From a2dd2499d6b29fccf8855c0d0b80ba09027e341d Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Fri, 6 Feb 2026 11:07:24 +0100 Subject: [PATCH] feat(secubox-core): Add file integrity monitoring - secubox-integrity: SHA256-based file integrity checker - Monitors critical files: haproxy.cfg, firewall, network, passwd, shadow - Cron job runs check every 5 minutes - LED pulse alert on file changes - Commands: init, check, status, clear Co-Authored-By: Claude Opus 4.5 --- package/secubox/secubox-core/Makefile | 7 +- .../root/etc/cron.d/secubox-integrity | 3 + .../root/usr/sbin/secubox-integrity | 79 +++++++++++++++++++ 3 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 package/secubox/secubox-core/root/etc/cron.d/secubox-integrity create mode 100644 package/secubox/secubox-core/root/usr/sbin/secubox-integrity diff --git a/package/secubox/secubox-core/Makefile b/package/secubox/secubox-core/Makefile index c3a267f3..955a7084 100644 --- a/package/secubox/secubox-core/Makefile +++ b/package/secubox/secubox-core/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=secubox-core PKG_VERSION:=0.10.0 -PKG_RELEASE:=13 +PKG_RELEASE:=14 PKG_ARCH:=all PKG_LICENSE:=GPL-2.0 PKG_MAINTAINER:=SecuBox Team @@ -78,6 +78,7 @@ define Package/secubox-core/install $(INSTALL_BIN) ./root/usr/sbin/secubox-diagnostics $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-recovery $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-verify $(1)/usr/sbin/ + $(INSTALL_BIN) ./root/usr/sbin/secubox-integrity $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-state $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-component $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-sync-registry $(1)/usr/sbin/ 
@@ -93,6 +94,10 @@ define Package/secubox-core/install # TFTP Recovery init script $(INSTALL_BIN) ./root/etc/init.d/secubox-tftp-recovery $(1)/etc/init.d/ + # File integrity monitoring cron job + $(INSTALL_DIR) $(1)/etc/cron.d + $(INSTALL_DATA) ./root/etc/cron.d/secubox-integrity $(1)/etc/cron.d/ + # TFTP Mesh library $(INSTALL_DIR) $(1)/usr/lib/secubox $(INSTALL_DATA) ./root/usr/lib/secubox/tftp-mesh.sh $(1)/usr/lib/secubox/ diff --git a/package/secubox/secubox-core/root/etc/cron.d/secubox-integrity b/package/secubox/secubox-core/root/etc/cron.d/secubox-integrity new file mode 100644 index 00000000..ce7d87f6 --- /dev/null +++ b/package/secubox/secubox-core/root/etc/cron.d/secubox-integrity @@ -0,0 +1,3 @@ +# SecuBox File Integrity Monitor +# Check critical files every 5 minutes +*/5 * * * * root /usr/sbin/secubox-integrity check >/dev/null 2>&1 diff --git a/package/secubox/secubox-core/root/usr/sbin/secubox-integrity b/package/secubox/secubox-core/root/usr/sbin/secubox-integrity new file mode 100644 index 00000000..e9c3731e --- /dev/null +++ b/package/secubox/secubox-core/root/usr/sbin/secubox-integrity 
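Review bot: The job in the new `root/etc/cron.d/secubox-integrity` file may never run on the target, and nothing would report that. The package layout points to an OpenWrt build, where the default BusyBox crond reads only `/etc/crontabs/<user>`, does not scan `/etc/cron.d`, and does not accept a `root` user column; I cannot see from this patch which cron daemon the image ships, so this needs confirming. If it is BusyBox crond, install the job into root's crontab in the five-field form `*/5 * * * * /usr/sbin/secubox-integrity check >/dev/null 2>&1`, or declare a dependency on a cron daemon that reads `/etc/cron.d`. Because the entry redirects all output to `/dev/null`, the script's own log is the only evidence that the check ran, so a first-run test that looks for a line in `/var/log/secubox/integrity.log` is worth adding.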
@@ -0,0 +1,79 @@
+#!/bin/sh
+# SecuBox File Integrity Monitor
+# Monitors critical system files for unauthorized changes
+
+WATCH_FILES="
+/srv/haproxy/config/haproxy.cfg
+/etc/config/haproxy
+/etc/config/firewall
+/etc/config/network
+/etc/config/wireless
+/etc/config/dropbear
+/etc/passwd
+/etc/shadow
+"
+
+HASH_FILE="/var/run/secubox/integrity.sha256"
+ALERT_FILE="/tmp/secubox/integrity-alert"
+LOG_FILE="/var/log/secubox/integrity.log"
+
+mkdir -p /var/run/secubox /tmp/secubox /var/log/secubox
+
+log() {
+ echo "$(date "+%Y-%m-%d %H:%M:%S") $*" >> "$LOG_FILE"
+ logger -t secubox-integrity "$*"
+}
+
+case "$1" in
+ init)
+ # Initialize baseline hashes
+ > "$HASH_FILE"
+ for f in $WATCH_FILES; do
+ [ -f "$f" ] && sha256sum "$f" >> "$HASH_FILE"
+ done
+ log "Baseline initialized with $(wc -l < "$HASH_FILE") files"
+ echo "Baseline created: $HASH_FILE"
+ ;;
+ check)
+ [ -f "$HASH_FILE" ] || { echo "No baseline. Run: secubox-integrity init"; exit 1; }
+ CHANGES=$(sha256sum -c "$HASH_FILE" 2>/dev/null | grep -v ": OK$")
+ if [ -n "$CHANGES" ]; then
+ echo "$CHANGES" > "$ALERT_FILE"
+ log "ALERT: File changes detected!"
+ echo "$CHANGES" | while read line; do
+ log " $line"
+ done
+ # Trigger LED event pulse
+ echo "alert" > /tmp/secubox/led-event 2>/dev/null
+ echo "ALERT: Files modified!"
+ echo "$CHANGES"
+ exit 1
+ else
+ echo "OK: All files intact"
+ exit 0
+ fi
+ ;;
+ status)
+ if [ -f "$ALERT_FILE" ]; then
+ echo "ALERT: Changes detected:"
+ cat "$ALERT_FILE"
+ else
+ echo "OK: No alerts"
+ fi
+ [ -f "$HASH_FILE" ] && echo "Baseline: $(wc -l < "$HASH_FILE") files monitored"
+ ;;
+ clear)
+ rm -f "$ALERT_FILE"
+ log "Alerts cleared"
+ echo "Alerts cleared"
+ ;;
+ *)
+ echo "Usage: secubox-integrity {init|check|status|clear}"
+ echo ""
+ echo "Commands:"
+ echo " init - Create baseline hashes for monitored files"
+ echo " check - Verify files against baseline"
+ echo " status - Show current alert status"
+ echo " clear - Clear alerts after review"
+ ;;
+esac
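Review bot: The `check` branch fails open when the baseline is missing, empty or unreadable. `HASH_FILE` lives under `/var/run`, which on OpenWrt-style images is normally tmpfs (worth confirming), and nothing visible in this patch runs `init` at boot, so after a reboot the cron run would print "No baseline" into `/dev/null` and log nothing. An empty or malformed baseline gives no stdout lines from `sha256sum -c` once stderr is discarded, so it falls through to "OK: All files intact". I would replace the first guard with `[ -s "$HASH_FILE" ] || { log "ALERT: baseline missing or empty"; echo "No baseline. Run: secubox-integrity init"; exit 1; }` and also raise an alert when `sha256sum -c` exits non-zero with empty output. Separately, `[ -f "$f" ]` in `init` skips files that do not exist yet, so they are never watched if they appear later, and the baseline is writable by the same account whose changes it is meant to detect, so a copy kept off-box or on read-only storage would make a clean result more trustworthy.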