diff --git a/ajax.php b/ajax.php
index 5ec8272..10f2419 100644
--- a/ajax.php
+++ b/ajax.php
@@ -1,2113 +1,2116 @@
-" . update_finding_status() . "";
-}
-elseif ($action == 'update_finding_ia_controls') {
- print "" . update_finding_ia_controls() . "";
-}
-elseif ($action == 'update_finding_notes') {
- print "" . update_finding_notes() . "";
-}
-elseif ($action == 'update_risk_status') {
- print update_risk_status();
-}
-elseif ($action == 'update_risk_analysis') {
- print update_risk_analysis();
-}
-elseif ($action == 'update_control_completion') {
- print update_control_completion();
-}
-elseif ($action == 'update_stig_control') {
- print update_stig_control();
-}
-elseif ($action == 'refresh_counts') {
- print "" . refresh_counts() . "";
-}
-elseif ($action == 'get_control_details') {
- if ($_REQUEST['id'] == 'overall') {
- print get_STE_details();
- }
- else {
- print get_control_details();
- }
-}
-elseif ($action == 'update_STE') {
- print update_STE_details();
-}
-elseif ($action == 'update_STE_risk') {
- $conn->real_query(
- "UPDATE `sagacity`.`ste` SET `risk_status`='" .
- strtolower($conn->real_escape_string($_REQUEST['status'])) .
- "' WHERE `id`=" . $conn->real_escape_string($ste));
-}
-elseif ($action == 'get_hosts') {
- $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- if (is_numeric($cat_id)) {
- print get_hosts($cat_id);
- }
- else {
- print json_encode(['error' => 'Invalid category ID']);
- }
-}
-elseif ($action == 'new-get-hosts') {
- $cat_id = filter_input(INPUT_POST, 'cat-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- if (is_numeric($cat_id)) {
- print new_get_hosts($cat_id);
- }
- else {
- print json_encode(['error' => 'Invalid category ID']);
- }
-}
-elseif ($action == 'get_target_data') {
- print get_target_data($_REQUEST['type']);
-}
-elseif ($action == 'save_filter') {
- print $db->save_Filter($_REQUEST['type'], $_REQUEST['name'], $_REQUEST['criteria']);
-}
-elseif ($action == 'target-filter') {
- print header(JSON) . target_filter($ste, $_REQUEST['criteria']);
-}
-elseif ($action == 'scan-filter') {
- print scan_filter($ste, $_REQUEST['criteria']);
-}
-elseif ($action == 'finding-filter') {
- print finding_filter($ste, $_REQUEST['criteria']);
-}
-elseif ($action == 'reference-filter') {
- print reference_filter($ste, $_REQUEST['criteria']);
-}
-elseif ($action == 'get-saved-filter') {
- print get_saved_filter($_REQUEST['type'], $_REQUEST['name']);
-}
-elseif ($action == 'update-target-field') {
- print update_target_field($_REQUEST['field'], $_REQUEST['data']);
-}
-elseif ($action == 'get_category_details') {
- $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT);
- print header(JSON) . get_category_details($cat_id);
-}
-elseif ($action == 'add_scans') {
- $import = new import();
- $import->scan_Result_Files(false);
-
- print header(JSON) . json_encode(array(
- 'success' => 'Thread running'
- ));
-}
-elseif ($action == 'auto-categorize') {
- $db->auto_Catorgize_Targets($ste);
-
- print header(JSON) . json_encode([
- 'success' => 'Categorized Targets'
- ]);
-}
-elseif ($action == 'delete-cat') {
- $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT);
- if ($db->delete_Cat($cat_id)) {
- print header(JSON) . json_encode([
- 'success' => 'Successfully deleted category'
- ]);
- }
-}
-elseif ($action == 'delete-file') {
- $file = TMP . "/" . filter_input(INPUT_POST, 'filename', FILTER_SANITIZE_STRING);
- if (file_exists($file)) {
- if (unlink($file)) {
- print header(JSON) . json_encode([
- 'success' => 'Deleted file'
- ]);
- }
- else {
- print header(JSON) . json_encode([
- 'error' => "Failed to delete $file"
- ]);
- }
- }
- else {
- print header(JSON) . json_encode([
- 'error' => "$file does not exist"
- ]);
- }
-}
-elseif ($action == 'get-cat-data') {
- $fname = filter_input(INPUT_POST, 'fname', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
- $checklist = $db->get_Checklist_By_File($fname);
-
- if (isset($checklist[0])) {
- $checklist[0]->type = ucfirst($checklist[0]->type);
- print header(JSON) . json_encode($checklist[0]);
- }
- else {
- print header(JSON) . json_encode(array('error' => 'Error finding checklist'));
- }
-}
-elseif ($action == 'checklist-remove-software') {
- $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
- $db->help->delete("sagacity.checklist_software_lookup", null, array(
- array(
- 'field' => 'chk_id',
- 'op' => '=',
- 'value' => $chk_id
- ),
- array(
- 'field' => 'sw_id',
- 'op' => '=',
- 'value' => $sw_id,
- 'sql_op' => 'AND'
- )
- ));
-
- if ($db->help->execute()) {
- print header(JSON) . json_encode(array('success' => 'Relationship deleted'));
- }
- else {
- print header(JSON) . json_encode(array('error' => 'Failed to delete relationship'));
- }
-}
-elseif ($action == 'checklist-add-software') {
- $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
- $db->help->insert("checklist_software_lookup", array(
- 'sw_id' => $sw_id,
- 'chk_id' => $chk_id
- ), true);
-
- if (!$db->help->execute()) {
- print header(JSON) . json_encode(array('status' => 'Error adding the software to the checklist'));
- }
- else {
- print header(JSON) . json_encode(array('status' => 'Successfully added the software'));
- }
-}
-elseif ($action == 'save-checklist') {
- $rel_date = new DateTime(filter_input(INPUT_POST, 'rel-date', FILTER_SANITIZE_STRING));
-
- $db->help->update("sagacity.checklist", [
- 'name' => filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING),
- 'description' => filter_input(INPUT_POST, 'desc', FILTER_SANITIZE_STRING),
- 'icon' => filter_input(INPUT_POST, 'icon', FILTER_SANITIZE_STRING),
- 'date' => (is_a($rel_date, 'DateTime') ? $rel_date->format(MYSQL_D_FORMAT) : (new DateTime())->format(MYSQL_D_FORMAT))
- ], [
- [
- 'field' => 'id',
- 'op' => '=',
- 'value' => filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT)
- ]
- ]);
-
- if($db->help->execute()) {
- print json_encode(['success' => 'Successfully updated checklist']);
- }
- else {
- print json_encode(['error' => 'Error updating checklist']);
- }
-}
-elseif ($action == 'export-ckl') {
- $cat_id = filter_input(INPUT_POST, 'cat', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $tgt_id = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $script = null;
-
- if (!is_numeric($ste)) {
- die;
- }
-
- if ($cat_id && is_numeric($cat_id)) {
- $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) .
- " -c " . realpath(PHP_CONF) .
- " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" .
- " -s=$ste" .
- " -c=$cat_id";
- }
- elseif ($tgt_id && is_numeric($tgt_id)) {
- $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) .
- " -c " . realpath(PHP_CONF) .
- " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" .
- " -s=$ste" .
- " -t=$tgt_id";
- }
-
- if (!is_null($script)) {
- if (strtolower(substr(PHP_OS, 0, 3)) == "win") {
- $shell = new COM("WScript.Shell");
- $shell->CurrentDirectory = DOC_ROOT . "/exec";
- $shell->run($script, 0, false);
- }
- elseif (strtolower(substr(PHP_OS, 0, 3)) == 'lin') {
- exec("cd " . realpath(DOC_ROOT . "/exec") . " && {$script} > /dev/null &");
- }
- }
-}
-elseif ($action == 'delete-host') {
- $sel_tgts = json_decode(html_entity_decode(filter_input(INPUT_POST, 'selected_tgts', FILTER_SANITIZE_STRING)));
- if (is_array($sel_tgts) && count($sel_tgts)) {
- foreach ($sel_tgts as $tgt_id) {
- if (!$db->delete_Target($tgt_id)) {
- print header(JSON) . json_encode(array('error' => "Failed to delete target ID $tgt_id"));
- break;
- }
- }
- }
- elseif (is_numeric($sel_tgts)) {
- if (!$db->delete_Target($sel_tgts)) {
- print header(JSON) . json_encode(array('error' => "Failed to delete target ID $sel_tgts"));
- }
- }
-
- print header(JSON) . json_encode(['success' => "Deleted all selected target(s)"]);
-}
-elseif ($action == 'get-target-notes') {
- $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- if (is_numeric($tgt_id) && $tgt_id > 0) {
- $db->help->select("target", ['notes'], [
- [
- 'field' => 'id',
- 'op' => '=',
- 'value' => $tgt_id
- ]
- ]);
- $row = $db->help->execute();
- if (is_array($row) && count($row) && isset($row['notes'])) {
- print header(JSON) . json_encode(['notes' => $row['notes']]);
- }
- }
-}
-elseif ($action == 'save-target-notes') {
- $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $notes = filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
- if (is_numeric($tgt_id) && $tgt_id > 0) {
- $db->help->update("target", [
- 'notes' => htmlentities($notes)
- ], [
- [
- 'field' => 'id',
- 'op' => '=',
- 'value' => $tgt_id
- ]
- ]);
- if ($db->help->execute()) {
- print header(JSON) . json_encode(['success' => 'Updated target notes']);
- }
- else {
- print header(JSON) . json_encode(['error' => $db->help->c->error]);
- }
- }
-}
-elseif ($action == 'get-load-status') {
- $set = $db->get_Settings([
- 'cpe-count', 'cpe-dl-progress', 'cpe-progress',
- 'cve-count', 'cve-dl-progress', 'cve-progress',
- 'nvd-cve-count', 'nvd-cve-dl-progress', 'nvd-cve-progress', 'nvd-year',
- 'stig-count', 'stig-dl-progress', 'stig-progress',
- 'nasl-count', 'nasl-dl-progress', 'nasl-progress'
- ]);
- print json_encode($set);
-}
-elseif ($action == 'delete-scan') {
- $scan_id = filter_input(INPUT_POST, 'scan-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $del_tgts = (bool) filter_input(INPUT_POST, 'delete-targets', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
- if ($scan_id) {
- if ($db->delete_Scan($ste, $scan_id, $del_tgts)) {
- print json_encode(['success' => 'Deleted Scan']);
- }
- else {
- print json_encode(['error' => 'Error deleting scan']);
- }
- }
-}
-
-function update_tgt_notes()
-{
- global $db;
- $notes = str_replace(" ", "", filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING));
- $tgt = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT);
-
- $db->help->update("sagacity.target", array(
- 'notes' => $notes
- ), array(
- array(
- 'field' => 'id',
- 'op' => '=',
- 'value' => $tgt
- )
- ));
-
- if (!$db->help->execute()) {
- return "failure";
- }
- else {
- return "success";
- }
-}
-
-function chk_filter()
-{
- global $db;
- $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $filter = filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
- $hide_old = (boolean) filter_input(INPUT_POST, 'hide_old', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
-
- $ret = array();
- $db->help->create_table("c", true, $db->help->select("sagacity.checklist", null, array(), array(
- 'order' => '`ver` DESC, CONVERT(`release`, DECIMAL(4,2)) DESC'
- )));
- if (!$db->help->execute()) {
- return $ret;
- }
- $where = array();
- $flags = array();
-
- if (!empty($filter)) {
- $where = array(
- array(
- 'field' => 'c.name',
- 'op' => LIKE,
- 'value' => "'%{$filter}%'"
- )
- );
- }
-
- if (!empty($tgt_id)) {
- $where[] = array(
- 'field' => 'tc.chk_id',
- 'op' => IS,
- 'value' => null,
- 'sql_op' => 'AND'
- );
- $flags['table_joins'] = array(
- "LEFT JOIN sagacity.target_checklist tc ON tc.chk_id = c.id AND tc.tgt_id = $tgt_id"
- );
- $flags['order'] = 'c.name';
- }
- if ($hide_old) {
- $flags['group'] = 'c.name, c.type, c.id';
- }
-
- $db->help->select("c", array('c.id'), $where, $flags);
-
- $rows = $db->help->execute();
- if (is_array($rows) && count($rows) && isset($rows['id'])) {
- $rows = array(0 => $rows);
- }
-
- if (is_array($rows) && count($rows) && isset($rows[0])) {
- foreach ($rows as $row) {
- $chk = $db->get_Checklist($row['id']);
- if (is_array($chk) && count($chk) && isset($chk[0]) && is_a($chk[0], 'checklist')) {
- $ret[] = $chk[0];
- }
- }
- }
-
- return json_encode($ret);
-}
-
-function sw_filter($is_os = false)
-{
- global $db;
- $ret = [];
- $filter = "'%" . filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE) . "%'";
- $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
- $db->help->select("sagacity.software s", ['s.id', 's.cpe', 's.sw_string'], [
- [
- 'field' => 's.cpe',
- 'op' => LIKE,
- 'value' => $filter,
- 'open-paren' => true
- ],
- [
- 'field' => 's.sw_string',
- 'op' => LIKE,
- 'value' => $filter,
- 'sql_op' => 'OR'
- ],
- [
- 'field' => 's.short_sw_string',
- 'op' => LIKE,
- 'value' => $filter,
- 'sql_op' => 'OR',
- 'close-paren' => true
- ],
- [
- 'field' => 'ts.sft_id',
- 'op' => IS,
- 'value' => null,
- 'sql_op' => 'AND'
- ],
- [
- 'field' => 's.cpe',
- 'op' => LIKE,
- 'value' => ($is_os ? "'%/o%'" : "'%/a%'"),
- 'sql_op' => 'AND'
- ]
- ], [
- 'table_joins' => [
- "LEFT JOIN `sagacity`.`target_software` ts ON ts.`sft_id` = s.`id`" . ($tgt_id ? " AND ts.`tgt_id` = $tgt_id" : "")
- ],
- 'order' => 's.cpe',
- 'limit' => 25
- ]);
-
- $sw = $db->help->execute();
-
- if (is_array($sw) && count($sw) && isset($sw['id'])) {
- $sw = [0 => $sw];
- }
-
- if (is_array($sw) && count($sw) && isset($sw[0])) {
- foreach ($sw as $row) {
- $ret[] = [
- 'sw_id' => $row['id'],
- 'cpe' => $row['cpe'],
- 'sw_string' => $row['sw_string']
- ];
- }
- }
-
- return header(JSON) . json_encode($ret);
-}
-
-function update_proc_status()
-{
- global $conn, $ste;
- $control_id = str_replace("_", "-", substr(param('control'), 0, -7));
- if (preg_match("/[A-Z]{4}\-\d\-\d/", $control_id)) {
- $proc_id = $control_id;
- $sql = "SELECT `ctrl_id` " .
- "FROM `sagacity`.`proc_findings` " .
- "WHERE " .
- "`ste_id`=" . $conn->real_escape_string($ste) . " AND " .
- "`proc_id`='" . $conn->real_escape_string($control_id) . "'";
- if ($res = $conn->query($sql)) {
- if ($res->num_rows) {
- $row = $res->fetch_array(MYSQLI_ASSOC);
-
- $sql = "UPDATE `sagacity`.`proc_findings` " .
