<?php /** * File: update_db.php * Purpose: Script to download updated versions of the online files and update the database * Author: Ryan Prather * Created: Jan 5, 2015 * * Portions Copyright 2016-2018: Cyber Perspectives, LLC, All rights reserved * Released under the Apache v2.0 License * * Portions Copyright (c) 2012-2015, Salient Federal Solutions * Portions Copyright (c) 2008-2011, Science Applications International Corporation (SAIC) * Released under Modified BSD License * * See license.txt for details * * Change Log: * - Jan 5, 2015 - File Created * - Sep 1, 2016 - Copyright Updated and added file header * - Oct 24, 2016 - Added check for presence of /tmp/cce, /tmp/cve, & /tmp/cpe directories before downloading * - Nov 9, 2016 - Added command line parameters for each of the update types (CVE, CPE, CCE), * Added detection if the file from same day already exists, added "download only" option, * Added mkdir if temporary directories don't exist, added usage output, * Changed URL for CCE and CPE to HTTPS paths * - Nov 21, 2016 - Cleaned up code a little and added 3 second sleep between commands so user can see results * - Dec 7, 2016 - Changed PHP constant to PHP_BIN * - Jan 30, 2017 - Updated to parse Nessus NASL plugin update file * - Jan 31, 2017 - Completed NASL plugin parsing * - Feb 15, 2017 - Completed adding STIG download and update, added parse only (po) flag for offline systems, * Added ping method to check for connection to internet. Added url_exists method to check for presence of file before attempting to download. * - Feb 21, 2017 - Extended output for nasl on Windows hosts, store existing plugins in memory to speed up processing, * Delete files if there are parsing errors, added --delete flag when parsing stigs, * Added check to see if STIG file has been downloaded already today * - Mar 3, 2017 - Fixed output of tar command like Jeff suggested, and clarified -u parameter * - Mar 8, 2017 - Added check for presence of downloaded files before attempting to parse * - Mar 13, 2017 - Cleaned up downloads of STIG compilation file, added check for *v2.zip file * - Mar 17, 2017 - Added check for previous STIG file that contains '_v2' at the end of the file, * Added check for any other *.zip files in the /tmp folder just in case user only wants to upgrade FOUO files or individual XML files * - Mar 20, 2017 - Added check for previous STIG that includes '_v2' at end of filename, and added checks to fix issues when FOUO file is present * - Mar 22, 2017 - Added check for extracted STIG files in /tmp/stig/xml/*.xml * - Apr 5, 2017 - Added check for previous STIG compilation_v2, so will now check for 4 different naming possibilities, * Extended TIME_WAIT ports to 2000, started time totaling process * - Apr 7, 2017 - Fixed typo in printed tar command * - May 13, 2017 - Clarified if it cannot access the internet instead of "cannot connect to server" * Fixed confusion with Cygwin and Bash on Windows paths * - Jun 27, 2017 - Matt Shuter: Fixed bug #262 & #270 * - Dec 27, 2017 - Added database field and download progress flag * - Apr 29, 2018 - Added extract parameter to only extract nasl archive file, fixed a couple bugs * - May 10, 2018 - Removed ping of cve.mitre.org, and added 'po' and 'do' parameters for NVD CVE * - Jun 5, 2018 - Fixed a couple setting updates * - Sep 18, 2018 - Jeff - Added --sunset switch for Installing Sunset STIGs from https://iase.disa.mil/stigs/sunset/Pages/index.aspx */ include_once 'config.inc'; include_once 'helper.inc'; include_once 'error.inc'; include_once 'database.inc'; include_once 'DateTimeDiff.php'; include_once 'vendor/autoload.php'; use Monolog\Logger; use Monolog\Handler\StreamHandler; use Monolog\Formatter\LineFormatter; $current_date = new DateTime(); $total_complete = 0; $threads = []; $cmd = getopt("h::u::p::", ['cpe::', 'cce::', 'cve::', 'nvd::', 'nasl::', 'stig::', 'sunset::', 'do::', 'po::', 'help::', 'debug::', 'extract::', 'exclude::']); $db = new db(); $diff = new DateTimeDiff(); $log_level = Logger::ERROR; switch (LOG_LEVEL) { case E_WARNING: $log_level = Logger::WARNING; break; case E_NOTICE: $log_level = Logger::NOTICE; break; case E_DEBUG: $log_level = Logger::DEBUG; } if (isset($cmd['debug']) && $cmd['debug']) { $log_level = Logger::DEBUG; } $stream = new StreamHandler("php://output", $log_level); $stream->setFormatter(new LineFormatter("%datetime% %level_name% %message%" . PHP_EOL, "H:i:s.u")); $log = new Logger("update_db"); $log->pushHandler(new StreamHandler(LOG_PATH . "/update_db.log", $log_level)); $log->pushHandler($stream); if (isset($cmd['h'], $cmd['help']) || (!isset($cmd['cpe']) && !isset($cmd['cve']) && !isset($cmd['nasl']) && !isset($cmd['stig']) && !isset($cmd['sunset']) && !isset($cmd['nvd']))) { die(usage()); } if (isset($cmd['do']) || !isset($cmd['po'])) { if (!ping("cyberperspectives.com")) { $log->emergency("Cannot connect to internet"); } } /** * Update CPE content downloaded from NIST */ if (isset($cmd['cpe'])) { $db->set_Setting_Array([ 'cpe-dl-progress' => 0, 'cpe-progress' => 0, 'cpe-count' => 0 ]); $path = TMP . "/cpe"; if (isset($cmd['p']) && $cmd['p']) { $path = $cmd['p']; } check_path($path); $diff->resetClock(); print "Started CPE ingestion ({$diff->getStartClockTime()})" . PHP_EOL; // search for an unzip any zip files in the tmp directory $zip_files = glob("{$path}/*cpe-dictionary*.zip"); if (count($zip_files)) { $log->debug("Found a existing cpe-dictionary.zip file, unzipping then parsing"); $zip = new ZipArchive(); foreach ($zip_files as $file) { $log->debug("Unzipping {$file}"); $zip->open($file); $zip->extractTo($path); $zip->close(); unlink($file); } } // search for any existing cpe-dictionary files in the /tmp directory $tmp_files = glob(TMP . "/*cpe-dictionary*.xml"); if (count($tmp_files)) { $log->debug("Found existing cpe-dictionary.xml file in TMP folder, moving to TMP/cpe then processing"); foreach ($tmp_files as $fname) { $name = basename($fname); if ($name == 'official-cpe-dictionary_v2.3.xml') { $name = "cpe-dictionary-{$diff->getStartClock()->format("Ymd")}.xml"; } rename($fname, "{$path}/{$name}"); } } $cpe_fname = realpath($path) . "/cpe-dictionary-{$current_date->format('Ymd')}.xml"; $cpe_url = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml"; $cpe_parse_fname = null; // download the file if the do flag is used even if it already exists if (isset($cmd['do']) && !isset($cmd['po'])) { download_file($cpe_url, $cpe_fname, $db->help, 'cpe-dl-progress'); } // download the file only if it doesn't exist elseif (!file_exists($cpe_fname) && !isset($cmd['po'])) { download_file($cpe_url, $cpe_fname, $db->help, 'cpe-dl-progress'); } elseif (!isset($cmd['po'])) { $log->error("Could not connect to nist.gov to download the CPE library"); die(); } $dt = new DateTime(); if (!isset($cmd['do']) || isset($cmd['po'])) { $cpe_files = glob("{$path}/*cpe-dictionary*.xml"); rsort($cpe_files, SORT_NATURAL); if (count($cpe_files)) { $match = []; if (preg_match("/cpe\-dictionary\-([\d]+)\.xml/", $cpe_files[0], $match)) { $dt = DateTime::createFromFormat("Ymd", $match[1]); $seven_days_old = new DateTime(); $seven_days_old->sub(DateInterval::createFromDateString("7 days")); if ($dt < $seven_days_old) { $log->warning("The file that is being ingested is more than 7 days old ({$dt->format('Y-m-d')})"); } $cpe_parse_fname = $cpe_files[0]; } else { $log->warning("Don't know when the file was downloaded, but parsing it anyway"); $cpe_parse_fname = $cpe_files[0]; } } if (is_null($cpe_parse_fname)) { $log->warning("Could not find a CPE file to parse"); } $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/parse_cpe.php") . " --" . " -f=\"" . realpath($cpe_parse_fname) . "\"" . " -d=\"{$dt->format("Y-m-d")}\""; $log->debug("Running CPE parsing script on file: $cpe_parse_fname"); passthru($script); } $db->help->select_count("software"); $cpe_count = $db->help->execute(); $db->set_Setting("cpe-count", $cpe_count); $diff->stopClock(); print PHP_EOL . "Finished at {$diff->getEndClockTime()}" . PHP_EOL . "Total time: {$diff->getDiffString()}" . PHP_EOL; sleep(3); } /** * Update CVE content */ if (isset($cmd['cve'])) { $db->set_Setting_Array([ 'nvd-cve-dl-progress' => 0, 'nvd-cve-progress' => 0, 'nvd-cve-count' => 0, 'cve-dl-progress' => 0, 'cve-progress' => 0, 'cve-count' => 0 ]); $path = TMP . "/cve"; if (isset($cmd['p']) && $cmd['p']) { $path = $cmd['p']; } check_path($path); $diff->resetClock(); print "Started CVE ingestion {$diff->getStartClockTime()}" . PHP_EOL; $cve_files = glob(TMP . "/allitems.xml"); if (count($cve_files)) { foreach ($cve_files as $file) { rename($file, "{$path}/cve-all-{$diff->getStartClock()->format("Ymd")}.xml"); } } $tmp_files = glob("{$path}/cve*.xml"); if (count($tmp_files)) { foreach ($tmp_files as $fname) { rename($fname, "{$path}/" . basename($fname)); } } $cve_fname = realpath($path) . "/cve-all-{$current_date->format('Ymd')}.xml"; $cve_url = "http://cve.mitre.org/data/downloads/allitems.xml"; $cve_parse_fname = null; if (isset($cmd['do']) && !isset($cmd['po'])) { download_file($cve_url, $cve_fname, $db->help, 'cve-dl-progress'); } elseif (!file_exists($cve_fname) && !isset($cmd['po'])) { download_file($cve_url, $cve_fname, $db->help, 'cve-dl-progress'); } elseif (!isset($cmd['po'])) { Sagacity_Error::err_handler("Could not connect to cve.mitre.org to download the CVE library", E_ERROR); } if (!isset($cmd['do']) || isset($cmd['po'])) { $cve_files = glob("{$path}/cve-all-*.xml"); rsort($cve_files, SORT_NATURAL); if (count($cve_files)) { $match = []; if (preg_match("/cve\-all\-([\d]+)\.xml/", $cve_files[0], $match)) { $dt = DateTime::createFromFormat("Ymd", $match[1]); $seven_days_old = new DateTime(); $seven_days_old->sub(DateInterval::createFromDateString("7 days")); if ($dt < $seven_days_old) { $log->warning("The CVE file that is being ingested is more than 7 days old ({$dt->format('Y-m-d')})"); } $cve_parse_fname = $cve_files[0]; } } if (is_null($cve_parse_fname)) { $log->error("Could not find a CVE file to parse"); die; } $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/parse_cve.php") . " --" . " -f=\"" . realpath($cve_parse_fname) . "\"" . " -d=\"{$dt->format("Y-m-d")}\""; $log->debug("Script to run $script"); passthru($script); } $db->help->select_count("sagacity.cve_db"); $cve_count = $db->help->execute(); $db->set_Setting_Array([ 'cve-dl-progress' => 100, 'cve-progress' => 100, 'cve-count' => $cve_count, 'cve-load-date' => new DateTime(), 'nvd-cve-dl-progress' => 100, 'nvd-cve-progress' => 100, 'nvd-cve-count' => $cve_count, 'nvd-cve-load-date' => new DateTime() ]); $diff->stopClock(); print "Finished at {$diff->getEndClockTime()}" . PHP_EOL . "Total Time: {$diff->getDiffString()}" . PHP_EOL; sleep(3); } /** * Update to NVD CVE content */ if (isset($cmd['nvd'])) { $db->set_Setting_Array([ 'nvd-cve-dl-progress' => 0, 'nvd-cve-progress' => 0, 'nvd-cve-count' => 0, 'cve-dl-progress' => 0, 'cve-progress' => 0, 'cve-count' => 0 ]); $path = TMP . "/nvd"; if (isset($cmd['p']) && $cmd['p']) { $path = $cmd['p']; } check_path($path); $diff->resetClock(); print "Started NVD CVE ingestion ({$diff->getStartClockTime()})" . PHP_EOL; $nvd_years = []; for ($x = 