Coderabit suggestions

install/production-filesystem/services/check-cap.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
-# check_nmap_caps.sh - Uses a real nmap command to detect missing container
+# check-cap.sh - Uses a real nmap command to detect missing container
 # privileges and warns the user. It is silent on success.
 
 # Run a fast nmap command that requires raw sockets, capturing only stderr.
-ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1 >/dev/null)
+ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1)
 EXIT_CODE=$?
 
 # Flag common capability errors regardless of exact exit code.

install/production-filesystem/services/check-first-run-db.sh

@@ -19,7 +19,7 @@ EOF
 >&2 printf "%s" "${RESET}"
 
 # Write all text to db file until we see "end-of-database-schema"
-cat << end-of-database-schema > ${NETALERTX_DB_FILE}
+cat << end-of-database-schema > "${NETALERTX_DB_FILE}"
 CREATE TABLE sqlite_stat1(tbl,idx,stat);
 CREATE TABLE Events (eve_MAC STRING (50) NOT NULL COLLATE NOCASE, eve_IP STRING (50) NOT NULL COLLATE NOCASE, eve_DateTime DATETIME NOT NULL, eve_EventType STRING (30) NOT NULL COLLATE NOCASE, eve_AdditionalInfo STRING (250) DEFAULT (''), eve_PendingAlertEmail BOOLEAN NOT NULL CHECK (eve_PendingAlertEmail IN (0, 1)) DEFAULT (1), eve_PairEventRowid INTEGER);
 CREATE TABLE Sessions (ses_MAC STRING (50) COLLATE NOCASE, ses_IP STRING (50) COLLATE NOCASE, ses_EventTypeConnection STRING (30) COLLATE NOCASE, ses_DateTimeConnection DATETIME, ses_EventTypeDisconnection STRING (30) COLLATE NOCASE, ses_DateTimeDisconnection DATETIME, ses_StillConnected BOOLEAN, ses_AdditionalInfo STRING (250));
@@ -433,5 +433,10 @@ CREATE TRIGGER "trg_delete_devices"
             END;
 end-of-database-schema
 
+if [ $? -ne 0 ]; then
+  >&2 echo "Error: Failed to write database schema to ${NETALERTX_DB_FILE}"
+  exit 1
+fi
+
 # Import the database schema into the new database file
-sqlite3 ${NETALERTX_DB_FILE} < ${NETALERTX_DB}/db.sql
+sqlite3 "${NETALERTX_DB_FILE}" < "${NETALERTX_DB}/db.sql"

install/production-filesystem/services/config/nginx/conf.active/netalertx.conf

@@ -16,8 +16,8 @@ events {
 http {
 
 	# Mapping of temp paths for various nginx modules.
-    client_body_temp_path /services/run/tmp/client_body;
-    proxy_temp_path /services/run/tmp/proxy;
+	client_body_temp_path /services/run/tmp/client_body;
+	proxy_temp_path /services/run/tmp/proxy;
 	fastcgi_temp_path /services/run/tmp/fastcgi;
 	uwsgi_temp_path /services/run/tmp/uwsgi;
 	scgi_temp_path /services/run/tmp/scgi;
@@ -74,7 +74,7 @@ http {
 
 
 	# Enable gzipping of responses.
-	#gzip on;
+	gzip on;
 
 	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
 	gzip_vary on;
@@ -102,8 +102,11 @@ http {
         root /app/front;
         index index.php;
         add_header X-Forwarded-Prefix "/app" always;
-
-        location ~* \.php$ {
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        location ~ \.php$ {
+            try_files $uri =404;
             # Set Cache-Control header to prevent caching on the first load
             add_header Cache-Control "no-store";
             fastcgi_pass unix:/services/run/php.sock;

install/production-filesystem/services/config/nginx/netalertx.conf.template

@@ -74,7 +74,7 @@ http {
 
 
 	# Enable gzipping of responses.
-	#gzip on;
+	gzip on;
 
 	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
 	gzip_vary on;
@@ -96,7 +96,7 @@ http {
         root /app/front;
         index index.php;
         add_header X-Forwarded-Prefix "/app" always;
-    	proxy_set_header X-Forwarded-Prefix "/app";
+
 
         location ~* \.php$ {
             # Set Cache-Control header to prevent caching on the first load

install/production-filesystem/services/start-nginx.sh

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-LOG_DIR=${NETALERTX_APP}
+LOG_DIR=${NETALERTX_LOG}
 RUN_DIR=${SYSTEM_SERVICES_RUN}
 TMP_DIR=${SYSTEM_SERVICES_RUN_TMP}
 SYSTEM_NGINX_CONFIG_TEMPLATE="/services/config/nginx/netalertx.conf.template"
@@ -28,17 +28,17 @@ forward_signal() {
 
 
 # When in devcontainer we must kill any existing nginx processes
-while $(ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null); do
+while ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null 2>&1; do
 	killall nginx &>/dev/null || true
 	sleep 0.2
 done
 
 TEMP_CONFIG_FILE=$(mktemp "${TMP_DIR}/netalertx.conf.XXXXXX")
 if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
-	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}" 2>/dev/null || true
+	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}" 
 else
 	echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
-	rm -f "${TEMP_CONFIG_FILE}" 2>/dev/null || true
+	rm -f "${TEMP_CONFIG_FILE}" 
 fi
 
 trap cleanup EXIT

install/production-filesystem/services/update_vendors.sh

@@ -15,7 +15,7 @@
 # ----------------------------------------------------------------------
 
 # Download the file using wget to stdout and process it
-wget -q "http://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
+wget -q "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
     sed -E 's/ *\(base 16\)//' | \
     awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
     sort | \