- "SET `status`='" . $conn->real_escape_string($_REQUEST['status']) . " " .
- "WHERE `ste_id`=" . $conn->real_escape_string($ste) . " AND " .
- "`proc_id`='" . $conn->real_escape_string($row['ctrl_id']) . "'";
- }
- else {
- $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (" .
- $_REQUEST['ste'] . "," .
- "'" . $conn->real_escape_string(substr($proc_id, 0, 6)) . "'" .
- "'" . $conn->real_escape_string($proc_id) . "'" .
- "'" . $conn->real_escape_string($_REQUEST['status']) . "')";
- }
-
- if (!$conn->real_query($sql)) {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
- }
- }
- }
- else {
- $sql = "SELECT `sub_control_id` FROM `sagacity`.`proc_ia_sub_controls` WHERE `parent_control_id`=?";
-
- $sub_ctrls = db_helper::selectrow_array($conn, db_helper::mysql_escape_string($conn, $sql, $control_id));
-
- foreach ($sub_ctrl as $proc_id) {
- $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?";
- $sql = db_helper::mysql_escape_string($conn, $sql, $_REQUEST['ste'], $proc_id);
- list($cnt) = db_helper::selectrow_array($conn, $sql);
- if ($cnt) {
- db_helper::run($conn, "UPDATE `sagacity`.`proc_findings` SET `status`=? WHERE `ste_id`=? AND `proc_id`=?", $_REQUEST['status'], $_REQUEST['ste'], $proc_id);
- }
- else {
- db_helper::run($conn, "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (?,?,?,?)", $_REQUEST['ste'], $control_id, $proc_id, $_REQUEST['status']);
- }
- }
- }
-}
-
-function update_proc_notes()
-{
- $control_id = $field = $_REQUEST['control'];
- $match = array();
- if (preg_match("/([A-Z]{4}\_\d\_\d)/", $control_id, $match)) {
- $control_id = str_replace("_", "-", $match[1]);
-
- $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?";
-
- switch ($field) {
- case (preg_match("/_test_result/", $field) ? true : false):
- $field = "`test_results`";
- break;
- case (preg_match("/_mit/", $field) ? true : false):
- $field = "`mitigations`";
- break;
- case (preg_match("/_milestone/", $field) ? true : false):
- $field = "`milestones`";
- break;
- case (preg_match("/_ref/", $field) ? true : false):
- $field = "`ref`";
- break;
- case (preg_match("/_notes/", $field) ? true : false):
- $field = "`notes`";
- break;
- default:
- $field = "";
- }
-
- list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id);
- if ($cnt) {
- $sql = "UPDATE `sagacity`.`proc_findings` SET=? WHERE `ste_id`=? AND `proc_id`=?";
-
- db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id);
- }
- else {
- $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`,$field) VALUES (?,?,?,?,?)";
-
- db_helper::run($conn, $sql, $_REQUEST['ste'], substr($control_id, 0, 6), $control_id, "Not Reviewed", $_REQUEST['notes']);
- }
- }
- elseif (preg_match("/([A-Z]{4}\_\d)/", $control_id, $match)) {
- $control_id = str_replace("_", "-", $match[1]);
-
- $sql = "SELECT COUNT(1) FROM `sagacity`.`control_findings` WHERE `ste_id`=? AND `control_id`=?";
- list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id);
-
- switch ($field) {
- case (preg_match("/_vul_desc/", $field) ? true : false):
- $field = "`vul_desc`";
- break;
- case (preg_match("/_mit/", $field) ? true : false):
- $field = "`mitigations`";
- break;
- case (preg_match("/_ref/", $field) ? true : false):
- $field = "`ref`";
- break;
- case (preg_match("/_notes/", $field) ? true : false):
- $field = "`notes`";
- break;
- default:
- $field = "";
- }
-
- if ($cnt) {
- $sql = "UPDATE `sagacity`.`control_findings` SET $field=? WHERE `ste_id`=? AND `control_id`=?";
-
- db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id);
- }
- else {
- $sql = "INSERT INTO `sagacity`.`control_findings` (`control_id`,`ste_id`,$field,`risk_status`) " .
- "VALUES (?,?,?,(SELECT LOWER(`impact`) FROM `sagacity`.`proc_ia_controls` WHERE `control_id`=?))";
-
- db_helper::run($conn, $sql, $control_id, $_REQUEST['ste'], $_REQUEST['notes'], $control_id);
- }
- }
-
- return true;
-}
-
-function refresh_counts()
-{
- $ret = '';
- $sql = "SELECT `id`,`name` FROM `ste_cat` WHERE `ste_id`=?";
-
- $cats = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']);
-
- foreach ($cats as $key => $cat) {
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "fs.`status`='Open' AND " .
- "f.`cat`=?) + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `checklist` c " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "fs.`status`='Open' AND " .
- "f.`cat`=?) AS 'sum_total'";
-
- list($open_cat_1) = db_helper::selectrow_array($conn, $sql2, $row['id'], '1', $row['id'], '1');
- list($open_cat_2) = db_helper::selectrow_array($conn, $sql2, $row['id'], '2', $row['id'], '2');
- list($open_cat_3) = db_helper::selectrow_array($conn, $sql2, $row['id'], '3', $row['id'], '3');
-
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `target` t " .
- "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `checklist` c " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) AS 'sum_total'";
-
- list($not_reviewed) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
-
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `target` t " .
- "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "fs.`status`='Exception') + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `checklist` c " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "fs.`status`='Exception') AS 'sum_total'";
-
- list($exception) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
-
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `target` t " .
- "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "fs.`status`='False Positive') + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `checklist` c " .
- "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "fs.`status`='False Positive') AS 'sum_total'";
-
- list($false_positive) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
-
- $row['name'] = str_replace(array(".", "-", " "), "", $row['name']);
-
- $ret .= "";
- }
-
- return $ret;
-}
-
-function update_finding_status()
-{
- global $conn;
- $sql = "UPDATE `findings` SET " .
- "`findings_status_id`=? " .
- "WHERE " .
- "`tgt_id`=? AND `pdi_id`=?";
-
- db_helper::run($conn, $sql, $_REQUEST['status'], $_REQUEST['host_id'], $_REQUEST['pdi_id']);
-
- return true;
-}
-
-function update_finding_ia_controls()
-{
- $controls = explode(" ", $_REQUEST['ia_controls']);
- $host_ids = explode(",", $_REQUEST['host_id']);
-
- return true;
-}
-
-function update_finding_notes()
-{
- global $conn;
- $host_ids = explode(",", $_REQUEST['host_id']);
-
- $sql = "UPDATE `sagacity`.`findings` SET " .
- "`notes`=? " .
- "WHERE " .
- "`tgt_id` IN (" . implode(",", $host_ids) . ") AND `pdi_id`=?";
-
- db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['pdi_id']);
-
- return true;
-}
-
-/**
- * Function to update the result script parsing status
- *
- * @global db $db
- * @global int $ste
- *
- * @return array
- */
-function update_script_status()
-{
- global $db, $ste;
- $ret = [];
-
- $type = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
- $status = filter_input(INPUT_POST, 'status', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
-
- if (!empty($type) && !empty($status)) {
- $scans = $db->get_ScanData($ste, null, $status, $type);
- }
- elseif (!empty($type)) {
- $scans = $db->get_ScanData($ste, null, null, $type);
- }
- elseif (!empty($status)) {
- $scans = $db->get_ScanData($ste, null, $status);
- }
- else {
- $scans = $db->get_ScanData($ste);
- }
-
- foreach ($scans as $scan) {
- $file_name = str_replace(["(", ")"], "", str_replace(" ", "_", $scan->get_File_Name()));
- $diff = $scan->get_Last_Update()->diff($scan->get_Start_Time());
-
- $ret[] = [
- "scan_id" => $scan->get_ID(),
- "file_name" => $scan->get_File_Name(),
- "id" => $file_name,
- "file_date" => $scan->get_File_DateTime()->format("Y-m-d"),
- "pid" => $scan->get_PID(),
- "source" => $scan->get_Source()->get_Name(),
- 'source_img' => $scan->get_Source()->get_Icon(),
- "status" => $scan->get_Status(),
- "perc_comp" => $scan->get_Percentage_Complete(),
- "last_host" => $scan->get_Last_Host(),
- "start_time" => $scan->get_Start_Time()->format("Y-m-d H:i:s"),
- "update" => $scan->get_Last_Update()->format("Y-m-d H:i:s"),
- "host_count" => $scan->get_Total_Host_Count(),
- "error" => $scan->isScanError(),
- "run_time" => $diff->format("%H:%I:%S")
- ];
- }
-
- return json_encode(['success' => 1, 'results' => $ret]);
-}
-
-/**
- *
- * @global mysqli $conn
- * @global db $db
- */
-function get_STE_details()
-{
- global $conn, $db;
- $ret = '';
- $open_high = $open_med = $open_low = $proc_na = $proc_c = $proc_total = $open_cat_1 = $open_cat_2 = $open_cat_3 = $tech_na = $tech_nf = $tech_total = 0;
-
- list($tech_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`findings` f JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` WHERE t.`ste_id`=?", $_REQUEST['ste_id']);
- list($proc_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=?", $_REQUEST['ste_id']);
-
- $sql = "SELECT COUNT(1) " .
- "FROM `sagacity`.`proc_findings` pf " .
- "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " .
- "WHERE pf.`ste_id`=? " .
- "AND pf.`status`=? " .
- "AND cf.`risk_status`=? "
- ;
-
- list($open_high) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'high');
- list($open_med) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'medium');
- list($open_low) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'low');
-
- $sql = "SELECT COUNT(1) " .
- "FROM `sagacity`.`proc_findings` pf " .
- "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " .
- "WHERE pf.`ste_id`=? " .
- "AND pf.`status`=? "
- ;
-
- list($proc_na) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Not Applicable');
- list($proc_c) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Compliant');
-
- $sql = "SELECT `ste`.`deviations`,`ste`.`recommendations`,`ste`.`residual_risk`," .
- "`ste`.`conclusion`,`ste`.`risk_status`,sys.`mitigations`,sys.`executive_summary` " .
- "FROM `sagacity`.`ste`,`sagacity`.`system` sys " .
- "WHERE `ste`.`system_id`=sys.`id` AND " .
- "`ste`.`id`=?";
-
- list($dev, $rec, $res, $con, $status, $mit, $exec) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']);
-
- $sql = "SELECT `id`,`name` FROM `sagacity`.`ste_cat` WHERE `ste_id`=?";
-
- $cats = $db->get_STE_Cat_List($_REQUEST['ste_id']);
-
- foreach ($cats as $cat) {
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "f.`cat`=?) + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `sagacity`.`checklist` c " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "f.`cat`=?) AS 'sum_total'";
-
- list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '1', $cat->get_ID(), '1');
- $open_cat_1 += $tmp;
- list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '2', $cat->get_ID(), '2');
- $open_cat_2 += $tmp;
- list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '3', $cat->get_ID(), '3');
- $open_cat_3 += $tmp;
-
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "fs.`status`='Not Applicable') + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `sagacity`.`checklist` c " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "fs.`status`='Not Applicable') AS 'sum_total'";
-
- list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID());
- $tech_na += $tmp;
-
- $sql2 = "SELECT (SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "WHERE t.`cat_id`=? AND " .
- "fs.`status`='Not a Finding') + " .
- "(SELECT COUNT(1) AS 'total' " .
- "FROM `sagacity`.`checklist` c " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
- "WHERE t.`cat_id`=? AND " .
- "c.`name`='Orphan' AND " .
- "fs.`status`='Not a Finding') AS 'sum_total'";
-
- list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID());
- $tech_nf += $tmp;
- }
-
-#'overall_mitigations,deviations,recommendations,residual_risk,conclusion,executive_summary'
- $ret .= "
" .
- "
Overall Mitigations
" .
- "
" .
- "
Deviations
" .
- "
" .
- "
Recommendations
" .
- "
" .
- "
Residual Risk Analysis " .
- "
" .
- "
" .
- "
Conclusion
" .
- "
" .
- "
Executive Summary
" .
- "
" .
- "
" .
- "" .
- "
Procedural ($proc_total)
" .
- "
" .
- "" .
- "H | " .
- "M | " .
- "L | " .
- "NA | " .
- "C | " .
- "
" .
- "" .
- "$open_high | " .
- "$open_med | " .
- "$open_low | " .
- "$proc_na | " .
- "$proc_c | " .
- "
" .
- "" .
- "" . sprintf("%i%%", ($open_high / $proc_total) * 100) . " | " .
- "" . sprintf("%i%%", ($open_med / $proc_total) * 100) . " | " .
- "" . sprintf("%i%%", ($open_low / $proc_total) * 100) . " | " .
- "" . sprintf("%i%%", ($proc_na / $proc_total) * 100) . " | " .
- "" . sprintf("%i%%", ($proc_c / $proc_total) * 100) . " | " .
- "
" .
- "
" .
- "
Technical ($tech_total)
" .
- "
" .
- "" .
- "I | " .
- "II | " .
- "III | " .
- "NA | " .
- "NF | " .
- "
" .
- "" .
- "$open_cat_1 | " .
- "$open_cat_2 | " .
- "$open_cat_3 | " .
- "$tech_na | " .
- "$tech_nf | " .
- "
" .
- "" .
- "" . sprintf("%i%%", ($open_cat_1 / $tech_total) * 100) . " | " .
- "" . sprintf("%i%%", ($open_cat_2 / $tech_total) * 100) . " | " .
- "" . sprintf("%i%%", ($open_cat_3 / $tech_total) * 100) . " | " .
- "" . sprintf("%i%%", ($tech_na / $tech_total) * 100) . " | " .
- "" . sprintf("%i%%", ($tech_nf / $tech_total) * 100) . " | " .
- "
" .
- "
" .
- "
";
-}
-
-function update_STE_details()
-{
- global $conn;
- if ($_REQUEST['id'] == 'deviations') {
- $sql = "UPDATE `sagacity`.`ste` SET `deviations`=? WHERE `id`=?";
- }
- elseif ($_REQUEST['id'] == 'recommendations') {
- $sql = "UPDATE `sagacity`.`ste` SET `recommendations`=? WHERE `id`=?";
- }
- elseif ($_REQUEST['id'] == 'residual_risk') {
- $sql = "UPDATE `sagacity`.`ste` SET `residual_risk`=? WHERE `id`=?";
- }
- elseif ($_REQUEST['id'] == 'conclusion') {
- $sql = "UPDATE `sagacity`.`ste` SET `conclusion`=? WHERE `id`=?";
- }
- elseif ($_REQUEST['id'] == 'overall_mitigations') {
- $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `mitigations`=? WHERE `ste`.`id`=?";
- }
- elseif ($_REQUEST['id'] == 'executive_summary') {
- $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `executive_summary`=? WHERE `ste`.`id`=?";
- }
-
- db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ste_id']);
-}
-
-function get_control_details()
-{
- global $conn, $db;
- $ret = '';
-
- $sql = "SELECT " .
- "pc.`control_id`,pc.`name`,pc.`description`,pc.`impact`," .
- "cf.`vul_desc`,cf.`mitigations`,cf.`risk_analysis`,cf.`risk_status`,cf.`done` " .
- "FROM `sagacity`.`proc_ia_controls` pc " .