2002; $x <= $diff->getStartClock()->format("Y"); $x++) { $nvd_years[] = $x; } if (isset($cmd['do']) || !isset($cmd['po'])) { $too_old = new DateTime(); $too_old->sub(DateInterval::createFromDateString("7 days")); $load_date = new DateTime($db->get_Settings("nvd-cve-load-date")); if ($load_date < $too_old) { // More than 7 days old so have to do a full load foreach ($nvd_years as $x => $yr) { $db->set_Setting('nvd-year', $yr); $db->set_Setting('nvd-cve-dl-progress', (($x + 1) / count($nvd_years)) * 100); download_file("https://static.nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-{$yr}.json.zip", TMP . "/nvd/nvdcve-{$yr}.json.zip"); $zip = new ZipArchive(); $zip->open(TMP . "/nvd/nvdcve-{$yr}.json.zip"); $zip->extractTo(TMP . "/nvd"); $zip->close(); unlink(TMP . "/nvd/nvdcve-{$yr}.json.zip"); } } else { $db->set_Setting('nvd-year', 'modified'); download_file("https://static.nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.json.zip", TMP . "/nvd/nvdcve-modified.json.zip", $db->help, 'nvd-cve-dl-progress'); $zip = new ZipArchive(); $zip->open(TMP . "/nvd/nvdcve-modified.json.zip"); $zip->extractTo(TMP . "/nvd"); $zip->close(); unlink(TMP . "/nvd/nvdcve-modified.json.zip"); $db->set_Setting('nvd-year', 'recent'); download_file("https://static.nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-recent.json.zip", TMP . "/nvd/nvdcve-recent.json.zip", $db->help, 'nvd-cve-dl-progress'); $zip->open(TMP . "/nvd/nvdcve-recent.json.zip"); $zip->extractTo(TMP . "/nvd"); $zip->close(); unlink(TMP . "/nvd/nvdcve-recent.json.zip"); } } chdir(DOC_ROOT . "/exec"); if (isset($cmd['po']) || !isset($cmd['do'])) { $json_files = glob(TMP . "/nvd/*.json"); foreach ($json_files as $x => $j) { $match = []; if (preg_match("/(\d{4}|recent|modified)/", basename($j), $match)) { $db->set_Setting('nvd-year', $match[1]); } else { $db->set_Setting('nvd-year', null); } $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/parse_nvd_json_cve.php") . " --" . " -f=\"" . realpath($j) . "\""; $log->debug("Running NVD CVE parsing script on file: $j"); passthru($script); $db->set_Setting('nvd-cve-progress', (($x + 1) / count($json_files)) * 100); } } $db->help->select_count("sagacity.cve_db"); $nvd_count = $db->help->execute(); $diff->stopClock(); print "Finished at {$diff->getEndClockTime()}" . PHP_EOL . "Total time {$diff->getTotalDiffString()}" . PHP_EOL; $db->set_Setting_Array([ 'nvd-cve-load-date' => $diff->getEndClock()->format(MYSQL_DT_FORMAT), 'nvd-cve-count' => $nvd_count, 'nvd-cve-progress' => 100, 'nvd-cve-dl-progress' => 100, 'nvd-year' => null, 'cve-load-date' => $diff->getEndClock()->format(MYSQL_DT_FORMAT), 'cve-count' => $nvd_count, 'cve-progress' => 100, 'cve-dl-progress' => 100 ]); } /** * Update CCE content */ if (isset($cmd['cce'])) { check_path(TMP . "/cce"); $cce_fname = TMP . "/cce/cce-all-20130214.xml"; if (!file_exists($cce_fname) && ping("nist.gov") && !isset($cmd['po'])) { download_file("https://static.nvd.nist.gov/feeds/xml/cce/cce-COMBINED-5.20130214.xml", $cce_fname); } if (!isset($cmd['do']) || isset($cmd['po'])) { } sleep(3); } /** * Parse NASL content from NVT and/or Nessus */ if (isset($cmd['nasl'])) { $db->set_Setting_Array([ 'nasl-dl-progress' => 0, 'nasl-progress' => 0, 'nasl-count' => 0 ]); $count = 0; check_path(TMP . "/nessus_plugins"); // Capture start time for performance monitoring $diff->resetClock(); print "Started NASL ingestion ({$diff->getStartClockTime()})" . PHP_EOL; // Generate a unique filename for the OpenVAS feed archive using the current date $nasl_fname = TMP . "/nessus_plugins/nasl_plugins-{$current_date->format("Ymd")}.tar.bz2"; // Download OpenVAS feed if a) it doesn't exist, b) can reach openvas.org, and c) parse only flag not