/usr/sbin/csf" # CSF is primary on cPanel SYS_CPANEL_SCAN_TOOL="/usr/local/cpanel/scripts/checkfiles" SYS_CPANEL_MALWARE_SCANNER="/usr/local/cpanel/scripts/scan_malware" ``` **Plesk**: ```bash SYS_PLESK_API="/usr/local/psa/bin/plesk" SYS_PLESK_ADMIN_API="/usr/local/psa/admin/bin/api.sh" SYS_PLESK_EXTENSION_API="/usr/local/psa/admin/bin/extension" SYS_PLESK_MTA_SCAN="/usr/local/psa/bin/postfix_control" ``` **InterWorx**: ```bash SYS_INTERWORX_BIN="/home/interworx/bin" SYS_INTERWORX_NODEWORX="/home/interworx/bin/nodeworx" SYS_INTERWORX_SITEWORX="/home/interworx/bin/siteworx" ``` ### System Security Tools **Fail2Ban** (if installed): ```bash SYS_FAIL2BAN_CLIENT="/usr/bin/fail2ban-client" # Fail2Ban CLI SYS_FAIL2BAN_CONFIG="/etc/fail2ban" # Config dir SYS_FAIL2BAN_JAIL="/etc/fail2ban/jail.local" # Jail config ``` **ModSecurity** (if enabled): ```bash SYS_MODSECURITY_ENABLED="1" # Is it enabled? SYS_MODSECURITY_CONF="/etc/apache2/mods-available/security.conf" SYS_MODSECURITY_RULES="/etc/modsecurity" # Rules directory SYS_MODSECURITY_AUDIT_LOG="/var/log/apache2/modsec_audit.log" ``` **SELinux** (if available): ```bash SYS_SELINUX_ENABLED="1" # Is SELinux present? SYS_SELINUX_STATUS="enforcing" # Current status SYS_SELINUX_CONFIG="/etc/selinux/config" # Config file ``` **AppArmor** (if available - Ubuntu/Debian): ```bash SYS_APPARMOR_ENABLED="1" # Is AppArmor present? SYS_APPARMOR_CONFIG="/etc/apparmor" # Config dir ``` ### Usage Examples **Scan for malware with ClamAV**: ```bash source lib/system-variables.sh if [ -n "$SYS_SCANNER_CLAMAV" ]; then $SYS_SCANNER_CLAMAV -r /home fi ``` **Check ClamAV signature database freshness**: ```bash source lib/system-variables.sh if [ -n "$SYS_SCANNER_CLAMUPDATE" ]; then $SYS_SCANNER_CLAMUPDATE fi ``` --- ## System Authentication Variables (from lib/system-authentication.sh) ### System Authentication Files ```bash SYS_AUTH_PASSWD_FILE="/etc/passwd" # User database SYS_AUTH_SHADOW_FILE="/etc/shadow" # Password hashes SYS_AUTH_GROUP_FILE="/etc/group" # Group database SYS_AUTH_GSHADOW_FILE="/etc/gshadow" # Group passwords SYS_AUTH_SUDOERS_FILE="/etc/sudoers" # Sudo config SYS_AUTH_SUDOERS_DIR="/etc/sudoers.d" # Sudoers extras SYS_AUTH_PAM_DIR="/etc/pam.d" # PAM configs SYS_AUTH_SSH_CONFIG="/etc/ssh/sshd_config" # SSH config SYS_AUTH_HOSTS_ALLOW="/etc/hosts.allow" # TCP wrappers allow SYS_AUTH_HOSTS_DENY="/etc/hosts.deny" # TCP wrappers deny SYS_AUTH_CRONTAB_DIR="/var/spool/cron" # Cron jobs SYS_LOG_CRON="/var/log/cron" # Cron logs (RHEL) # or /var/log/syslog (Debian) ``` ### Web Server User & Group IDs ```bash SYS_WEB_UID=33 # www-data (Debian) or apache (RHEL): uid SYS_WEB_GID=33 # www-data (Debian) or apache (RHEL): gid # Values vary by OS: Debian uses www-data (33), RHEL uses apache (48) ``` ### Database User & Group IDs ```bash SYS_DB_UID=986 # mysql user uid SYS_DB_GID=986 # mysql group gid # PostgreSQL uses postgres (uid 999) ``` ### Mail System User & Group IDs ```bash SYS_MAIL_UID=8 # mail user (Exim/Postfix) SYS_MAIL_GID=12 # mail group # Values vary: Debian-exim (101), Postfix (89), Sendmail (209) ``` ### Control Panel User & Group IDs ```bash SYS_CPANEL_SYSTEM_UID=65534 # nobody on cPanel SYS_CPANEL_SYSTEM_GID=65534 SYS_PLESK_SYSTEM_UID=52 # psaadm on Plesk SYS_PLESK_SYSTEM_GID=52 SYS_INTERWORX_SYSTEM_UID=99 # iworx on InterWorx SYS_INTERWORX_SYSTEM_GID=99 ``` ### Usage Examples **Check if a user exists**: ```bash source lib/system-variables.sh grep "^username:" "$SYS_AUTH_PASSWD_FILE" && echo "User exists" ``` **List users in sudo group**: ```bash source lib/system-variables.sh getent group sudo | cut -d: -f4 ``` **Get web server user UID for permission checks**: ```bash source lib/system-variables.sh if [ "$user_uid" -eq "$SYS_WEB_UID" ]; then echo "File is owned by web server" fi ``` **Find all files owned by database user**: ```bash source lib/system-variables.sh find /var/lib/mysql -user mysql # Alternative to: find ... -uid $SYS_DB_UID ``` --- ## How Modules Should Use These Variables ### Before (Hardcoded - NOT portable): ```bash #!/bin/bash # Old way - hardcoded paths # Mail queue check (only works on Exim) count=$(exim -bpc) # Database backup (hardcoded mysql path) mysqldump -u root --all-databases > backup.sql # ClamAV scan (hardcoded path) /usr/bin/clamscan -r /home ``` ### After (Using SYS_* Variables - Portable): ```bash #!/bin/bash # New way - works on any platform source "$SCRIPT_DIR/lib/system-variables.sh" # Mail queue check (works on any mail system) eval "$SYS_MAIL_CMD_QUEUE_COUNT" # Database backup (works on MySQL or PostgreSQL) $SYS_DB_DUMP_COMMAND --all-databases > backup.sql # ClamAV scan (only runs if ClamAV installed) if [ -n "$SYS_SCANNER_CLAMAV" ]; then $SYS_SCANNER_CLAMAV -r /home fi ``` --- ## Variable Availability by Platform ### CentOS/RHEL Systems - Mail: Exim (most common), Postfix, Sendmail - Database: MySQL/MariaDB - Web: Apache (httpd) or Nginx - Security: CSF, firewalld, Imunify360 - UIDs: mail=8, apache=48, mysql=986 ### Ubuntu/Debian Systems - Mail: Postfix (most common), Exim, Sendmail - Database: MySQL/MariaDB or PostgreSQL - Web: Apache (apache2) or Nginx - Security: UFW, Fail2Ban, AppArmor - UIDs: mail=8, www-data=33, mysql=106 ### Empty Variables Variables are EMPTY on systems where the tool is not installed. Always check: ```bash if [ -n "$SYS_SCANNER_CLAMAV" ]; then # ClamAV is installed, use it $SYS_SCANNER_CLAMAV -r /home fi ``` --- ## Integration Checklist **When updating scripts to use these variables:** 1. ✅ Source lib/system-variables.sh (or lib/service-info.sh) 2. ✅ Replace hardcoded mail commands with SYS_MAIL_CMD_* variables 3. ✅ Replace hardcoded database commands with SYS_DB_CLI_* variables 4. ✅ Replace hardcoded scanner paths with SYS_SCANNER_* variables 5. ✅ Use SYS_AUTH_* for file paths, not hardcoded /etc/passwd 6. ✅ Check SYS_*_UID/GID before doing permission checks 7. ✅ Check that variables are not empty before using (some tools optional) --- ## Summary - **90+ new variables created** covering mail, database, tools, and authentication - **Multi-platform**: Variables adapt to detected Exim/Postfix/Sendmail, MySQL/PostgreSQL - **Control panel aware**: InterWorx, Plesk, cPanel specific tools included - **Auto-populated**: Launcher.sh detects and derives all variables automatically - **Zero hardcoding**: Modules no longer need hardcoded paths for mail, DB, or tools - **Optional tools**: Variables empty if tool not installed - safe to check before use --- **Next Steps for Script Developers:** 1. Update modules/email/* scripts to use SYS_MAIL_CMD_* variables 2. Update modules/performance/mysql-query-analyzer.sh to use SYS_DB_* variables 3. Update modules/security/* to use SYS_SCANNER_* variables 4. Use SYS_AUTH_* for any file/permission checks