- "LEFT JOIN `sagacity`.`control_findings` cf ON cf.`control_id`=pc.`control_id` " .
- "WHERE pc.`control_id`=? AND cf.`ste_id`=?";
-
- $ste = $db->get_STE($_REQUEST['ste'])[0];
-
- $controls = $db->get_Proc_IA_Controls($ste, $_REQUEST['id'])[0];
-
- $risk_analysis = $controls->finding->risk_analysis;
- $ctrl_id = $controls->get_Control_ID();
- $impact = $controls->get_Impact();
-
- $ret .= "" .
- $controls->get_Control_ID() . " - " . $controls->get_Name() .
- "" .
- "" .
- " " .
- "finding->done ? " checked" : "") . " id='done' value='1' onclick='javascript:toggle_control_completion();' />" .
- "" .
- "" .
- ucfirst($controls->get_Worst_Status_String()) .
- "" .
- "" .
- "
" .
- "" . $controls->get_Description() . "
" .
- "" .
- "" .
- "" .
- "Procedure / Validation Step | " .
- "Findings | " .
- "Mitigations | " .
- "
" .
- "" .
- "" .
- "" .
- "" . $controls->get_Control_ID() . " " . $controls->get_Name() . " | " .
- "" . $controls->finding->vul_desc . " | " .
- "" . $controls->finding->mitigations . " | " .
- "
"
- ;
-
- $sql = "SELECT " .
- "psc.`sub_control_id`,psc.`name`,pf.`test_results`,pf.`mitigations`,pf.`status` " .
- "FROM `sagacity`.`proc_ia_sub_controls` psc " .
- "LEFT JOIN `sagacity`.`proc_findings` pf ON psc.`sub_control_id`=pf.`proc_id` " .
- "WHERE pf.`ste_id`=? AND " .
- "psc.`parent_control_id`=? AND " .
- "(pf.`status`='Non-Compliant' OR pf.`status`='Not Applicable')"
- ;
-
- if ($res = $conn->query($sql)) {
- while ($row = $res->fetch_array(MYSQLI_ASSOC)) {
- $status = str_replace(" ", "_", $row['status']);
- $ret .= "" .
- "" . $row['sub_control_id'] . " " . $row['status'] . " " . $row['name'] . " | " .
- "" . $row['test_results'] . " | " .
- "" . $row['mitigations'] . " | " .
- "
"
- ;
- }
- }
-
- $ret .= "
" .
- "" .
- "" . $controls->get_Control_ID() . " - Risk Analysis " .
- "" .
- "" .
- "" .
- "
" .
- "" .
- "
$ctrl_id - Technical Findings" .
- "
" .
- "" .
- "I | " .
- "II | " .
- "III | " .
- "NA | " .
- "NF | " .
- "Unique | " .
- "Hosts | " .
- "Total | " .
- "
";
-
- $cat_1 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 1);
- $cat_2 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 2);
- $cat_3 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 3);
-
- /*
- $sql = "SELECT ".
- "IFNULL((SELECT COUNT(1) ".
- "FROM `sagacity`.`target` t ".
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ".
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ".
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ".
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ".
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
- "WHERE ".
- "(fs.`status`='Open' OR fs.`status`='Exception') AND ".
- "f.`cat`=? AND ".
- "fc.`ia_control`=? AND ".
- "t.`ste_id`=? ".
- "GROUP BY f.`pdi_id`".
- "), 0)".
- " + ".
- "IFNULL((SELECT COUNT(1) ".
- "FROM `sagacity`.`checklist` c ".
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ".
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ".
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ".
- "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ".
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
- "WHERE ".
- "c.`name`='Orphan' AND ".
- "(fs.`status`='Open' OR fs.`status`='Exception') AND ".
- "f.`cat`=? AND ".
- "fc.`ia_control`=? AND ".
- "t.`ste_id`=? ".
- "GROUP BY f.`pdi_id`".
- "), 0) AS 'sum_count'";
-
- ($cat_1) = $dbh->selectrow_array($sql, undef, 1, param('id'), param('ste_id'), 1, param('id'), param('ste_id'));
- ($cat_2) = $dbh->selectrow_array($sql, undef, 2, param('id'), param('ste_id'), 2, param('id'), param('ste_id'));
- ($cat_3) = $dbh->selectrow_array($sql, undef, 3, param('id'), param('ste_id'), 3, param('id'), param('ste_id'));
- */
- $sql = "SELECT " .
- "IFNULL((SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
- "WHERE " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "fc.`ia_control`=? AND " .
- "t.`ste_id`=? " .
- "), 0)" .
- " + " .
- "IFNULL((SELECT COUNT(1) " .
- "FROM `sagacity`.`checklist` c " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
- "WHERE " .
- "c.`name`='Orphan' AND " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "fc.`ia_control`=? AND " .
- "t.`ste_id`=? " .
- "), 0) AS 'sum_count'";
-
- $unique = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']);
- /*
- $sql = "SELECT ".
- "IFNULL((SELECT COUNT(1) ".
- "FROM `sagacity`.`target` t ".
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ".
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ".
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ".
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ".
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
- "WHERE ".
- "fs.`status`=? AND ".
- "fc.`ia_control`=? AND ".
- "t.`ste_id`=? ".
- "GROUP BY f.`pdi_id`".
- "), 0)".
- " + ".
- "IFNULL((SELECT COUNT(1) ".
- "FROM `sagacity`.`checklist` c ".
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ".
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ".
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ".
- "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ".
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
- "WHERE ".
- "c.`name`='Orphan' AND ".
- "fs.`status`=? AND ".
- "fc.`ia_control`=? AND ".
- "t.`ste_id`=? ".
- "GROUP BY f.`pdi_id`".
- "), 0) AS 'sum_count'";
-
- ($na) = $dbh->selectrow_array($sql, undef, "Not Applicable", param('id'), param('ste_id'), "Not Applicable", param('id'), param('ste_id'));
- ($nf) = $dbh->selectrow_array($sql, undef, "Not a Finding", param('id'), param('ste_id'), "Not a Finding", param('id'), param('ste_id'));
- */
- $na = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not Applicable");
- $nf = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not a Finding");
-
- $sql = "SELECT " .
- "IFNULL((SELECT COUNT(1) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
- "WHERE " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "fc.`ia_control`=? AND " .
- "t.`ste_id`=? " .
- "GROUP BY f.`tgt_id`" .
- "), 0)" .
- " + " .
- "IFNULL((SELECT COUNT(1) " .
- "FROM `sagacity`.`checklist` c " .
- "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
- "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
- "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
- "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
- "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
- "WHERE " .
- "c.`name`='Orphan' AND " .
- "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
- "fc.`ia_control`=? AND " .
- "t.`ste_id`=? " .
- "GROUP BY f.`tgt_id`" .
- "), 0) AS 'sum_count'";
-
- $host_count = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']);
-
- $ret .= "" .
- "$cat_1 | " .
- "$cat_2 | " .
- "$cat_3 | " .
- "$na | " .
- "$nf | " .
- "" . $unique['sum_count'] . " | " .
- "" . $host_count['sum_count'] . " | " .
- "" . ($cat_1 + $cat_2 + $cat_3) . " | " .
- "
";
-
- $ret .= "
" .
- "
" .
- "" .
- "
" .
- "" .
- "" .
- "STIG ID" .
- " | Cat" .
- " | M" .
- " | Vulnerability Title" .
- " | Affected Hosts" .
- " | Notes (inc.)" .
- " |
" .
- "" .
- ""
- ;
-
- $sql = "SELECT " .
- "f.`pdi_id`,s.`stig_id`,f.`cat`,pdi.`short_title`," .
- "(SELECT GROUP_CONCAT(fc.`ia_control` SEPARATOR ' ') " .
- "FROM `sagacity`.`finding_controls` fc " .
- "WHERE " .
- "fc.`finding_id`=f.`id` " .
- ") AS ia_controls " .
- "FROM `sagacity`.`findings` f " .
- "JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
- "JOIN `sagacity`.`stigs` s ON s.`pdi_id`=f.`pdi_id` " .
- "JOIN `sagacity`.`pdi_catalog` pdi ON pdi.`id`=f.`pdi_id` " .
- "WHERE (fs.`status`='Open' OR fs.`status`='Exception') " .
- "GROUP BY f.`pdi_id` " .
- "HAVING ia_controls LIKE '%" . $_REQUEST['id'] . "%' " .
- "ORDER BY s.`stig_id`"
- ;
-
- if ($res = $conn->query($sql)) {
- while ($row = $res->fetch_assoc()) {
- $cat = str_repeat("I", $row['cat']);
- $ias = explode(" ", $row['ia_controls']);
- $ia_cnt = (is_array($ias) ? count($ias) : 0);
- $stig = str_replace(".", "", $row['stig_id']);
-
- $sql2 = "SELECT " .
- "GROUP_CONCAT(DISTINCT f.`id` SEPARATOR ',') AS 'finding_ids'," .
- "GROUP_CONCAT(DISTINCT t.`name` SEPARATOR ', ') AS 'affected_hosts',f.`notes` " .
- "FROM `sagacity`.`target` t " .
- "JOIN `sagacity`.`findings` f ON f.`tgt_id`=t.`id` " .
- "JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
- "WHERE t.`ste_id`=? AND f.`pdi_id`=?";
-
- $row = db_helper::selectrow_array($conn, $sql2, $_REQUEST['ste_id'], $row['pdi_id'])[0];
- $ids = $row['finding_ids'];
- $hosts = $row['affected_hosts'];
- $notes = $row['notes'];
-
- $ret .= "" .
- "" . $row['stig_id'] . " | " .
- "$cat | " .
- "" .
- ($ia_cnt > 1 ? " " : "") .
- "" .
- " | " .
- "" . $row['short_title'] . " | " .
- "$hosts | " .
- "$notes | " .
- "
";
- }
- }
-
-
- $ret .= "
";
-
- return $ret;
-}
-
-function update_risk_status()
-{
- global $conn;
- $sql = "UPDATE `sagacity`.`control_findings` SET `risk_status`=? WHERE `ste_id`=? AND `control_id`=?";
- db_helper::run($conn, $sql, strtolower($_REQUEST['status']), $_REQUEST['ste_id'], $_REQUEST['ctrl_id']);
-}
-
-function update_risk_analysis()
-{
- global $conn;
- $sql = "UPDATE `sagacity`.`control_findings` SET `risk_analysis`=? WHERE `control_id`=? AND `ste_id`=?";
- db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ctrl_id'], $_REQUEST['ste_id']);
-}
-
-function update_control_completion()
-{
- global $conn;
- $sql = "UPDATE `sagacity`.`control_findings` SET `done`=IF(`done`=1,0,1) WHERE `control_id`=? AND `ste_id`=?";
- db_helper::run($conn, $sql, $_REQUEST['ctrl_id'], $_REQUEST['ste_id']);
-}
-
-function update_stig_control()
-{
- global $conn;
- $sql = "DELETE FROM `sagacity`.`finding_controls` WHERE `finding_id` IN (" . $_REQUEST['ids'] . ")";
- $conn->real_query($sql);
-
- $sql = "INSERT INTO `sagacity`.`finding_controls` (`finding_id`,`ia_control`) VALUES ";
- $ids = explode(",", $_REQUEST['ids']);
- for ($x = 0; $x < count($ids); $x++) {
- $sql .= "(" . $ids[$x] . ",'" . $_REQUEST['ctrl_id'] . "'),";
- }
- $sql = substr($sql, 0, -1);
- $conn->real_query($sql);
-}
-
-/**
- * Function to get targets from the category
- *
- * @global db $db
- *
- * @param int $cat_id
- *
- * @return type
- */
-function get_hosts($cat_id = null)
-{
- global $db;
- $ret = ['cat_id' => $cat_id];
- $ste_id = filter_input(INPUT_COOKIE, 'ste', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
- $tgts = [];
-
- if ($cat_id) {
- $ste_cat = $db->get_Category($cat_id)[0];
- $tgts = $db->get_Target_By_Category($cat_id);
- }
- elseif (is_numeric($ste_id)) {
- $tgts = $db->get_Unassigned_Targets($ste_id);
- }
- else {
- return json_encode(['error' => "Invalid info"]);
- }
-
- foreach ($tgts as $key => $tgt) {
- $chks = $db->get_Target_Checklists($tgt->get_ID());
- if ($cat_id) {
- $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat);
- }
- else {
- $exp_scan_srcs = null;
- }
- $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs);
- $icons = [];
- $icon_str = '';
- $src_str = '';
-
- foreach ($chks as $chk) {
- if (!in_array($chk->get_Icon(), array_keys($icons))) {
- $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon();
- $icons[$chk->get_Icon()]['name'] = '';
- }
- $icons[$chk->get_Icon()]['name'] .= "{$chk->get_Name()} V{$chk->get_Version()}R{$chk->get_Release()} ({$chk->get_type()})" . PHP_EOL;
- }
-
- foreach ($icons as $icon => $data) {
- $icon_str .= "
";
- }
-
- foreach ($scan_srcs as $key => $src) {
- $icon = $src['src']->get_Icon();
- if($src['scan_error']) {
- $icon = strtolower($src['src']->get_Name()) . "-failed.png";
- }
-
- $src_str .= "
get_Name()}";
- if (isset($src['count']) && $src['count']) {
- $src_str .= " ({$src['count']})";
- }
- $src_str .= "' class='checklist_image' />";
- }
-
- $ret['targets'][] = array_merge([
- 'id' => $tgt->get_ID(),
- 'ste_id' => $tgt->get_STE_ID(),
- 'name' => $tgt->get_Name(),
- 'os' => $tgt->get_OS_String(),
- 'location' => $tgt->get_Location(),
- 'auto' => $tgt->get_Task_Status($tgt->get_Auto_Status_ID()),
- 'man' => $tgt->get_Task_Status($tgt->get_Man_Status_ID()),
- 'data' => $tgt->get_Task_Status($tgt->get_Data_Status_ID()),
- 'fp' => $tgt->get_Task_Status($tgt->get_FP_Cat1_Status_ID()),
- 'ip' => (count($tgt->interfaces) ? array_keys($tgt->interfaces)[0] : ''),
- 'notes' => $tgt->getDisplayNotes(),
- 'scans' => $src_str,
- 'chk' => $icon_str,
- 'nr' => $tgt->getNotReviewedCount(),
- 'na' => $tgt->getNotApplicableCount(),
- 'nf' => $tgt->getNotAFindingCount(),
- 'cat_1' => $tgt->getCat1Count(),
- 'cat_2' => $tgt->getCat2Count(),
- 'cat_3' => $tgt->getCat3Count(),
- 'comp' => $tgt->getCompliantPercent(),
- 'assessed' => $tgt->getAssessedPercent()
- ]);
- }
-
- return json_encode($ret);
-}
-
-function get_target_data()
-{
- global $db;
-
- $tgt = $db->get_Target_Details($_REQUEST['ste_id'], $_REQUEST['tgt_id'])[0];
-
- switch ($_REQUEST['type']) {
- case 'netstat':
- return $tgt->get_Netstat_Connections();
- case 'routes':
- return $tgt->get_Routes();
- case 'firewall':
- return $tgt->get_Firewall_Config();
- case 'shares':
- return $tgt->get_Shares();
- case 'mounted':
- return $tgt->get_Mounted();
- case 'process_list':
- return $tgt->get_Process_List();
- case 'autorun':
- return $tgt->get_Autorun();
- case 'services':
- return $tgt->get_Services();
- case 'remote_registry':
- return $tgt->get_Remote_Registry();
- case 'system':
- return $tgt->get_System();
- case 'bios':
- return $tgt->get_BIOS();
- case 'copyright':
- return $tgt->get_Copyright();
- case 'missing_patches':
- return $tgt->get_Missing_Patches();
- case 'user_list':
- return $tgt->get_User_List();
- case 'disabled_accts':
- return $tgt->get_Disabled_Accts();
- case 'stag_pwds':
- return $tgt->get_Stag_Pwds();
- case 'never_logged_in':
- return $tgt->get_Never_Logged_In();
- case 'pwds_never_expire':
- return $tgt->get_Pwds_Never_Expire();
- }
-
- return null;
-}
-
-function target_filter($ste_id, $criteria)
-{
- global $db, $conn;
- $where = array();
- $tgts = array();
- $idx = 0;
- $like = false;
- $ret = array();
-
- $search = explode("\n", $criteria);
- unset($search[count($search) - 1]);
-
- foreach ($search as $str) {
- if (!$str) {
- continue;
- }
- switch ($str) {
- case (preg_match("/name /i", $str) ? true : false):
- $where[] = "t.`name`";
- break;
- case (preg_match("/sw /i", $str) ? true : false):
- $where[] = "sw.`cpe`";
- break;
- case (preg_match("/os /i", $str) ? true : false):
- $where[] = "os.`cpe`";
- break;
- case (preg_match("/auto status /i", $str) ? true : false):
- $where[] = "`as`.`status`";
- break;
- case (preg_match("/manual status /i", $str) ? true : false):
- $where[] = "ms.`status`";
- break;
- case (preg_match("/data gathering status /i", $str) ? true : false):
- $where[] = "ds.`status`";
- break;
- case (preg_match("/fp\/cat i status /i", $str) ? true : false):
- $where[] = "fp.`status`";
- break;
- case (preg_match("/category /i", $str) ? true : false):
- $where[] = "t.`cat_id`";
- break;
- case (preg_match("/open port /i", $str) ? true : false):
- $where[] = "CONCAT(pps.`proto`,'/',pps.`port`)";
- break;
- default:
- continue 2;
- }
-
- if (($pos = strpos($str, "!~")) !== false) {
- $where[$idx] .= " NOT LIKE ";
- $like = true;
- }
- elseif (($pos = strpos($str, "~=")) !== false) {
- $where[$idx] .= " LIKE ";
- $like = true;
- }
- elseif (($pos = strpos($str, "!=")) !== false) {
- $where[$idx] .= " != ";
- }
- elseif (($pos = strpos($str, "=")) !== false) {
- $where[$idx] .= " = ";
- $pos--;
- }
-
- $where[$idx] .= "'" . ($like ? "%" : "") .