set if (!file_exists($nasl_fname) && ping("openvas.org") && !isset($cmd['po'])) { $log->debug("Downloading new NASL library"); download_file("http://www.openvas.org/openvas-nvt-feed-current.tar.bz2", $nasl_fname, $db->help, 'nasl-dl-progress'); } // Can only extract .tar.bz2 files on Linux so... if (!isset($cmd['do']) || isset($cmd['po'])) { if (file_exists($nasl_fname)) { if (substr(strtolower(PHP_OS), 0, 3) == 'lin') { $log->debug("Extracting NASL files from archive"); passthru("tar xvf $nasl_fname -C " . realpath(TMP . "/nessus_plugins") . " --wildcards --transform='s/.*\///' '*.nasl'"); if (isset($cmd['extract'])) { print "Completed extracting files from archive" . PHP_EOL; } } } if (isset($cmd['extract'])) { die; } // ...if there are no .nasl files in the directory, die and give instructions for unzipping in Windows $files = glob(TMP . "/nessus_plugins/*.nasl"); if (strtolower(substr(PHP_OS, 0, 3)) == 'win') { if (file_exists(getenv("%ProgramData%") . "/Tenable/Nessus/nessus/plugins")) { $log->debug("Importing local Nessus plugin files"); $files = array_merge($files, glob(getenv("%ProgramData%") . "/Tenable/Nessus/nessus/plugins/*.nasl")); } } elseif (strtolower(substr(PHP_OS, 0, 3)) == 'lin') { if (file_exists("/opt/nessus/lib/nessus/plugins") && is_readable("/opt/nessus/lib/nessus/plugins")) { $log->debug("Importing local Nessus plugin files"); $files = array_merge($files, glob("/opt/nessus/lib/nessus/plugins/*.nasl")); } if (file_exists("/opt/sc/data/nasl") && is_readable("/opt/sc/data/nasl")) { $log->debug("Importing local Nessus plugin files"); $files = array_merge($files, glob("/opt/sc/data/nasl/*.nasl")); } } $files = array_unique($files); if (!($file_count = count($files))) { $log->emergency("Downloaded the OpenVAS NVT plugin repository, please extract *.nasl files to " . realpath(TMP . "/nessus_plugins") . PHP_EOL . "If you have Bash on Windows ({path} = /mnt/c/xampp/www) or Cygwin ({path} = /cygdrive/c/xampp/www) installed you can run the following command on the downloaded file tweaking the paths" . PHP_EOL . "tar xvf {path}/tmp/nessus_plugins/" . basename($nasl_fname) . " -C {path}/tmp/nessus_plugins --wildcards --transform='s/.*\///' '*.nasl'" . PHP_EOL); die; } // Report how many NASL files were found in the directory print "Found {$file_count} NASL files" . PHP_EOL . "Started at {$diff->getStartClockTime()}" . PHP_EOL; // Query database to build an array of existing plugins to compare against on import $existing_plugins = []; $db->help->select("nessus_plugins", ['plugin_id', 'file_date']); $rows = $db->help->execute(); if (is_array($rows) && count($rows)) { foreach ($rows as $row) { $existing_plugins[$row['plugin_id']] = DateTime::createFromFormat("U", $row['file_date']); } } $log->debug("Count of existing plugins " . count($existing_plugins)); // Sort the files and loop over them natsort($files); foreach ($files as $file) { // Read the current NASL file into a nasl object $nasl = new nasl($file); // calculate percent complete $comp = number_format(($total_complete / $file_count) * 100, 2); print "\r{$comp}%"; $log->debug("Parsing {$file} ({$comp}%)"); // If no plugin ID, delete file and continue to the next plugin if (!isset($nasl->id)) { $log->warning("Could not locate an ID in the plugin, skipping"); unlink($file); continue; } // Only process if plugin doesn't already exist or has an older last_modificaiton date if (!isset($existing_plugins[$nasl->id]) || (isset($nasl->last_modification) && $existing_plugins[$nasl->id] > $nasl->last_modification)) { $log->info("Updating plugin {$nasl->id}"); // define command line to call script to parse the file $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/nessus-plugin-to-database.php") . " --" . " -f=\"{$file}\""; $threads[] = new \Cocur\BackgroundProcess\BackgroundProcess($script); end($threads)->run(); $count++; $total_complete++; if($total_complete % 100 == 0) { $db->set_Setting('nasl-progress', $comp); } } } } $db->set_Setting_Array([ 'nasl-dl-progress' => 100, 'nasl-progress' => 100, 'nasl-count' => $total_complete, 'nasl-load-date' => new DateTime() ]); $diff->stopClock(); print PHP_EOL . "Finished at {$diff->getEndClockTime()}" . PHP_EOL . "Total Time: {$diff->getDiffString()}" . PHP_EOL; sleep(3); } /** * Update STIG library from DISA content */ if (isset($cmd['stig'])) { $db->set_Setting_Array([ 'stig-dl-progress' => 0, 'stig-progress' => 0, 'stig-count' => 0 ]); $path = TMP . "/stigs"; check_path(TMP . "/stigs"); check_path(TMP . "/stigs/zip"); $sunset_array = []; $diff->resetClock(); print "Started STIG ingestion ({$diff->getStartClockTime()})" . PHP_EOL; $mon = '01'; $prev_mon = '10'; $year = (int) $current_date->format("Y"); if (between($current_date->format("n"), 4, 6)) { $mon = '04'; $prev_mon = '01'; } elseif (between($current_date->format("n"), 7, 9)) { $mon = '07'; $prev_mon = '04'; } elseif (between($current_date->format("n"), 10, 12)) { $mon = '10'; $prev_mon = '07'; } $current_url = "https://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$mon}.zip"; $current_v2_url = "https://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$mon}_v2.zip"; $sunset_url = "https://iase.disa.mil/stigs/Lists/Sunset%20Master%20List/FinalView.aspx"; $stig_fname = "{$path}/stig_library-{$year}_{$mon}.zip"; if (!file_exists($stig_fname) && ping("disa.mil") && !isset($cmd['po'])) { if (isset($cmd['u'])) { $url = $cmd['u']; $log->debug("Checking for $url"); if (url_exists($url)) { download_file($url, $stig_fname, $db->help, 'stig-dl-progress'); } } else { $log->debug("Checking for $current_url"); if ($found = url_exists($current_url)) { download_file($current_url, $stig_fname, $db->help, 'stig-dl-progress'); } if (!$found) { $log->debug("Checking for $current_v2_url"); if ($found = url_exists($current_v2_url)) { download_file($current_v2_url, $stig_fname, $db->help, 'stig-dl-progress'); } } if ($mon == '01') { $year--; } $prev_url = "https://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$prev_mon}.zip"; $prev_v2_url = "https://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$prev_mon}_v2.zip"; if (!$found) { $log->debug("Checking for $prev_url"); if ($found = url_exists($prev_url)) { download_file($prev_url, $stig_fname, $db->help, 'stig-dl-progress'); } } if (!$found) { $log->debug("Checking for $prev_v2_url"); if (url_exists($prev_v2_url)) { download_file($prev_v2_url, $stig_fname, $db->help, 'stig-dl-progress'); } } } } if(ping("disa.mil") && !isset($cmd['po'])) { $log->debug("Checking for $sunset_url"); if(url_exists($sunset_url)) { $log->debug("Downloading sunset STIGs"); $contents = file_get_contents($sunset_url); preg_match_all("/a href=\"([^ ]+STIG\.zip)/", $contents, $sunset_array); if(is_array($sunset_array) && isset($sunset_array[1]) && count($sunset_array[1])) { foreach($sunset_array[1] as $url) { $sunset_fname = basename($url); download_file($url, TMP . "/stigs/zip/{$sunset_fname}"); } } } } if (!isset($cmd['do']) || isset($cmd['po'])) { $stig_files = array_merge( glob("{$path}/*.zip"), glob("{$path}/*.xml"), glob(TMP . "/*.zip"), glob(TMP . "/*.xml"), glob(TMP . "/stigs/xml/*.xml") ); if (!count($stig_files)) { die("Could not locate any XCCDF STIG libraries " . realpath(TMP)); } $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/background_stigs.php") . " --" . (isset($cmd['exclude']) && $cmd['exclude'] ? " --exclude=\"{$cmd['exclude']}\"" : "") . " --delete"; $log->debug("Script to run $script"); passthru($script); } $db->help->select_count("sagacity.stigs"); $stig_count = $db->help->execute(); $db->set_Setting("stig-count", $stig_count); $diff->stopClock(); print PHP_EOL . "Finished at {$diff->getEndClockTime()}" . PHP_EOL . "Total Time: {$diff->getDiffString()}" . PHP_EOL; sleep(3); } if (is_a($diff->getTotalDiff(), 'DateInterval')) { print "Total Script Time: {$diff->getTotalDiffString()}" . PHP_EOL; } /** * Function to download the latest STIG compilation library zip file for extraction and updating */ function getStigLibrary() { global $current_date, $cmd, $log, $db; $path = TMP; $mon = '01'; $prev_mon = '10'; $year = (int) $current_date->format("Y"); if (between($current_date->format("n"), 4, 6)) { $mon = '04'; $prev_mon = '01'; } elseif (between($current_date->format("n"), 7, 9)) { $mon = '07'; $prev_mon = '04'; } elseif (between($current_date->format("n"), 10, 12)) { $mon = '10'; $prev_mon = '07'; } $current_url = "http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$mon}.zip"; $current_v2_url = "http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$mon}_v2.zip"; $stig_fname = "{$path}/stig_library-{$year}_{$mon}.zip"; if (!file_exists($stig_fname) && ping("disa.mil") && !isset($cmd['po'])) { if (isset($cmd['u'])) { $url = $cmd['u']; $log->debug("Checking for $url"); if (url_exists($url)) { download_file($url, $stig_fname, $db->help, 'stig-dl-progress'); } } else { $log->debug("Checking for $current_url"); if ($found = url_exists($current_url)) { download_file($current_url, $stig_fname, $db->help, 'stig-dl-progress'); } if (!$found) { $log->debug("Checking for $current_v2_url"); if ($found = url_exists($current_v2_url)) { download_file($current_v2_url, $stig_fname, $db->help, 'stig-dl-progress'); } } if ($mon == '01') { $year--; } $prev_url = "http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$prev_mon}.zip"; $prev_v2_url = "http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_{$year}_{$prev_mon}_v2.zip"; if (!$found) { $log->debug("Checking for $prev_url"); if ($found = url_exists($prev_url)) { download_file($prev_url, $stig_fname, $db->help, 'stig-dl-progress'); } } if (!$found) { $log->debug("Checking for $prev_v2_url"); if (url_exists($prev_v2_url)) { download_file($prev_v2_url, $stig_fname, $db->help, 'stig-dl-progress'); } } } } } /** * Usage information about the script */ function usage() { $tmp = realpath(TMP); print <<<EOO Purpose: The purpose of this script is to update the CVE, CPE, and CCE databases. Script will sleep for 3 seconds between actions to allow you review the results. Usage: php update_db.php [--cpe] [--cve] [--nvd] [--nasl] [--stig] [-u={URL}] [--do] [--po] [-h|--help] [--debug] [--exclude="ex1"] --cpe To download and update the CPE catalog --cve To download and update the CVE catalog using Mitre's database --nvd To download and update the CVE catalog using the National Vulnerability Database (NVD) JSON library --nasl To download OpenVAS NVT library and update NASL files You can also extract *.nasl files from the Nessus library to $tmp/nessus_plugins and it will include these in the update --stig To download and update the STIG library --do To download the files only...do not call the parsers will overwrite any existing files --po To parse the downloaded files only, do not download --exclude="ex1" Insert a valid regex expression (properly escaped) to exclude specific STIGs from parsing (no '/' necessary) --extract Used so script will download and extract files from archive and stop processing -u={url} Used only for STIGs because sometimes DISA will use a non-standard link which makes it difficult to download the file. -h|--help This screen --debug To print verbose debugging messages to the console EOO; }