- $conn->real_escape_string(substr($str, $pos + 4, -1)) .
- ($like ? "%" : "") . "'";
-
- $idx++;
- $like = false;
- }
-
- $where_str = implode(" AND ", $where);
-
- $sql = "SELECT COUNT(DISTINCT(t.`id`)) as 'cnt' " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " .
- "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " .
- "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " .
- "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " .
- "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " .
- "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " .
- "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " .
- "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " .
- "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " .
- "WHERE " .
- $where_str
- ;
- $cnt = 0;
- if ($res = $conn->query($sql)) {
- $cnt = $res->fetch_array()[0];
- }
- else {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
- }
- $ret['count'] = $cnt;
-
- $sql = "SELECT DISTINCT(t.`id`) " .
- "FROM `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " .
- "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " .
- "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " .
- "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " .
- "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " .
- "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " .
- "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " .
- "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " .
- "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " .
- "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " .
- "WHERE " .
- $where_str . " " .
- ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "")
- ;
-
- if ($res = $conn->query($sql)) {
- while ($row = $res->fetch_assoc()) {
- $tgts[] = $db->get_Target_Details($_REQUEST['ste'], $row['id'])[0];
- }
- }
- else {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
- }
-
- foreach ($tgts as $tgt) {
- $cat_id = $tgt->get_Cat_ID();
- $ste_cat = $db->get_Category($cat_id);
- $chks = $db->get_Target_Checklists($tgt->get_ID());
- if (isset($cat_id)) {
- $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat);
- }
- else {
- $exp_scan_srcs = null;
- }
- $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs);
- $icons = array();
- $icon_str = '';
- $src_str = '';
-
- foreach ($chks as $chk) {
- if (!in_array($chk->get_Icon(), array_keys($icons))) {
- $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon();
- $icons[$chk->get_Icon()]['name'] = '';
- }
- $icons[$chk->get_Icon()]['name'] .= $chk->get_Name() . " V" . $chk->get_Version() . "R" . $chk->get_Release() . " (" . $chk->get_type() . ")" . PHP_EOL;
- }
-
- foreach ($icons as $icon => $data) {
- $icon_str .= "
";
- }
-
- foreach ($scan_srcs as $src) {
- $src_str .= "
get_Icon() . "' title='" . $src['src']->get_Name();
- if (isset($src['count']) && $src['count']) {
- $src_str .= " (" . $src['count'] . ")";
- }
- $src_str .= "' class='checklist_image' />";
- }
-
- $ret['targets'][] = array_merge($tgt->get_JSON(), array(
- 'scans' => $src_str,
- 'chk' => $icon_str
- ));
- }
-
- if (isset($ret['targets']) && is_array($ret['targets']) && count($ret['targets'])) {
- return json_encode($ret);
- }
- else {
- return json_encode(array('count' => 0));
- }
-}
-
-function reference_filter($criteria)
-{
- global $db, $conn;
- $where = array();
- $ref = array();
- $idx = 0;
- $ret = '';
- $like = false;
- $odd = true;
-
- $sql = "SELECT * FROM `sagacity`.`pdi_catalog` pdi ";
-
- $query = array(
- 'cce' => array(
- 'sql' => "LEFT JOIN `sagacity`.`cce` ON cce.`pdi_id`=pdi.`id` ",
- 'added' => false
- ),
- 'cve' => array(
- 'sql' => "LEFT JOIN `sagacity`.`cve` ON cve.`pdi_id`=pdi.`id` " .
- "LEFT JOIN `sagacity`.`cve_db` ON cve_db.`cve_id`=cve.`cve_id` " .
- "LEFT JOIN `sagacity`.`cve_references` ref ON ref.`cve_seq`=cve_db.`cve_id` " .
- "LEFT JOIN `sagacity`.`cve_web` web ON web.`cve_id`=cve_db.`cve_id` ",
- 'added' => false,
- ),
- 'vms' => array(
- 'sql' => "LEFT JOIN `sagacity`.`golddisk` gd ON gd.`pdi_id`=pdi.`id` ",
- 'added' => false,
- ),
- 'iavm' => array(
- 'sql' => "LEFT JOIN `sagacity`.`iavm_notices` iavm ON iavm.`pdi_id`=pdi.`id` ",
- 'added' => false,
- )
- );
-
- $xml = new DOMDocument();
- $xml->appendChild($root = xml_helper($xml, "root"));
-
- $search = explode("\n", $criteria);
- unset($search[count($search) - 1]);
-
- foreach ($search as $str) {
- switch ($str) {
- case (preg_match("/cce /i", $str) ? true : false):
- if (!$query['cce']['added']) {
- $sql .= $query['cce']['sql'];
- }
- $query['cce']['added'] = true;
- $where[] = "";
- break;
- case (preg_match("/cpe /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/cve /i", $str) ? true : false):
- if (!$query['cve']['added']) {
- $sql .= $query['cve']['sql'];
- }
- $query['cve']['added'] = true;
- $where[] = "";
- break;
- case (preg_match("/ia control /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/iavm /i", $str) ? true : false):
- if (!$query['iavm']['added']) {
- $sql .= $query['iavm']['sql'];
- }
- $query['iavm']['added'] = true;
- $where[] = "";
- break;
- case (preg_match("/nessus plugin id /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/oval /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/reference /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/stig id /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/sv rule /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/vms id /i", $str) ? true : false):
- if (!$query['vms']['added']) {
- $sql .= $query['vms']['sql'];
- }
- $query['vms']['added'] = true;
- $where[] = "";
- break;
- case (preg_match("/vendor advisory /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/check contents /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/short title /i", $str) ? true : false):
- $where[] = "";
- break;
- case (preg_match("/description /i", $str) ? true : false):
- $where[] = "";
- break;
- default:
- continue 2;
- }
-
- if (($pos = strpos($str, "!~")) !== false) {
- $where[$idx] .= " NOT LIKE ";
- $like = true;
- }
- elseif (($pos = strpos($str, "~=")) !== false) {
- $where[$idx] .= " LIKE ";
- $like = true;
- }
- elseif (($pos = strpos($str, "!=")) !== false) {
- $where[$idx] .= " != ";
- }
- elseif (($pos = strpos($str, "=")) !== false) {
- $where[$idx] .= " = ";
- $pos--;
- }
-
- $where[$idx] .= "'" . ($like ? "%" : "") .
- $conn->real_escape_string(substr($str, $pos + 4, -1)) .
- ($like ? "%" : "") . "'";
-
- $idx++;
- $like = false;
- }
-
- $where_str = implode(" AND ", $where);
-
- $sql = "SELECT COUNT(t.`id`) as 'cnt' " .
- "WHERE " .
- $where_str;
-
- $cnt = 0;
- if ($res = $conn->query($sql)) {
- $cnt = $res->fetch_array()[0];
- }
- else {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
- }
- $root->setAttribute('count', $cnt);
-
- $sql = "SELECT t.`id` " .
- " " .
- "WHERE " .
- $where_str . " " .
- ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "")
- ;
-
- if ($res = $conn->query($sql)) {
- while ($row = $res->fetch_assoc()) {
-
- }
- }
- else {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
- }
-
- return $xml->saveXML();
-}
-
-function scan_filter($ste_id, $criteria)
-{
-
-}
-
-function finding_filter($ste_id, $criteria)
-{
-
-}
-
-function get_saved_filter($type, $filter_name)
-{
- global $db;
- $filter = $db->get_Filters($type, $filter_name);
- $ret = array();
-
- if (is_array($filter) && count($filter)) {
- $filter = $filter[0];
- foreach (explode("\n", $filter['criteria']) as $cri) {
- if ($cri)
- $ret[] = $cri;
- }
- }
-
- return json_encode($ret);
-}
-
-function update_target_field($field, $data)
-{
- global $db, $conn;
-
- $sql = "UPDATE `sagacity`.`target` t " .
- "LEFT JOIN `sagacity`.`target_software` ts ON t.`id`=ts.`tgt_id` " .
- "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
- "LEFT JOIN `sagacity`.`target_net_meta` tnm ON t.`id`=tnm.`tgt_id` " .
- "LEFT JOIN `sagacity`.`target_sys_meta` tsm ON t.`id`=tsm.`tgt_id` " .
- "LEFT JOIN `sagacity`.`target_user_meta` tum ON t.`id`=tum.`tgt_id` " .
- "SET ";
-
- switch ($field) {
- case 'name':
- $sql .= "t.`name`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'location':
- $sql .= "t.`location`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'wmi_pid':
- $sql .= "tsm.`wmi_listening_pid`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'last_login':
- $sql .= "tum.`last_login`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'login':
- $sql .= "tum.`login`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'notes':
- $sql .= "t.`notes`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'auto_status':
- $sql .= "t.`auto_status_id`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'man_status':
- $sql .= "t.`man_status_id`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'data_status':
- $sql .= "t.`data_status_id`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'fp-cat1_status':
- $sql .= "t.`fp_cat1_status_id`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'vm':
- $sql .= "tsm.`is_vm`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'pp_on':
- $sql .= "t.`pp_off`=" . ($data == '1' ? '0' : '1');
- break;
- case 'netstat_data':
- $sql .= "tnm.`netstat_connections`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'routes_data':
- $sql .= "tnm.`routes`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'shares_data':
- $sql .= "tnm.`shares`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'firewall_data':
- $sql .= "tnm.`firewall_config`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'mounted_data':
- $sql .= "tsm.`mounted`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'process_list_data':
- $sql .= "tsm.`process_list`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'autorun_data':
- $sql .= "tsm.`autorun`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'services_data':
- $sql .= "tsm.`services`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'remote_registry_data':
- $sql .= "tsm.`remote_registry`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'copyright_data':
- $sql .= "tsm.`copyrighted`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'system_data':
- $sql .= "tsm.`system`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'bios_data':
- $sql .= "tsm.`bios`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'missing_patches_data':
- $sql .= "t.`missing_patches`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'user_list_data':
- $sql .= "tum.`user_list`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'disabled_accts_data':
- $sql .= "tum.`disabled_accts`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'stag_pwds_data':
- $sql .= "tum.`stag_pwds`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'never_logged_in_data':
- $sql .= "tum.`never_logged_in`='" . $conn->real_escape_string($data) . "'";
- break;
- case 'pwds_never_expire_data':
- $sql .= "tum.`pwd_never_expires`='" . $conn->real_escape_string($data) . "'";
- break;
- case '':
- $sql .= "='" . $conn->real_escape_string($data) . "'";
- break;
- }
-
- $sql .= " WHERE t.`id`=" . $conn->real_escape_string($_REQUEST['tgt_id']);
-
- if (!$conn->real_query($sql)) {
- error_log($conn->error);
- Sagacity_Error::sql_handler($sql);
-
- return 'false';
- }
-
- return 'true';
-}
-
-function get_category_details($cat_id)
-{
- global $db;
- $cat = $db->get_Category($cat_id);
- if (is_array($cat) && count($cat) && isset($cat[0]) && is_a($cat[0], 'ste_cat')) {
- $cat = $cat[0];
- }
- else {
- return 'no category found';
- }
-
- return json_encode([
- 'id' => $cat->get_ID(),
- 'name' => $cat->get_Name(),
- 'analyst' => $cat->get_Analyst(),
- 'sources' => $cat->get_Sources()
- ]);
-}
+" . update_finding_status() . "";
+}
+elseif ($action == 'update_finding_ia_controls') {
+ print "" . update_finding_ia_controls() . "";
+}
+elseif ($action == 'update_finding_notes') {
+ print "" . update_finding_notes() . "";
+}
+elseif ($action == 'update_risk_status') {
+ print update_risk_status();
+}
+elseif ($action == 'update_risk_analysis') {
+ print update_risk_analysis();
+}
+elseif ($action == 'update_control_completion') {
+ print update_control_completion();
+}
+elseif ($action == 'update_stig_control') {
+ print update_stig_control();
+}
+elseif ($action == 'refresh_counts') {
+ print "" . refresh_counts() . "";
+}
+elseif ($action == 'get_control_details') {
+ if ($_REQUEST['id'] == 'overall') {
+ print get_STE_details();
+ }
+ else {
+ print get_control_details();
+ }
+}
+elseif ($action == 'update_STE') {
+ print update_STE_details();
+}
+elseif ($action == 'update_STE_risk') {
+ $conn->real_query(
+ "UPDATE `sagacity`.`ste` SET `risk_status`='" .
+ strtolower($conn->real_escape_string($_REQUEST['status'])) .
+ "' WHERE `id`=" . $conn->real_escape_string($ste));
+}
+elseif ($action == 'get_hosts') {
+ $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ if (is_numeric($cat_id)) {
+ print get_hosts($cat_id);
+ }
+ else {
+ print json_encode(['error' => 'Invalid category ID']);
+ }
+}
+elseif ($action == 'new-get-hosts') {
+ $cat_id = filter_input(INPUT_POST, 'cat-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ if (is_numeric($cat_id)) {
+ print new_get_hosts($cat_id);
+ }
+ else {
+ print json_encode(['error' => 'Invalid category ID']);
+ }
+}
+elseif ($action == 'get_target_data') {
+ print get_target_data($_REQUEST['type']);
+}
+elseif ($action == 'save_filter') {
+ print $db->save_Filter($_REQUEST['type'], $_REQUEST['name'], $_REQUEST['criteria']);
+}
+elseif ($action == 'target-filter') {
+ print header(JSON) . target_filter($ste, $_REQUEST['criteria']);
+}
+elseif ($action == 'scan-filter') {
+ print scan_filter($ste, $_REQUEST['criteria']);
+}
+elseif ($action == 'finding-filter') {
+ print finding_filter($ste, $_REQUEST['criteria']);
+}
+elseif ($action == 'reference-filter') {
+ print reference_filter($ste, $_REQUEST['criteria']);
+}
+elseif ($action == 'get-saved-filter') {
+ print get_saved_filter($_REQUEST['type'], $_REQUEST['name']);
+}
+elseif ($action == 'update-target-field') {
+ print update_target_field($_REQUEST['field'], $_REQUEST['data']);
+}
+elseif ($action == 'get_category_details') {
+ $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT);
+ print header(JSON) . get_category_details($cat_id);
+}
+elseif ($action == 'add_scans') {
+ $import = new import();
+ $import->scan_Result_Files(false);
+
+ print header(JSON) . json_encode(array(
+ 'success' => 'Thread running'
+ ));
+}
+elseif ($action == 'auto-categorize') {
+ $db->auto_Catorgize_Targets($ste);
+
+ print header(JSON) . json_encode([
+ 'success' => 'Categorized Targets'
+ ]);
+}
+elseif ($action == 'delete-cat') {
+ $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT);
+ if ($db->delete_Cat($cat_id)) {
+ print header(JSON) . json_encode([
+ 'success' => 'Successfully deleted category'
+ ]);
+ }
+}
+elseif ($action == 'delete-file') {
+ $file = filter_input(INPUT_POST, 'filename', FILTER_SANITIZE_STRING);
+ $file = realpath($file);
+
+ if ($file && preg_match("/^" . preg_quote(TMP, '/') . "/", $file)) {
+ if (unlink($file)) {
+ print header(JSON) . json_encode([
+ 'success' => 'Deleted file'
+ ]);
+ }
+ else {
+ print header(JSON) . json_encode([
+ 'error' => "Failed to delete $file"
+ ]);
+ }
+ }
+ else {
+ $file = filter_input(INPUT_POST, 'filename', FILTER_SANITIZE_STRING);
+ print header(JSON) . json_encode([
+ 'error' => "$file does not exist"
+ ]);
+ }
+}
+elseif ($action == 'get-cat-data') {
+ $fname = filter_input(INPUT_POST, 'fname', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
+ $checklist = $db->get_Checklist_By_File($fname);
+
+ if (isset($checklist[0])) {
+ $checklist[0]->type = ucfirst($checklist[0]->type);
+ print header(JSON) . json_encode($checklist[0]);
+ }
+ else {
+ print header(JSON) . json_encode(array('error' => 'Error finding checklist'));
+ }
+}
+elseif ($action == 'checklist-remove-software') {
+ $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ $db->help->delete("sagacity.checklist_software_lookup", null, array(
+ array(
+ 'field' => 'chk_id',
+ 'op' => '=',
+ 'value' => $chk_id
+ ),
+ array(
+ 'field' => 'sw_id',
+ 'op' => '=',
+ 'value' => $sw_id,
+ 'sql_op' => 'AND'
+ )
+ ));
+
+ if ($db->help->execute()) {
+ print header(JSON) . json_encode(array('success' => 'Relationship deleted'));
+ }
+ else {
+ print header(JSON) . json_encode(array('error' => 'Failed to delete relationship'));
+ }
+}
+elseif ($action == 'checklist-add-software') {
+ $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ $db->help->insert("checklist_software_lookup", array(
+ 'sw_id' => $sw_id,
+ 'chk_id' => $chk_id
+ ), true);
+
+ if (!$db->help->execute()) {
+ print header(JSON) . json_encode(array('status' => 'Error adding the software to the checklist'));
+ }
+ else {
+ print header(JSON) . json_encode(array('status' => 'Successfully added the software'));
+ }
+}
+elseif ($action == 'save-checklist') {
+ $rel_date = new DateTime(filter_input(INPUT_POST, 'rel-date', FILTER_SANITIZE_STRING));
+
+ $db->help->update("sagacity.checklist", [
+ 'name' => filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING),
+ 'description' => filter_input(INPUT_POST, 'desc', FILTER_SANITIZE_STRING),
+ 'icon' => filter_input(INPUT_POST, 'icon', FILTER_SANITIZE_STRING),
+ 'date' => (is_a($rel_date, 'DateTime') ? $rel_date->format(MYSQL_D_FORMAT) : (new DateTime())->format(MYSQL_D_FORMAT))
+ ], [
+ [
+ 'field' => 'id',
+ 'op' => '=',
+ 'value' => filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT)
+ ]
+ ]);
+
+ if($db->help->execute()) {
+ print json_encode(['success' => 'Successfully updated checklist']);
+ }
+ else {
+ print json_encode(['error' => 'Error updating checklist']);
+ }
+}
+elseif ($action == 'export-ckl') {
+ $cat_id = filter_input(INPUT_POST, 'cat', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $tgt_id = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $script = null;
+
+ if (!is_numeric($ste)) {
+ die;
+ }
+
+ if ($cat_id && is_numeric($cat_id)) {
+ $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) .
+ " -c " . realpath(PHP_CONF) .
+ " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" .
+ " -s=$ste" .
+ " -c=$cat_id";
+ }
+ elseif ($tgt_id && is_numeric($tgt_id)) {
+ $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) .
+ " -c " . realpath(PHP_CONF) .
+ " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" .
+ " -s=$ste" .
+ " -t=$tgt_id";
+ }
+
+ if (!is_null($script)) {
+ if (strtolower(substr(PHP_OS, 0, 3)) == "win") {
+ $shell = new COM("WScript.Shell");
+ $shell->CurrentDirectory = DOC_ROOT . "/exec";
+ $shell->run($script, 0, false);
+ }
+ elseif (strtolower(substr(PHP_OS, 0, 3)) == 'lin') {
+ exec("cd " . realpath(DOC_ROOT . "/exec") . " && {$script} > /dev/null &");
+ }
+ }
+}
+elseif ($action == 'delete-host') {
+ $sel_tgts = json_decode(html_entity_decode(filter_input(INPUT_POST, 'selected_tgts', FILTER_SANITIZE_STRING)));
+ if (is_array($sel_tgts) && count($sel_tgts)) {
+ foreach ($sel_tgts as $tgt_id) {
+ if (!$db->delete_Target($tgt_id)) {
+ print header(JSON) . json_encode(array('error' => "Failed to delete target ID $tgt_id"));
+ break;
+ }
+ }
+ }
+ elseif (is_numeric($sel_tgts)) {
+ if (!$db->delete_Target($sel_tgts)) {
+ print header(JSON) . json_encode(array('error' => "Failed to delete target ID $sel_tgts"));
+ }
+ }
+
+ print header(JSON) . json_encode(['success' => "Deleted all selected target(s)"]);
+}
+elseif ($action == 'get-target-notes') {
+ $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ if (is_numeric($tgt_id) && $tgt_id > 0) {
+ $db->help->select("target", ['notes'], [
+ [
+ 'field' => 'id',
+ 'op' => '=',
+ 'value' => $tgt_id
+ ]
+ ]);
+ $row = $db->help->execute();
+ if (is_array($row) && count($row) && isset($row['notes'])) {
+ print header(JSON) . json_encode(['notes' => $row['notes']]);
+ }
+ }
+}
+elseif ($action == 'save-target-notes') {
+ $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $notes = filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
+ if (is_numeric($tgt_id) && $tgt_id > 0) {
+ $db->help->update("target", [
+ 'notes' => htmlentities($notes)
+ ], [
+ [
+ 'field' => 'id',
+ 'op' => '=',
+ 'value' => $tgt_id
+ ]
+ ]);
+ if ($db->help->execute()) {
+ print header(JSON) . json_encode(['success' => 'Updated target notes']);
+ }
+ else {
+ print header(JSON) . json_encode(['error' => $db->help->c->error]);
+ }
+ }
+}
+elseif ($action == 'get-load-status') {
+ $set = $db->get_Settings([
+ 'cpe-count', 'cpe-dl-progress', 'cpe-progress',
+ 'cve-count', 'cve-dl-progress', 'cve-progress',
+ 'nvd-cve-count', 'nvd-cve-dl-progress', 'nvd-cve-progress', 'nvd-year',
+ 'stig-count', 'stig-dl-progress', 'stig-progress',
+ 'nasl-count', 'nasl-dl-progress', 'nasl-progress'
+ ]);
+ print json_encode($set);
+}
+elseif ($action == 'delete-scan') {
+ $scan_id = filter_input(INPUT_POST, 'scan-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $del_tgts = (bool) filter_input(INPUT_POST, 'delete-targets', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+ if ($scan_id) {
+ if ($db->delete_Scan($ste, $scan_id, $del_tgts)) {
+ print json_encode(['success' => 'Deleted Scan']);
+ }
+ else {
+ print json_encode(['error' => 'Error deleting scan']);
+ }
+ }
+}
+
+function update_tgt_notes()
+{
+ global $db;
+ $notes = str_replace(" ", "", filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING));
+ $tgt = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT);
+
+ $db->help->update("sagacity.target", array(
+ 'notes' => $notes
+ ), array(
+ array(
+ 'field' => 'id',
+ 'op' => '=',
+ 'value' => $tgt
+ )
+ ));
+
+ if (!$db->help->execute()) {
+ return "failure";
+ }
+ else {
+ return "success";
+ }
+}
+
+function chk_filter()
+{
+ global $db;
+ $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $filter = filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
+ $hide_old = (boolean) filter_input(INPUT_POST, 'hide_old', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+
+ $ret = array();
+ $db->help->create_table("c", true, $db->help->select("sagacity.checklist", null, array(), array(
+ 'order' => '`ver` DESC, CONVERT(`release`, DECIMAL(4,2)) DESC'
+ )));
+ if (!$db->help->execute()) {
+ return $ret;
+ }
+ $where = array();
+ $flags = array();
+
+ if (!empty($filter)) {
+ $where = array(
+ array(
+ 'field' => 'c.name',
+ 'op' => LIKE,
+ 'value' => "'%{$filter}%'"
+ )
+ );
+ }
+
+ if (!empty($tgt_id)) {
+ $where[] = array(
+ 'field' => 'tc.chk_id',
+ 'op' => IS,
+ 'value' => null,
+ 'sql_op' => 'AND'
+ );
+ $flags['table_joins'] = array(
+ "LEFT JOIN sagacity.target_checklist tc ON tc.chk_id = c.id AND tc.tgt_id = $tgt_id"
+ );
+ $flags['order'] = 'c.name';
+ }
+ if ($hide_old) {
+ $flags['group'] = 'c.name, c.type, c.id';
+ }
+
+ $db->help->select("c", array('c.id'), $where, $flags);
+
+ $rows = $db->help->execute();
+ if (is_array($rows) && count($rows) && isset($rows['id'])) {
+ $rows = array(0 => $rows);
+ }
+
+ if (is_array($rows) && count($rows) && isset($rows[0])) {
+ foreach ($rows as $row) {
+ $chk = $db->get_Checklist($row['id']);
+ if (is_array($chk) && count($chk) && isset($chk[0]) && is_a($chk[0], 'checklist')) {
+ $ret[] = $chk[0];
+ }
+ }
+ }
+
+ return json_encode($ret);
+}
+
+function sw_filter($is_os = false)
+{
+ global $db;
+ $ret = [];
+ $filter = "'%" . filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE) . "%'";
+ $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ $db->help->select("sagacity.software s", ['s.id', 's.cpe', 's.sw_string'], [
+ [
+ 'field' => 's.cpe',
+ 'op' => LIKE,
+ 'value' => $filter,
+ 'open-paren' => true
+ ],
+ [
+ 'field' => 's.sw_string',
+ 'op' => LIKE,
+ 'value' => $filter,
+ 'sql_op' => 'OR'
+ ],
+ [
+ 'field' => 's.short_sw_string',
+ 'op' => LIKE,
+ 'value' => $filter,
+ 'sql_op' => 'OR',
+ 'close-paren' => true
+ ],
+ [
+ 'field' => 'ts.sft_id',
+ 'op' => IS,
+ 'value' => null,
+ 'sql_op' => 'AND'
+ ],
+ [
+ 'field' => 's.cpe',
+ 'op' => LIKE,
+ 'value' => ($is_os ? "'%/o%'" : "'%/a%'"),
+ 'sql_op' => 'AND'
+ ]
+ ], [
+ 'table_joins' => [
+ "LEFT JOIN `sagacity`.`target_software` ts ON ts.`sft_id` = s.`id`" . ($tgt_id ? " AND ts.`tgt_id` = $tgt_id" : "")
+ ],
+ 'order' => 's.cpe',
+ 'limit' => 25
+ ]);
+
+ $sw = $db->help->execute();
+
+ if (is_array($sw) && count($sw) && isset($sw['id'])) {
+ $sw = [0 => $sw];
+ }
+
+ if (is_array($sw) && count($sw) && isset($sw[0])) {
+ foreach ($sw as $row) {
+ $ret[] = [
+ 'sw_id' => $row['id'],
+ 'cpe' => $row['cpe'],
+ 'sw_string' => $row['sw_string']
+ ];
+ }
+ }
+
+ return header(JSON) . json_encode($ret);
+}
+
+function update_proc_status()
+{
+ global $conn, $ste;
+ $control_id = str_replace("_", "-", substr(param('control'), 0, -7));
+ if (preg_match("/[A-Z]{4}\-\d\-\d/", $control_id)) {
+ $proc_id = $control_id;
+ $sql = "SELECT `ctrl_id` " .
+ "FROM `sagacity`.`proc_findings` " .
+ "WHERE " .
+ "`ste_id`=" . $conn->real_escape_string($ste) . " AND " .
+ "`proc_id`='" . $conn->real_escape_string($control_id) . "'";
+ if ($res = $conn->query($sql)) {
+ if ($res->num_rows) {
+ $row = $res->fetch_array(MYSQLI_ASSOC);
+
+ $sql = "UPDATE `sagacity`.`proc_findings` " .
+ "SET `status`='" . $conn->real_escape_string($_REQUEST['status']) . " " .
+ "WHERE `ste_id`=" . $conn->real_escape_string($ste) . " AND " .
+ "`proc_id`='" . $conn->real_escape_string($row['ctrl_id']) . "'";
+ }
+ else {
+ $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (" .
+ $_REQUEST['ste'] . "," .
+ "'" . $conn->real_escape_string(substr($proc_id, 0, 6)) . "'" .
+ "'" . $conn->real_escape_string($proc_id) . "'" .
+ "'" . $conn->real_escape_string($_REQUEST['status']) . "')";
+ }
+
+ if (!$conn->real_query($sql)) {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+ }
+ }
+ }
+ else {
+ $sql = "SELECT `sub_control_id` FROM `sagacity`.`proc_ia_sub_controls` WHERE `parent_control_id`=?";
+
+ $sub_ctrls = db_helper::selectrow_array($conn, db_helper::mysql_escape_string($conn, $sql, $control_id));
+
+ foreach ($sub_ctrl as $proc_id) {
+ $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?";
+ $sql = db_helper::mysql_escape_string($conn, $sql, $_REQUEST['ste'], $proc_id);
+ list($cnt) = db_helper::selectrow_array($conn, $sql);
+ if ($cnt) {
+ db_helper::run($conn, "UPDATE `sagacity`.`proc_findings` SET `status`=? WHERE `ste_id`=? AND `proc_id`=?", $_REQUEST['status'], $_REQUEST['ste'], $proc_id);
+ }
+ else {
+ db_helper::run($conn, "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (?,?,?,?)", $_REQUEST['ste'], $control_id, $proc_id, $_REQUEST['status']);
+ }
+ }
+ }
+}
+
+function update_proc_notes()
+{
+ $control_id = $field = $_REQUEST['control'];
+ $match = array();
+ if (preg_match("/([A-Z]{4}\_\d\_\d)/", $control_id, $match)) {
+ $control_id = str_replace("_", "-", $match[1]);
+
+ $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?";
+
+ switch ($field) {
+ case (preg_match("/_test_result/", $field) ? true : false):
+ $field = "`test_results`";
+ break;
+ case (preg_match("/_mit/", $field) ? true : false):
+ $field = "`mitigations`";
+ break;
+ case (preg_match("/_milestone/", $field) ? true : false):
+ $field = "`milestones`";
+ break;
+ case (preg_match("/_ref/", $field) ? true : false):
+ $field = "`ref`";
+ break;
+ case (preg_match("/_notes/", $field) ? true : false):
+ $field = "`notes`";
+ break;
+ default:
+ $field = "";
+ }
+
+ list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id);
+ if ($cnt) {
+ $sql = "UPDATE `sagacity`.`proc_findings` SET=? WHERE `ste_id`=? AND `proc_id`=?";
+
+ db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id);
+ }
+ else {
+ $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`,$field) VALUES (?,?,?,?,?)";
+
+ db_helper::run($conn, $sql, $_REQUEST['ste'], substr($control_id, 0, 6), $control_id, "Not Reviewed", $_REQUEST['notes']);
+ }
+ }
+ elseif (preg_match("/([A-Z]{4}\_\d)/", $control_id, $match)) {
+ $control_id = str_replace("_", "-", $match[1]);
+
+ $sql = "SELECT COUNT(1) FROM `sagacity`.`control_findings` WHERE `ste_id`=? AND `control_id`=?";
+ list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id);
+
+ switch ($field) {
+ case (preg_match("/_vul_desc/", $field) ? true : false):
+ $field = "`vul_desc`";
+ break;
+ case (preg_match("/_mit/", $field) ? true : false):
+ $field = "`mitigations`";
+ break;
+ case (preg_match("/_ref/", $field) ? true : false):
+ $field = "`ref`";
+ break;
+ case (preg_match("/_notes/", $field) ? true : false):
+ $field = "`notes`";
+ break;
+ default:
+ $field = "";
+ }
+
+ if ($cnt) {
+ $sql = "UPDATE `sagacity`.`control_findings` SET $field=? WHERE `ste_id`=? AND `control_id`=?";
+
+ db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id);
+ }
+ else {
+ $sql = "INSERT INTO `sagacity`.`control_findings` (`control_id`,`ste_id`,$field,`risk_status`) " .
+ "VALUES (?,?,?,(SELECT LOWER(`impact`) FROM `sagacity`.`proc_ia_controls` WHERE `control_id`=?))";
+
+ db_helper::run($conn, $sql, $control_id, $_REQUEST['ste'], $_REQUEST['notes'], $control_id);
+ }
+ }
+
+ return true;
+}
+
+function refresh_counts()
+{
+ $ret = '';
+ $sql = "SELECT `id`,`name` FROM `ste_cat` WHERE `ste_id`=?";
+
+ $cats = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']);
+
+ foreach ($cats as $key => $cat) {
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "fs.`status`='Open' AND " .
+ "f.`cat`=?) + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `checklist` c " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "fs.`status`='Open' AND " .
+ "f.`cat`=?) AS 'sum_total'";
+
+ list($open_cat_1) = db_helper::selectrow_array($conn, $sql2, $row['id'], '1', $row['id'], '1');
+ list($open_cat_2) = db_helper::selectrow_array($conn, $sql2, $row['id'], '2', $row['id'], '2');
+ list($open_cat_3) = db_helper::selectrow_array($conn, $sql2, $row['id'], '3', $row['id'], '3');
+
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `target` t " .
+ "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `checklist` c " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) AS 'sum_total'";
+
+ list($not_reviewed) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
+
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `target` t " .
+ "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "fs.`status`='Exception') + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `checklist` c " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "fs.`status`='Exception') AS 'sum_total'";
+
+ list($exception) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
+
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `target` t " .
+ "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "fs.`status`='False Positive') + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `checklist` c " .
+ "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "fs.`status`='False Positive') AS 'sum_total'";
+
+ list($false_positive) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']);
+
+ $row['name'] = str_replace(array(".", "-", " "), "", $row['name']);
+
+ $ret .= "";
+ }
+
+ return $ret;
+}
+
+function update_finding_status()
+{
+ global $conn;
+ $sql = "UPDATE `findings` SET " .
+ "`findings_status_id`=? " .
+ "WHERE " .
+ "`tgt_id`=? AND `pdi_id`=?";
+
+ db_helper::run($conn, $sql, $_REQUEST['status'], $_REQUEST['host_id'], $_REQUEST['pdi_id']);
+
+ return true;
+}
+
+function update_finding_ia_controls()
+{
+ $controls = explode(" ", $_REQUEST['ia_controls']);
+ $host_ids = explode(",", $_REQUEST['host_id']);
+
+ return true;
+}
+
+function update_finding_notes()
+{
+ global $conn;
+ $host_ids = explode(",", $_REQUEST['host_id']);
+
+ $sql = "UPDATE `sagacity`.`findings` SET " .
+ "`notes`=? " .
+ "WHERE " .
+ "`tgt_id` IN (" . implode(",", $host_ids) . ") AND `pdi_id`=?";
+
+ db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['pdi_id']);
+
+ return true;
+}
+
+/**
+ * Function to update the result script parsing status
+ *
+ * @global db $db
+ * @global int $ste
+ *
+ * @return array
+ */
+function update_script_status()
+{
+ global $db, $ste;
+ $ret = [];
+
+ $type = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
+ $status = filter_input(INPUT_POST, 'status', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
+
+ if (!empty($type) && !empty($status)) {
+ $scans = $db->get_ScanData($ste, null, $status, $type);
+ }
+ elseif (!empty($type)) {
+ $scans = $db->get_ScanData($ste, null, null, $type);
+ }
+ elseif (!empty($status)) {
+ $scans = $db->get_ScanData($ste, null, $status);
+ }
+ else {
+ $scans = $db->get_ScanData($ste);
+ }
+
+ foreach ($scans as $scan) {
+ $file_name = str_replace(["(", ")"], "", str_replace(" ", "_", $scan->get_File_Name()));
+ $diff = $scan->get_Last_Update()->diff($scan->get_Start_Time());
+
+ $ret[] = [
+ "scan_id" => $scan->get_ID(),
+ "file_name" => $scan->get_File_Name(),
+ "id" => $file_name,
+ "file_date" => $scan->get_File_DateTime()->format("Y-m-d"),
+ "pid" => $scan->get_PID(),
+ "source" => $scan->get_Source()->get_Name(),
+ 'source_img' => $scan->get_Source()->get_Icon(),
+ "status" => $scan->get_Status(),
+ "perc_comp" => $scan->get_Percentage_Complete(),
+ "last_host" => $scan->get_Last_Host(),
+ "start_time" => $scan->get_Start_Time()->format("Y-m-d H:i:s"),
+ "update" => $scan->get_Last_Update()->format("Y-m-d H:i:s"),
+ "host_count" => $scan->get_Total_Host_Count(),
+ "error" => $scan->isScanError(),
+ "run_time" => $diff->format("%H:%I:%S")
+ ];
+ }
+
+ return json_encode(['success' => 1, 'results' => $ret]);
+}
+
+/**
+ *
+ * @global mysqli $conn
+ * @global db $db
+ */
+function get_STE_details()
+{
+ global $conn, $db;
+ $ret = '';
+ $open_high = $open_med = $open_low = $proc_na = $proc_c = $proc_total = $open_cat_1 = $open_cat_2 = $open_cat_3 = $tech_na = $tech_nf = $tech_total = 0;
+
+ list($tech_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`findings` f JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` WHERE t.`ste_id`=?", $_REQUEST['ste_id']);
+ list($proc_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=?", $_REQUEST['ste_id']);
+
+ $sql = "SELECT COUNT(1) " .
+ "FROM `sagacity`.`proc_findings` pf " .
+ "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " .
+ "WHERE pf.`ste_id`=? " .
+ "AND pf.`status`=? " .
+ "AND cf.`risk_status`=? "
+ ;
+
+ list($open_high) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'high');
+ list($open_med) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'medium');
+ list($open_low) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'low');
+
+ $sql = "SELECT COUNT(1) " .
+ "FROM `sagacity`.`proc_findings` pf " .
+ "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " .
+ "WHERE pf.`ste_id`=? " .
+ "AND pf.`status`=? "
+ ;
+
+ list($proc_na) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Not Applicable');
+ list($proc_c) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Compliant');
+
+ $sql = "SELECT `ste`.`deviations`,`ste`.`recommendations`,`ste`.`residual_risk`," .
+ "`ste`.`conclusion`,`ste`.`risk_status`,sys.`mitigations`,sys.`executive_summary` " .
+ "FROM `sagacity`.`ste`,`sagacity`.`system` sys " .
+ "WHERE `ste`.`system_id`=sys.`id` AND " .
+ "`ste`.`id`=?";
+
+ list($dev, $rec, $res, $con, $status, $mit, $exec) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']);
+
+ $sql = "SELECT `id`,`name` FROM `sagacity`.`ste_cat` WHERE `ste_id`=?";
+
+ $cats = $db->get_STE_Cat_List($_REQUEST['ste_id']);
+
+ foreach ($cats as $cat) {
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "f.`cat`=?) + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `sagacity`.`checklist` c " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "f.`cat`=?) AS 'sum_total'";
+
+ list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '1', $cat->get_ID(), '1');
+ $open_cat_1 += $tmp;
+ list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '2', $cat->get_ID(), '2');
+ $open_cat_2 += $tmp;
+ list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '3', $cat->get_ID(), '3');
+ $open_cat_3 += $tmp;
+
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "fs.`status`='Not Applicable') + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `sagacity`.`checklist` c " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "fs.`status`='Not Applicable') AS 'sum_total'";
+
+ list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID());
+ $tech_na += $tmp;
+
+ $sql2 = "SELECT (SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "fs.`status`='Not a Finding') + " .
+ "(SELECT COUNT(1) AS 'total' " .
+ "FROM `sagacity`.`checklist` c " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
+ "WHERE t.`cat_id`=? AND " .
+ "c.`name`='Orphan' AND " .
+ "fs.`status`='Not a Finding') AS 'sum_total'";
+
+ list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID());
+ $tech_nf += $tmp;
+ }
+
+#'overall_mitigations,deviations,recommendations,residual_risk,conclusion,executive_summary'
+ $ret .= "" .
+ "
Overall Mitigations
" .
+ "
" .
+ "
Deviations
" .
+ "
" .
+ "
Recommendations
" .
+ "
" .
+ "
Residual Risk Analysis " .
+ "
" .
+ "
" .
+ "
Conclusion
" .
+ "
" .
+ "
Executive Summary
" .
+ "
" .
+ "
" .
+ "" .
+ "
Procedural ($proc_total)
" .
+ "
" .
+ "" .
+ "H | " .
+ "M | " .
+ "L | " .
+ "NA | " .
+ "C | " .
+ "
" .
+ "" .
+ "$open_high | " .
+ "$open_med | " .
+ "$open_low | " .
+ "$proc_na | " .
+ "$proc_c | " .
+ "
" .
+ "" .
+ "" . sprintf("%i%%", ($open_high / $proc_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($open_med / $proc_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($open_low / $proc_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($proc_na / $proc_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($proc_c / $proc_total) * 100) . " | " .
+ "
" .
+ "
" .
+ "
Technical ($tech_total)
" .
+ "
" .
+ "" .
+ "I | " .
+ "II | " .
+ "III | " .
+ "NA | " .
+ "NF | " .
+ "
" .
+ "" .
+ "$open_cat_1 | " .
+ "$open_cat_2 | " .
+ "$open_cat_3 | " .
+ "$tech_na | " .
+ "$tech_nf | " .
+ "
" .
+ "" .
+ "" . sprintf("%i%%", ($open_cat_1 / $tech_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($open_cat_2 / $tech_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($open_cat_3 / $tech_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($tech_na / $tech_total) * 100) . " | " .
+ "" . sprintf("%i%%", ($tech_nf / $tech_total) * 100) . " | " .
+ "
" .
+ "
" .
+ "
";
+}
+
+function update_STE_details()
+{
+ global $conn;
+ if ($_REQUEST['id'] == 'deviations') {
+ $sql = "UPDATE `sagacity`.`ste` SET `deviations`=? WHERE `id`=?";
+ }
+ elseif ($_REQUEST['id'] == 'recommendations') {
+ $sql = "UPDATE `sagacity`.`ste` SET `recommendations`=? WHERE `id`=?";
+ }
+ elseif ($_REQUEST['id'] == 'residual_risk') {
+ $sql = "UPDATE `sagacity`.`ste` SET `residual_risk`=? WHERE `id`=?";
+ }
+ elseif ($_REQUEST['id'] == 'conclusion') {
+ $sql = "UPDATE `sagacity`.`ste` SET `conclusion`=? WHERE `id`=?";
+ }
+ elseif ($_REQUEST['id'] == 'overall_mitigations') {
+ $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `mitigations`=? WHERE `ste`.`id`=?";
+ }
+ elseif ($_REQUEST['id'] == 'executive_summary') {
+ $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `executive_summary`=? WHERE `ste`.`id`=?";
+ }
+
+ db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ste_id']);
+}
+
+function get_control_details()
+{
+ global $conn, $db;
+ $ret = '';
+
+ $sql = "SELECT " .
+ "pc.`control_id`,pc.`name`,pc.`description`,pc.`impact`," .
+ "cf.`vul_desc`,cf.`mitigations`,cf.`risk_analysis`,cf.`risk_status`,cf.`done` " .
+ "FROM `sagacity`.`proc_ia_controls` pc " .
+ "LEFT JOIN `sagacity`.`control_findings` cf ON cf.`control_id`=pc.`control_id` " .
+ "WHERE pc.`control_id`=? AND cf.`ste_id`=?";
+
+ $ste = $db->get_STE($_REQUEST['ste'])[0];
+
+ $controls = $db->get_Proc_IA_Controls($ste, $_REQUEST['id'])[0];
+
+ $risk_analysis = $controls->finding->risk_analysis;
+ $ctrl_id = $controls->get_Control_ID();
+ $impact = $controls->get_Impact();
+
+ $ret .= "" .
+ $controls->get_Control_ID() . " - " . $controls->get_Name() .
+ "" .
+ "" .
+ " " .
+ "finding->done ? " checked" : "") . " id='done' value='1' onclick='javascript:toggle_control_completion();' />" .
+ "" .
+ "" .
+ ucfirst($controls->get_Worst_Status_String()) .
+ "" .
+ "" .
+ "
" .
+ "" . $controls->get_Description() . "
" .
+ "" .
+ "" .
+ "" .
+ "Procedure / Validation Step | " .
+ "Findings | " .
+ "Mitigations | " .
+ "
" .
+ "" .
+ "" .
+ "" .
+ "" . $controls->get_Control_ID() . " " . $controls->get_Name() . " | " .
+ "" . $controls->finding->vul_desc . " | " .
+ "" . $controls->finding->mitigations . " | " .
+ "
"
+ ;
+
+ $sql = "SELECT " .
+ "psc.`sub_control_id`,psc.`name`,pf.`test_results`,pf.`mitigations`,pf.`status` " .
+ "FROM `sagacity`.`proc_ia_sub_controls` psc " .
+ "LEFT JOIN `sagacity`.`proc_findings` pf ON psc.`sub_control_id`=pf.`proc_id` " .
+ "WHERE pf.`ste_id`=? AND " .
+ "psc.`parent_control_id`=? AND " .
+ "(pf.`status`='Non-Compliant' OR pf.`status`='Not Applicable')"
+ ;
+
+ if ($res = $conn->query($sql)) {
+ while ($row = $res->fetch_array(MYSQLI_ASSOC)) {
+ $status = str_replace(" ", "_", $row['status']);
+ $ret .= "" .
+ "" . $row['sub_control_id'] . " " . $row['status'] . " " . $row['name'] . " | " .
+ "" . $row['test_results'] . " | " .
+ "" . $row['mitigations'] . " | " .
+ "
"
+ ;
+ }
+ }
+
+ $ret .= "
" .
+ "" .
+ "" . $controls->get_Control_ID() . " - Risk Analysis " .
+ "" .
+ "" .
+ "" .
+ "
" .
+ "" .
+ "
$ctrl_id - Technical Findings" .
+ "
" .
+ "" .
+ "I | " .
+ "II | " .
+ "III | " .
+ "NA | " .
+ "NF | " .
+ "Unique | " .
+ "Hosts | " .
+ "Total | " .
+ "
";
+
+ $cat_1 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 1);
+ $cat_2 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 2);
+ $cat_3 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 3);
+
+ /*
+ $sql = "SELECT ".
+ "IFNULL((SELECT COUNT(1) ".
+ "FROM `sagacity`.`target` t ".
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ".
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ".
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
+ "WHERE ".
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND ".
+ "f.`cat`=? AND ".
+ "fc.`ia_control`=? AND ".
+ "t.`ste_id`=? ".
+ "GROUP BY f.`pdi_id`".
+ "), 0)".
+ " + ".
+ "IFNULL((SELECT COUNT(1) ".
+ "FROM `sagacity`.`checklist` c ".
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ".
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ".
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ".
+ "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
+ "WHERE ".
+ "c.`name`='Orphan' AND ".
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND ".
+ "f.`cat`=? AND ".
+ "fc.`ia_control`=? AND ".
+ "t.`ste_id`=? ".
+ "GROUP BY f.`pdi_id`".
+ "), 0) AS 'sum_count'";
+
+ ($cat_1) = $dbh->selectrow_array($sql, undef, 1, param('id'), param('ste_id'), 1, param('id'), param('ste_id'));
+ ($cat_2) = $dbh->selectrow_array($sql, undef, 2, param('id'), param('ste_id'), 2, param('id'), param('ste_id'));
+ ($cat_3) = $dbh->selectrow_array($sql, undef, 3, param('id'), param('ste_id'), 3, param('id'), param('ste_id'));
+ */
+ $sql = "SELECT " .
+ "IFNULL((SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
+ "WHERE " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "fc.`ia_control`=? AND " .
+ "t.`ste_id`=? " .
+ "), 0)" .
+ " + " .
+ "IFNULL((SELECT COUNT(1) " .
+ "FROM `sagacity`.`checklist` c " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
+ "WHERE " .
+ "c.`name`='Orphan' AND " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "fc.`ia_control`=? AND " .
+ "t.`ste_id`=? " .
+ "), 0) AS 'sum_count'";
+
+ $unique = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']);
+ /*
+ $sql = "SELECT ".
+ "IFNULL((SELECT COUNT(1) ".
+ "FROM `sagacity`.`target` t ".
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ".
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ".
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
+ "WHERE ".
+ "fs.`status`=? AND ".
+ "fc.`ia_control`=? AND ".
+ "t.`ste_id`=? ".
+ "GROUP BY f.`pdi_id`".
+ "), 0)".
+ " + ".
+ "IFNULL((SELECT COUNT(1) ".
+ "FROM `sagacity`.`checklist` c ".
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ".
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ".
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ".
+ "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ".
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ".
+ "WHERE ".
+ "c.`name`='Orphan' AND ".
+ "fs.`status`=? AND ".
+ "fc.`ia_control`=? AND ".
+ "t.`ste_id`=? ".
+ "GROUP BY f.`pdi_id`".
+ "), 0) AS 'sum_count'";
+
+ ($na) = $dbh->selectrow_array($sql, undef, "Not Applicable", param('id'), param('ste_id'), "Not Applicable", param('id'), param('ste_id'));
+ ($nf) = $dbh->selectrow_array($sql, undef, "Not a Finding", param('id'), param('ste_id'), "Not a Finding", param('id'), param('ste_id'));
+ */
+ $na = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not Applicable");
+ $nf = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not a Finding");
+
+ $sql = "SELECT " .
+ "IFNULL((SELECT COUNT(1) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
+ "WHERE " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "fc.`ia_control`=? AND " .
+ "t.`ste_id`=? " .
+ "GROUP BY f.`tgt_id`" .
+ "), 0)" .
+ " + " .
+ "IFNULL((SELECT COUNT(1) " .
+ "FROM `sagacity`.`checklist` c " .
+ "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " .
+ "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " .
+ "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " .
+ "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
+ "WHERE " .
+ "c.`name`='Orphan' AND " .
+ "(fs.`status`='Open' OR fs.`status`='Exception') AND " .
+ "fc.`ia_control`=? AND " .
+ "t.`ste_id`=? " .
+ "GROUP BY f.`tgt_id`" .
+ "), 0) AS 'sum_count'";
+
+ $host_count = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']);
+
+ $ret .= "" .
+ "$cat_1 | " .
+ "$cat_2 | " .
+ "$cat_3 | " .
+ "$na | " .
+ "$nf | " .
+ "" . $unique['sum_count'] . " | " .
+ "" . $host_count['sum_count'] . " | " .
+ "" . ($cat_1 + $cat_2 + $cat_3) . " | " .
+ "
";
+
+ $ret .= "
" .
+ "
" .
+ "" .
+ "
" .
+ "" .
+ "" .
+ "STIG ID" .
+ " | Cat" .
+ " | M" .
+ " | Vulnerability Title" .
+ " | Affected Hosts" .
+ " | Notes (inc.)" .
+ " |
" .
+ "" .
+ ""
+ ;
+
+ $sql = "SELECT " .
+ "f.`pdi_id`,s.`stig_id`,f.`cat`,pdi.`short_title`," .
+ "(SELECT GROUP_CONCAT(fc.`ia_control` SEPARATOR ' ') " .
+ "FROM `sagacity`.`finding_controls` fc " .
+ "WHERE " .
+ "fc.`finding_id`=f.`id` " .
+ ") AS ia_controls " .
+ "FROM `sagacity`.`findings` f " .
+ "JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " .
+ "JOIN `sagacity`.`stigs` s ON s.`pdi_id`=f.`pdi_id` " .
+ "JOIN `sagacity`.`pdi_catalog` pdi ON pdi.`id`=f.`pdi_id` " .
+ "WHERE (fs.`status`='Open' OR fs.`status`='Exception') " .
+ "GROUP BY f.`pdi_id` " .
+ "HAVING ia_controls LIKE '%" . $_REQUEST['id'] . "%' " .
+ "ORDER BY s.`stig_id`"
+ ;
+
+ if ($res = $conn->query($sql)) {
+ while ($row = $res->fetch_assoc()) {
+ $cat = str_repeat("I", $row['cat']);
+ $ias = explode(" ", $row['ia_controls']);
+ $ia_cnt = (is_array($ias) ? count($ias) : 0);
+ $stig = str_replace(".", "", $row['stig_id']);
+
+ $sql2 = "SELECT " .
+ "GROUP_CONCAT(DISTINCT f.`id` SEPARATOR ',') AS 'finding_ids'," .
+ "GROUP_CONCAT(DISTINCT t.`name` SEPARATOR ', ') AS 'affected_hosts',f.`notes` " .
+ "FROM `sagacity`.`target` t " .
+ "JOIN `sagacity`.`findings` f ON f.`tgt_id`=t.`id` " .
+ "JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " .
+ "WHERE t.`ste_id`=? AND f.`pdi_id`=?";
+
+ $row = db_helper::selectrow_array($conn, $sql2, $_REQUEST['ste_id'], $row['pdi_id'])[0];
+ $ids = $row['finding_ids'];
+ $hosts = $row['affected_hosts'];
+ $notes = $row['notes'];
+
+ $ret .= "" .
+ "" . $row['stig_id'] . " | " .
+ "$cat | " .
+ "" .
+ ($ia_cnt > 1 ? " " : "") .
+ "" .
+ " | " .
+ "" . $row['short_title'] . " | " .
+ "$hosts | " .
+ "$notes | " .
+ "
";
+ }
+ }
+
+
+ $ret .= "
";
+
+ return $ret;
+}
+
+function update_risk_status()
+{
+ global $conn;
+ $sql = "UPDATE `sagacity`.`control_findings` SET `risk_status`=? WHERE `ste_id`=? AND `control_id`=?";
+ db_helper::run($conn, $sql, strtolower($_REQUEST['status']), $_REQUEST['ste_id'], $_REQUEST['ctrl_id']);
+}
+
+function update_risk_analysis()
+{
+ global $conn;
+ $sql = "UPDATE `sagacity`.`control_findings` SET `risk_analysis`=? WHERE `control_id`=? AND `ste_id`=?";
+ db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ctrl_id'], $_REQUEST['ste_id']);
+}
+
+function update_control_completion()
+{
+ global $conn;
+ $sql = "UPDATE `sagacity`.`control_findings` SET `done`=IF(`done`=1,0,1) WHERE `control_id`=? AND `ste_id`=?";
+ db_helper::run($conn, $sql, $_REQUEST['ctrl_id'], $_REQUEST['ste_id']);
+}
+
+function update_stig_control()
+{
+ global $conn;
+ $sql = "DELETE FROM `sagacity`.`finding_controls` WHERE `finding_id` IN (" . $_REQUEST['ids'] . ")";
+ $conn->real_query($sql);
+
+ $sql = "INSERT INTO `sagacity`.`finding_controls` (`finding_id`,`ia_control`) VALUES ";
+ $ids = explode(",", $_REQUEST['ids']);
+ for ($x = 0; $x < count($ids); $x++) {
+ $sql .= "(" . $ids[$x] . ",'" . $_REQUEST['ctrl_id'] . "'),";
+ }
+ $sql = substr($sql, 0, -1);
+ $conn->real_query($sql);
+}
+
+/**
+ * Function to get targets from the category
+ *
+ * @global db $db
+ *
+ * @param int $cat_id
+ *
+ * @return mixed
+ */
+function get_hosts($cat_id = null)
+{
+ global $db;
+ $ret = ['cat_id' => $cat_id];
+ $ste_id = filter_input(INPUT_COOKIE, 'ste', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+ $tgts = [];
+
+ if ($cat_id) {
+ $ste_cat = $db->get_Category($cat_id)[0];
+ $tgts = $db->get_Target_By_Category($cat_id);
+ }
+ elseif (is_numeric($ste_id)) {
+ $tgts = $db->get_Unassigned_Targets($ste_id);
+ }
+ else {
+ return json_encode(['error' => "Invalid info"]);
+ }
+
+ foreach ($tgts as $key => $tgt) {
+ $chks = $db->get_Target_Checklists($tgt->get_ID());
+ if ($cat_id) {
+ $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat);
+ }
+ else {
+ $exp_scan_srcs = null;
+ }
+ $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs);
+ $icons = [];
+ $icon_str = '';
+ $src_str = '';
+
+ foreach ($chks as $chk) {
+ if (!in_array($chk->get_Icon(), array_keys($icons))) {
+ $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon();
+ $icons[$chk->get_Icon()]['name'] = '';
+ }
+ $icons[$chk->get_Icon()]['name'] .= "{$chk->get_Name()} V{$chk->get_Version()}R{$chk->get_Release()} ({$chk->get_type()})" . PHP_EOL;
+ }
+
+ foreach ($icons as $icon => $data) {
+ $icon_str .= "
";
+ }
+
+ foreach ($scan_srcs as $key => $src) {
+ $icon = $src['src']->get_Icon();
+ if($src['scan_error']) {
+ $icon = strtolower($src['src']->get_Name()) . "-failed.png";
+ }
+
+ $src_str .= "
get_Name()}";
+ if (isset($src['count']) && $src['count']) {
+ $src_str .= " ({$src['count']})";
+ }
+ $src_str .= "' class='checklist_image' />";
+ }
+
+ $ret['targets'][] = array_merge([
+ 'id' => $tgt->get_ID(),
+ 'ste_id' => $tgt->get_STE_ID(),
+ 'name' => $tgt->get_Name(),
+ 'os' => $tgt->get_OS_String(),
+ 'location' => $tgt->get_Location(),
+ 'auto' => $tgt->get_Task_Status($tgt->get_Auto_Status_ID()),
+ 'man' => $tgt->get_Task_Status($tgt->get_Man_Status_ID()),
+ 'data' => $tgt->get_Task_Status($tgt->get_Data_Status_ID()),
+ 'fp' => $tgt->get_Task_Status($tgt->get_FP_Cat1_Status_ID()),
+ 'ip' => (count($tgt->interfaces) ? array_keys($tgt->interfaces)[0] : ''),
+ 'notes' => $tgt->getDisplayNotes(),
+ 'scans' => $src_str,
+ 'chk' => $icon_str,
+ 'nr' => $tgt->getNotReviewedCount(),
+ 'na' => $tgt->getNotApplicableCount(),
+ 'nf' => $tgt->getNotAFindingCount(),
+ 'cat_1' => $tgt->getCat1Count(),
+ 'cat_2' => $tgt->getCat2Count(),
+ 'cat_3' => $tgt->getCat3Count(),
+ 'comp' => $tgt->getCompliantPercent(),
+ 'assessed' => $tgt->getAssessedPercent()
+ ]);
+ }
+
+ return json_encode($ret);
+}
+
+function get_target_data()
+{
+ global $db;
+
+ $tgt = $db->get_Target_Details($_REQUEST['ste_id'], $_REQUEST['tgt_id'])[0];
+
+ switch ($_REQUEST['type']) {
+ case 'netstat':
+ return $tgt->get_Netstat_Connections();
+ case 'routes':
+ return $tgt->get_Routes();
+ case 'firewall':
+ return $tgt->get_Firewall_Config();
+ case 'shares':
+ return $tgt->get_Shares();
+ case 'mounted':
+ return $tgt->get_Mounted();
+ case 'process_list':
+ return $tgt->get_Process_List();
+ case 'autorun':
+ return $tgt->get_Autorun();
+ case 'services':
+ return $tgt->get_Services();
+ case 'remote_registry':
+ return $tgt->get_Remote_Registry();
+ case 'system':
+ return $tgt->get_System();
+ case 'bios':
+ return $tgt->get_BIOS();
+ case 'copyright':
+ return $tgt->get_Copyright();
+ case 'missing_patches':
+ return $tgt->get_Missing_Patches();
+ case 'user_list':
+ return $tgt->get_User_List();
+ case 'disabled_accts':
+ return $tgt->get_Disabled_Accts();
+ case 'stag_pwds':
+ return $tgt->get_Stag_Pwds();
+ case 'never_logged_in':
+ return $tgt->get_Never_Logged_In();
+ case 'pwds_never_expire':
+ return $tgt->get_Pwds_Never_Expire();
+ }
+
+ return null;
+}
+
+function target_filter($ste_id, $criteria)
+{
+ global $db, $conn;
+ $where = array();
+ $tgts = array();
+ $idx = 0;
+ $like = false;
+ $ret = array();
+
+ $search = explode("\n", $criteria);
+ unset($search[count($search) - 1]);
+
+ foreach ($search as $str) {
+ if (!$str) {
+ continue;
+ }
+ switch ($str) {
+ case (preg_match("/name /i", $str) ? true : false):
+ $where[] = "t.`name`";
+ break;
+ case (preg_match("/sw /i", $str) ? true : false):
+ $where[] = "sw.`cpe`";
+ break;
+ case (preg_match("/os /i", $str) ? true : false):
+ $where[] = "os.`cpe`";
+ break;
+ case (preg_match("/auto status /i", $str) ? true : false):
+ $where[] = "`as`.`status`";
+ break;
+ case (preg_match("/manual status /i", $str) ? true : false):
+ $where[] = "ms.`status`";
+ break;
+ case (preg_match("/data gathering status /i", $str) ? true : false):
+ $where[] = "ds.`status`";
+ break;
+ case (preg_match("/fp\/cat i status /i", $str) ? true : false):
+ $where[] = "fp.`status`";
+ break;
+ case (preg_match("/category /i", $str) ? true : false):
+ $where[] = "t.`cat_id`";
+ break;
+ case (preg_match("/open port /i", $str) ? true : false):
+ $where[] = "CONCAT(pps.`proto`,'/',pps.`port`)";
+ break;
+ default:
+ continue 2;
+ }
+
+ if (($pos = strpos($str, "!~")) !== false) {
+ $where[$idx] .= " NOT LIKE ";
+ $like = true;
+ }
+ elseif (($pos = strpos($str, "~=")) !== false) {
+ $where[$idx] .= " LIKE ";
+ $like = true;
+ }
+ elseif (($pos = strpos($str, "!=")) !== false) {
+ $where[$idx] .= " != ";
+ }
+ elseif (($pos = strpos($str, "=")) !== false) {
+ $where[$idx] .= " = ";
+ $pos--;
+ }
+
+ $where[$idx] .= "'" . ($like ? "%" : "") .
+ $conn->real_escape_string(substr($str, $pos + 4, -1)) .
+ ($like ? "%" : "") . "'";
+
+ $idx++;
+ $like = false;
+ }
+
+ $where_str = implode(" AND ", $where);
+
+ $sql = "SELECT COUNT(DISTINCT(t.`id`)) as 'cnt' " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " .
+ "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " .
+ "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " .
+ "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " .
+ "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " .
+ "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " .
+ "WHERE " .
+ $where_str
+ ;
+ $cnt = 0;
+ if ($res = $conn->query($sql)) {
+ $cnt = $res->fetch_array()[0];
+ }
+ else {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+ }
+ $ret['count'] = $cnt;
+
+ $sql = "SELECT DISTINCT(t.`id`) " .
+ "FROM `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " .
+ "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " .
+ "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " .
+ "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " .
+ "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " .
+ "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " .
+ "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " .
+ "WHERE " .
+ $where_str . " " .
+ ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "")
+ ;
+
+ if ($res = $conn->query($sql)) {
+ while ($row = $res->fetch_assoc()) {
+ $tgts[] = $db->get_Target_Details($_REQUEST['ste'], $row['id'])[0];
+ }
+ }
+ else {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+ }
+
+ foreach ($tgts as $tgt) {
+ $cat_id = $tgt->get_Cat_ID();
+ $ste_cat = $db->get_Category($cat_id);
+ $chks = $db->get_Target_Checklists($tgt->get_ID());
+ if (isset($cat_id)) {
+ $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat);
+ }
+ else {
+ $exp_scan_srcs = null;
+ }
+ $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs);
+ $icons = array();
+ $icon_str = '';
+ $src_str = '';
+
+ foreach ($chks as $chk) {
+ if (!in_array($chk->get_Icon(), array_keys($icons))) {
+ $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon();
+ $icons[$chk->get_Icon()]['name'] = '';
+ }
+ $icons[$chk->get_Icon()]['name'] .= $chk->get_Name() . " V" . $chk->get_Version() . "R" . $chk->get_Release() . " (" . $chk->get_type() . ")" . PHP_EOL;
+ }
+
+ foreach ($icons as $icon => $data) {
+ $icon_str .= "
";
+ }
+
+ foreach ($scan_srcs as $src) {
+ $src_str .= "
get_Icon() . "' title='" . $src['src']->get_Name();
+ if (isset($src['count']) && $src['count']) {
+ $src_str .= " (" . $src['count'] . ")";
+ }
+ $src_str .= "' class='checklist_image' />";
+ }
+
+ $ret['targets'][] = array_merge($tgt->get_JSON(), array(
+ 'scans' => $src_str,
+ 'chk' => $icon_str
+ ));
+ }
+
+ if (isset($ret['targets']) && is_array($ret['targets']) && count($ret['targets'])) {
+ return json_encode($ret);
+ }
+ else {
+ return json_encode(array('count' => 0));
+ }
+}
+
+function reference_filter($criteria)
+{
+ global $db, $conn;
+ $where = array();
+ $ref = array();
+ $idx = 0;
+ $ret = '';
+ $like = false;
+ $odd = true;
+
+ $sql = "SELECT * FROM `sagacity`.`pdi_catalog` pdi ";
+
+ $query = array(
+ 'cce' => array(
+ 'sql' => "LEFT JOIN `sagacity`.`cce` ON cce.`pdi_id`=pdi.`id` ",
+ 'added' => false
+ ),
+ 'cve' => array(
+ 'sql' => "LEFT JOIN `sagacity`.`cve` ON cve.`pdi_id`=pdi.`id` " .
+ "LEFT JOIN `sagacity`.`cve_db` ON cve_db.`cve_id`=cve.`cve_id` " .
+ "LEFT JOIN `sagacity`.`cve_references` ref ON ref.`cve_seq`=cve_db.`cve_id` " .
+ "LEFT JOIN `sagacity`.`cve_web` web ON web.`cve_id`=cve_db.`cve_id` ",
+ 'added' => false,
+ ),
+ 'vms' => array(
+ 'sql' => "LEFT JOIN `sagacity`.`golddisk` gd ON gd.`pdi_id`=pdi.`id` ",
+ 'added' => false,
+ ),
+ 'iavm' => array(
+ 'sql' => "LEFT JOIN `sagacity`.`iavm_notices` iavm ON iavm.`pdi_id`=pdi.`id` ",
+ 'added' => false,
+ )
+ );
+
+ $xml = new DOMDocument();
+ $xml->appendChild($root = xml_helper($xml, "root"));
+
+ $search = explode("\n", $criteria);
+ unset($search[count($search) - 1]);
+
+ foreach ($search as $str) {
+ switch ($str) {
+ case (preg_match("/cce /i", $str) ? true : false):
+ if (!$query['cce']['added']) {
+ $sql .= $query['cce']['sql'];
+ }
+ $query['cce']['added'] = true;
+ $where[] = "";
+ break;
+ case (preg_match("/cpe /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/cve /i", $str) ? true : false):
+ if (!$query['cve']['added']) {
+ $sql .= $query['cve']['sql'];
+ }
+ $query['cve']['added'] = true;
+ $where[] = "";
+ break;
+ case (preg_match("/ia control /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/iavm /i", $str) ? true : false):
+ if (!$query['iavm']['added']) {
+ $sql .= $query['iavm']['sql'];
+ }
+ $query['iavm']['added'] = true;
+ $where[] = "";
+ break;
+ case (preg_match("/nessus plugin id /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/oval /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/reference /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/stig id /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/sv rule /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/vms id /i", $str) ? true : false):
+ if (!$query['vms']['added']) {
+ $sql .= $query['vms']['sql'];
+ }
+ $query['vms']['added'] = true;
+ $where[] = "";
+ break;
+ case (preg_match("/vendor advisory /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/check contents /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/short title /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ case (preg_match("/description /i", $str) ? true : false):
+ $where[] = "";
+ break;
+ default:
+ continue 2;
+ }
+
+ if (($pos = strpos($str, "!~")) !== false) {
+ $where[$idx] .= " NOT LIKE ";
+ $like = true;
+ }
+ elseif (($pos = strpos($str, "~=")) !== false) {
+ $where[$idx] .= " LIKE ";
+ $like = true;
+ }
+ elseif (($pos = strpos($str, "!=")) !== false) {
+ $where[$idx] .= " != ";
+ }
+ elseif (($pos = strpos($str, "=")) !== false) {
+ $where[$idx] .= " = ";
+ $pos--;
+ }
+
+ $where[$idx] .= "'" . ($like ? "%" : "") .
+ $conn->real_escape_string(substr($str, $pos + 4, -1)) .
+ ($like ? "%" : "") . "'";
+
+ $idx++;
+ $like = false;
+ }
+
+ $where_str = implode(" AND ", $where);
+
+ $sql = "SELECT COUNT(t.`id`) as 'cnt' " .
+ "WHERE " .
+ $where_str;
+
+ $cnt = 0;
+ if ($res = $conn->query($sql)) {
+ $cnt = $res->fetch_array()[0];
+ }
+ else {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+ }
+ $root->setAttribute('count', $cnt);
+
+ $sql = "SELECT t.`id` " .
+ " " .
+ "WHERE " .
+ $where_str . " " .
+ ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "")
+ ;
+
+ if ($res = $conn->query($sql)) {
+ while ($row = $res->fetch_assoc()) {
+
+ }
+ }
+ else {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+ }
+
+ return $xml->saveXML();
+}
+
+function scan_filter($ste_id, $criteria)
+{
+
+}
+
+function finding_filter($ste_id, $criteria)
+{
+
+}
+
+function get_saved_filter($type, $filter_name)
+{
+ global $db;
+ $filter = $db->get_Filters($type, $filter_name);
+ $ret = array();
+
+ if (is_array($filter) && count($filter)) {
+ $filter = $filter[0];
+ foreach (explode("\n", $filter['criteria']) as $cri) {
+ if ($cri)
+ $ret[] = $cri;
+ }
+ }
+
+ return json_encode($ret);
+}
+
+function update_target_field($field, $data)
+{
+ global $db, $conn;
+
+ $sql = "UPDATE `sagacity`.`target` t " .
+ "LEFT JOIN `sagacity`.`target_software` ts ON t.`id`=ts.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`target_net_meta` tnm ON t.`id`=tnm.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`target_sys_meta` tsm ON t.`id`=tsm.`tgt_id` " .
+ "LEFT JOIN `sagacity`.`target_user_meta` tum ON t.`id`=tum.`tgt_id` " .
+ "SET ";
+
+ switch ($field) {
+ case 'name':
+ $sql .= "t.`name`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'location':
+ $sql .= "t.`location`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'wmi_pid':
+ $sql .= "tsm.`wmi_listening_pid`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'last_login':
+ $sql .= "tum.`last_login`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'login':
+ $sql .= "tum.`login`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'notes':
+ $sql .= "t.`notes`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'auto_status':
+ $sql .= "t.`auto_status_id`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'man_status':
+ $sql .= "t.`man_status_id`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'data_status':
+ $sql .= "t.`data_status_id`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'fp-cat1_status':
+ $sql .= "t.`fp_cat1_status_id`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'vm':
+ $sql .= "tsm.`is_vm`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'pp_on':
+ $sql .= "t.`pp_off`=" . ($data == '1' ? '0' : '1');
+ break;
+ case 'netstat_data':
+ $sql .= "tnm.`netstat_connections`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'routes_data':
+ $sql .= "tnm.`routes`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'shares_data':
+ $sql .= "tnm.`shares`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'firewall_data':
+ $sql .= "tnm.`firewall_config`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'mounted_data':
+ $sql .= "tsm.`mounted`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'process_list_data':
+ $sql .= "tsm.`process_list`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'autorun_data':
+ $sql .= "tsm.`autorun`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'services_data':
+ $sql .= "tsm.`services`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'remote_registry_data':
+ $sql .= "tsm.`remote_registry`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'copyright_data':
+ $sql .= "tsm.`copyrighted`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'system_data':
+ $sql .= "tsm.`system`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'bios_data':
+ $sql .= "tsm.`bios`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'missing_patches_data':
+ $sql .= "t.`missing_patches`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'user_list_data':
+ $sql .= "tum.`user_list`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'disabled_accts_data':
+ $sql .= "tum.`disabled_accts`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'stag_pwds_data':
+ $sql .= "tum.`stag_pwds`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'never_logged_in_data':
+ $sql .= "tum.`never_logged_in`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case 'pwds_never_expire_data':
+ $sql .= "tum.`pwd_never_expires`='" . $conn->real_escape_string($data) . "'";
+ break;
+ case '':
+ $sql .= "='" . $conn->real_escape_string($data) . "'";
+ break;
+ }
+
+ $sql .= " WHERE t.`id`=" . $conn->real_escape_string($_REQUEST['tgt_id']);
+
+ if (!$conn->real_query($sql)) {
+ error_log($conn->error);
+ Sagacity_Error::sql_handler($sql);
+
+ return 'false';
+ }
+
+ return 'true';
+}
+
+function get_category_details($cat_id)
+{
+ global $db;
+ $cat = $db->get_Category($cat_id);
+ if (is_array($cat) && count($cat) && isset($cat[0]) && is_a($cat[0], 'ste_cat')) {
+ $cat = $cat[0];
+ }
+ else {
+ return 'no category found';
+ }
+
+ return json_encode([
+ 'id' => $cat->get_ID(),
+ 'name' => $cat->get_Name(),
+ 'analyst' => $cat->get_Analyst(),
+ 'sources' => $cat->get_Sources()
+ ]);
+}