sagacity/setup.php
Ryan Prather a32988ed03
parse_excel_echecklist.php:
Skip parsing orphan worksheet
Issue error if there are more than 100 targets in any worksheet
Save findings when you get above 1000

database.inc:
Comment out block of code to retrieve orphan findings to export to the eChecklist

setup.php:
Convert possible algorithms to lower case. (should fix bug that person on FB was seeing).
2018-12-14 09:32:40 -05:00


<?php
/**
* File: setup.php
* Author: Ryan Prather <ryan.prather@cyberperspectives.com>
* Purpose: Allow setup process for new installations
* Created: Nov 28, 2017
*
* Copyright 2017: Cyber Perspective, LLC, All rights reserved
* Released under the Apache v2.0 License
*
* See license.txt for details
*
* Change Log:
* - Nov 28, 2017 - File created
* - Dec 27, 2017 - Added check for local mysql server and empty root password, updated include path to display root path
* - Apr 29, 2018 - Updated 3rd party libraries
* - May 10, 2018 - Added root confirmation password validation (bug #412)
*/
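set_time_limit(0);
include_once 'helper.inc';

/**
 * Environment pre-flight for a fresh install.
 *
 * Soft failures (reported, then the page continues so that every problem is
 * shown in one pass) set $fail; the `if ($fail)` further down stops the page
 * before the setup form is rendered. Hard failures — the web server user cannot
 * write where the installer must write — stop immediately with die().
 *
 * Checked here:  PHP version, write access to the document root, config.inc,
 *                inc/ (encrypted password file) and logs/.
 * Checked below: openssl, mysqli, ZipArchive, COM (Windows only), request_order,
 *                include_path, memory_limit and the upload size directives.
 */
$fail = false;
$root_dir = __DIR__; // identical to dirname(__FILE__)

if (version_compare(PHP_VERSION, '7.1') < 0) {
    print "The minimum version of PHP necessary is 7.1, please upgrade to continue<br />";
    $fail = true;
}

if (!is_writable($root_dir)) {
    print <<<EOO
The Apache user requires write access to all directories in the document root, please make sure that all permissions are as follows:
Directories = rwx
Files = rw
On *nix: find ./ -type d -exec chmod 775 {} \; && find ./ -type f -exec chmod 665 {} \;
EOO;
    die();
}

if (!is_writable("{$root_dir}/config.inc")) {
    die("Sagacity needs write access to the config.inc file in the document root");
}

// Read the config template only once it is known to be writable, and never
// continue with a failed read: later code replaces placeholders in $config and
// writes it back, and writing `false` would truncate config.inc to an empty file.
$config = file_get_contents("{$root_dir}/config.inc");
if ($config === false) {
    die("Sagacity could not read the config.inc file in the document root");
}

if (!is_writable("{$root_dir}/inc")) {
    die("Sagacity needs write access to the /inc directory to create the encrypted password file");
}

$logs_dir = "{$root_dir}/logs";
if (!file_exists($logs_dir)) {
    // mkdir() returns false (with a warning) when the parent is not writable;
    // stop here instead of discovering the missing directory on the first log write.
    if (!mkdir($logs_dir)) {
        die("Sagacity could not create the /logs directory for system and scanner log files");
    }
}
elseif (!is_writable($logs_dir)) {
    die("Sagacity needs write access to the /logs directory to create system and scanner log files");
}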
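/*
 * OpenSSL check and first write of config.inc.
 *
 * The first available cipher from $algorithms replaces the {ALGORITHM}
 * placeholder and a fresh random salt replaces {SALT}; the result is written
 * back to config.inc. Only done while nothing has failed so far ($fail).
 *
 * NOTE(review): this runs on every request to setup.php — once the placeholders
 * are gone the replacements are no-ops, but the file is still rewritten. There is
 * no check here that setup has already completed; presumably guarded elsewhere,
 * confirm.
 */
if (!function_exists('openssl_encrypt')) {
    print <<<EOO
The PHP OpenSSL module is not install or enabled.<br />
Visit <a href='/?phpinfo=1'>PHPInfo</a> to double-check this. If you know it's installed, restart Apache and see if that works.<br /><br />
EOO;
    $fail = true;
}
else {
    // Candidate cipher names in order of preference. The list reported by
    // OpenSSL is lower-cased so that the comparison is case-insensitive.
    //
    // NOTE(review): "aec-256-cbc-hmac-sha1" looks like a typo for
    // "aes-256-cbc-hmac-sha1"; as written it can never match, so the selection
    // effectively falls through to aes-256-cbc. Left untouched because correcting
    // it would change which cipher new installs pick — confirm intent first.
    $algorithms = ["aes-256-cbc-hmac-sha256", "aec-256-cbc-hmac-sha1", "aes-256-cbc"];
    $ciphers = array_map('strtolower', openssl_get_cipher_methods());

    $idx = null;
    foreach ($algorithms as $i => $algorithm) {
        if (in_array($algorithm, $ciphers, true)) {
            $idx = $i;
            break;
        }
    }

    if ($idx === null) {
        print <<<EOO
The needed encryption algorithm is not available please install one of the following:
EOO;
        print implode("<br />", $algorithms);
        $fail = true;
    }

    if (!$fail) {
        my_str_replace("{ALGORITHM}", $algorithms[$idx], $config);
        // random_bytes() is the CSPRNG guaranteed by the PHP >= 7.1 requirement
        // above and throws on failure, whereas openssl_random_pseudo_bytes() can
        // hand back a non-cryptographically-strong result (or false) without the
        // caller noticing unless its $crypto_strong argument is inspected.
        $salt = base64_encode(random_bytes(32));
        my_str_replace("{SALT}", $salt, $config);
        // A silent write failure would leave config.inc with the placeholders
        // still in place and the rest of the install believing they were set.
        if (file_put_contents(dirname(__FILE__) . "/config.inc", $config) === false) {
            die("Sagacity could not write the config.inc file in the document root");
        }
    }
}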
/*
 * Extension checks: mysqli and ZipArchive on every platform; on Windows the COM
 * class must both exist and be instantiable (WScript.Shell is used as the probe).
 * Each failure is reported and recorded in $fail; nothing stops the page here.
 */
if (!class_exists('mysqli')) {
    print <<<EOO
The PHP mysqli module is not installed or enabled.<br />
Visit <a href='/?phpinfo=1'>PHPInfo</a> to double-check this. If you know it's installed, retstart Apache and try again<br /><br />
EOO;
    $fail = true;
}

if (!class_exists('ZipArchive')) {
    print <<<EOO
The PHP ZipArchive module is not installed or enabled.<br />
Visit <a href='/?phpinfo=1'>PHPInfo</a> to double-check this.<br /><br />
EOO;
    $fail = true;
}

// PHP_OS starts with "WIN" on Windows builds (compared case-insensitively).
if (strncasecmp(PHP_OS, 'win', 3) === 0) {
    if (!class_exists("COM")) {
        print <<<EOO
The Component Object Model (COM) class is not available. Please make sure it is installed and enabled<br />
Visit <a href='http://php.net/manual/en/book.com.php'>http://php.net/manual/en/book.com.php</a> for more info
EOO;
        $fail = true;
    }
    else {
        try {
            new COM("WScript.Shell");
        }
        catch (Exception $e) {
            print <<<EOO
The Component Object Model (COM) class does not seem to be available
EOO;
            $fail = true;
        }
    }
}
/*
 * php.ini checks: request_order must be GPC or GPCS, and include_path must
 * contain the document root together with its inc/ and classes/ directories.
 * Problems are reported and recorded in $fail.
 */
$ro = ini_get('request_order');
if (!in_array($ro, ['GPCS', 'GPC'], true)) {
    print <<<EOO
The request_order directive in php.ini is not set correctly. It needs to be either GPC or GPCS, it is currently $ro.<br />
Open the php.ini file, search for request_order, and change it to either GPC or GPCS. After it's saved, you'll need to restart Apache<br /><br />
EOO;
    $fail = true;
}

// include_path entries are separated by ';' on Windows and ':' everywhere else.
$delim = strncasecmp(PHP_OS, 'win', 3) === 0 ? ';' : ':';
$inc_path = explode($delim, ini_get('include_path'));
$doc_root = realpath(dirname(__FILE__));
$classes = realpath("{$doc_root}/classes");
$inc = realpath("{$doc_root}/inc");
$root = realpath(dirname(__FILE__));

$paths_present = true;
foreach ([$inc, $classes, $root] as $required) {
    if (!in_array($required, $inc_path)) {
        $paths_present = false;
        break;
    }
}

if (!$paths_present) {
    print <<<EOO
The include_path directive in php.ini does not include the required paths.<br />
Open the php.ini file, search for include_path (and make sure that the one for your OS) includes $root, $inc, &amp; $classes<br />
Current include_path:
EOO;
    print ini_get('include_path') . "<br />";
    $fail = true;
}
/*
 * Advisory checks: a memory_limit below 1G and a mismatch between
 * upload_max_filesize and post_max_size are reported but do not set $fail.
 * Afterwards, anything recorded in $fail so far ends the page.
 */
$mem_limit = return_bytes(ini_get("memory_limit"));
$gig = return_bytes('1G');
if ($mem_limit < $gig) {
    print <<<EOO
Sagacity does many data intensive actions, so we recommend a memory_limit of 1G. $mem_limit bytes is the current setting.<br />
To change this, open the php.ini file and look for 'memory_limit' and set to at least 1G<br />
EOO;
}

if (ini_get("file_uploads")) {
    $upload_file_max = return_bytes(ini_get('upload_max_filesize'));
    $post_max_size = return_bytes(ini_get('post_max_size'));
    if ($upload_file_max != $post_max_size) {
        print <<<EOO
Upload file max size ($upload_file_max bytes) and post max size ($post_max_size bytes) do not match. The smaller will be used to limit uploaded file sizes.<br />
To change this, open the php.ini file and change 'upload_max_filesize' and 'post_max_size'<br />
EOO;
    }
}
else {
    print "File uploads are currently turned off by the file_uploads directive in php.ini. Please turn them back on if you wish to upload files through the user interfaces<br />";
}

if ($fail) {
    exit;
}
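/*
 * Page state for the form below.
 *
 * $is_online   whether the update host answers (ping() from helper.inc).
 * $step        the ?step= query parameter as an int, null when absent or invalid.
 * $blank_root  true when a local MySQL root login with an empty password succeeds;
 *              the form then asks the user to set one.
 * $mysql_host  pre-filled database host: 'localhost' when the blank-root probe
 *              succeeded or on Windows, otherwise empty.
 */
$is_online = ping("cyberperspectives.com");
$step = filter_input(INPUT_GET, 'step', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
$blank_root = false;
$mysql_host = '';

// MYSQLI_REPORT_STRICT turns a failed connection into an exception, which is
// caught and ignored below: a server that refuses root with an empty password
// is the expected, healthy case.
mysqli_report(MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli("localhost", "root", "");
    if (!$db->connect_errno) {
        $blank_root = true;
        $mysql_host = 'localhost';
        // The probe connection has served its purpose; release it rather than
        // leaving an open root session around for the rest of the request.
        $db->close();
    }
}
catch (Exception $e) {
    // best effort: no local server, or root has a password — nothing to report
}

if (strncasecmp(PHP_OS, 'win', 3) === 0) {
    $mysql_host = 'localhost';
}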
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Sagacity Setup</title>
<link href='/style/fonts/fonts.css' rel='stylesheet' type='text/css' />
<!--[if IE 9]><link rel="stylesheet" href="style/style-ie9.css" /><![endif]-->
<link href='/script/jquery-ui/jquery-ui.min.css' rel='stylesheet' type='text/css' />
<script src="/script/jquery-3.2.1.min.js"></script>
<script src="/style/5grid/jquery.browser.min.js"></script>
<script type="text/javascript" src="/script/jquery-ui/jquery-ui.min.js"></script>
<script
src="/style/5grid/init.js?use=mobile,desktop,1000px&amp;mobileUI=1&amp;mobileUI.theme=none"></script>
<script type="text/javascript" src="/script/default.js"></script>
<script type="text/javascript" src="/script/spin/spin.min.js"></script>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<link rel="apple-touch-icon" sizes="57x57" href="/apple-touch-icon-57x57.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-touch-icon-114x114.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-touch-icon-144x144.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-touch-icon-60x60.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-touch-icon-120x120.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-touch-icon-76x76.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-touch-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-160x160.png" sizes="160x160">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<style type='text/css'>
#msg {
display: none;
}
.err {
color: white;
background-color: red;
}
.msg {
color: white;
background-color: green;
}
#pwd-msg, #root-pwd-msg {
display: none;
width: 25px;
}
#root-conf {
display: none;
}
.buttons {
text-align: right;
}
.label {
width: 250px;
display: inline-block;
}
.left {
width: 49%;
display: inline-block;
vertical-align: top;
}
.right {
width: 49%;
display: inline-block;
}
.setup-header, .buttons {
width: 49%;
display: inline-block;
}
</style>
<script type="text/javascript">
// Index of the wizard tab currently shown: 0 = Database, 1 = Company, 2 = Options.
var current_step = 0;
$(function () {
// Company and Options stay disabled until the preceding step has been submitted.
$('#tabs').tabs({
disabled: [1, 2]
});
$('#derived-on,#declassify-on').datepicker({dateFormat: "yy-mm-dd"});
$('.next').click(next_step);
$('.back').click(prev_step);
<?php
// $blank_root was set above when a root login with an empty password succeeded:
// warn the user and reveal the root password confirmation field.
if ($blank_root) {
print "alert('System has detected your root MySQL password is blank. Please enter the password you want in the blank and the confirmation and we can set the password');";
print "$('#root-conf').show();";
}
// $step is the ?step= query parameter, validated as an int above (null when
// absent or malformed). Resume the wizard on that tab instead of the first one.
if ($step !== null && $step > 0) {
switch ($step) {
case 2:
// Inside a heredoc "$(" is not a variable reference, so the jQuery selector is emitted literally.
print <<<EOL
$('#tabs').tabs('enable', 2)
.tabs('option', 'active', 2);
current_step = 2;
EOL;
break;
case 1:
print <<<EOL
$('#tabs').tabs('enable', 1)
.tabs('option', 'active', 1);
current_step = 1;
EOL;
break;
}
// Disable the tabs already completed. Intentional fall-through: resuming on
// step 2 disables tab 1 and then, via case 1, tab 0 as well.
switch ($step) {
case 2:
print "$('#tabs').tabs('disable', 1);" . PHP_EOL;
case 1:
print "$('#tabs').tabs('disable', 0);" . PHP_EOL;
// Same 3 s delay as next_step() before the Next button on the resumed tab is enabled.
print "setTimeout(function(){enable_next(current_step);}, 3000);" . PHP_EOL;
}
}
?>
});
/**
 * Validate the active tab, post its fields to /exec/installer.php and move the
 * wizard forward one tab.
 *
 * Tab indices: 0 = Database, 1 = Company, 2 = Options. Step 0 refuses to submit
 * while either password pair differs. The tab advances as soon as the request
 * has been sent (not on success); the server reply is surfaced through
 * display_msg(), and a reply that arrives after the last step redirects to /ste/.
 */
function next_step() {
    // Small readers so that the parameter maps below stay one line per field.
    var val = function (id) {
        return $(id).val();
    };
    var checked = function (id) {
        return $(id).is(':checked');
    };
    var flag = function (id) {
        return checked(id) ? '1' : '0';
    };

    var params;
    switch (current_step) {
        case 0:
            if (val('#web-pwd') !== val('#conf')) {
                display_msg("Web passwords don't match");
                $('#web-pwd').focus();
                return;
            }
            if ($('#root-conf').is(":visible") && val('#root-pwd') !== val('#root-conf')) {
                display_msg("Root passwords don't match");
                $('#root-pwd').focus();
                return;
            }
            // Only the 'do' and 'po' radio choices are named; anything else is sent as null.
            var action = checked('#do') ? 'do' : (checked('#po') ? 'po' : null);
            params = {
                'step': current_step,
                'doc-root': val('#doc-root'),
                'pwd-file': val('#pwd-file'),
                'tmp-path': val('#tmp-path'),
                'log-path': val('#log-path'),
                'log-level': val('#log-level'),
                'db-server': val('#db-server'),
                'root-uname': val('#root-uname'),
                'root-pwd': val('#root-pwd'),
                'conf-root-pwd': val('#root-conf'),
                'web-pwd': val('#web-pwd'),
                'sample-data': flag('#sample-data'),
                'cpe': flag('#cpe'),
                'cve': flag('#cve'),
                'stig': flag('#stig'),
                'update-freq': val('#update-freq'),
                'action': action
            };
            break;
        case 1:
            params = {
                'step': current_step,
                'company': val('#comp-name'),
                'comp-add': val('#comp-add'),
                'last-modified': val('#last-modified-by'),
                'creator': val('#creator'),
                'system-class': val('#sys-class'),
                'classified-by': val('#classified-by'),
                'scg': val('#derived-by'),
                'derived-on': val('#derived-on'),
                'declassify-on': val('#declassify-on')
            };
            break;
        case 2:
            params = {
                'step': current_step,
                'flatten': flag('#flatten'),
                'wrap-text': flag('#wrap-text'),
                'notifications': flag('#notifications'),
                'port-limit': val('#port-limit'),
                'max-results': val('#max-results'),
                'output-format': val('#output-format')
            };
            break;
    }

    // Reply handler: an error wins over success; a success after the final
    // step navigates away, otherwise the server's message (or a default) is shown.
    var onReply = function (data) {
        if (data.error) {
            display_msg(data.error + "<br />Go back to the previous step and fix the error", 'err');
            return;
        }
        if (!data.success) {
            return;
        }
        if (current_step > 2) {
            location.href = '/ste/';
        }
        if (data.msg) {
            display_msg(data.msg, 'msg', 10000);
        } else {
            display_msg('Step Completed', 'msg');
        }
    };

    $.ajax('/exec/installer.php', {
        method: 'post',
        dataType: 'json',
        data: params,
        beforeSend: function () {
            display_msg('Processing', 'msg');
        },
        success: onReply,
        error: function (xhr, status, error) {
            console.error(error);
            display_msg(error, 'err');
        }
    });

    // Advance immediately; the Next button of the new tab is enabled after 3 s.
    current_step += 1;
    $('#tabs')
        .tabs('enable', current_step)
        .tabs('option', 'active', current_step)
        .tabs('disable', current_step - 1);
    setTimeout(function () {
        enable_next(current_step);
    }, 3000);
}
/**
 * Show a transient banner in #msg and hide it again after `delay` ms.
 *
 * `err_class` selects the styling ('msg' or 'err'); any previous class is cleared.
 * `msg` is inserted with .html(), so it is rendered as markup rather than text —
 * callers pass fixed strings and the installer's JSON reply fields.
 */
function display_msg(msg, err_class, delay = 3000) {
    var banner = $('#msg');
    banner.removeClass('msg err');
    banner.addClass(err_class);
    banner.html(msg);
    banner.slideDown();
    setTimeout(function () {
        $('#msg').slideUp();
    }, delay);
}
/**
 * Re-enable the Next button of the given tab (1 = #company, 2 = #options),
 * restoring its normal button styling. Other steps are ignored.
 */
function enable_next(step) {
    var panel = { 1: '#company', 2: '#options' }[step];
    if (panel === undefined) {
        return;
    }
    $(panel).find('.next')
        .removeClass('button-delete')
        .addClass('button')
        .prop('disabled', false);
}
/** Move the wizard back one tab: activate it and disable the one just left. */
function prev_step() {
    current_step -= 1;
    $('#tabs')
        .tabs('enable', current_step)
        .tabs('option', 'active', current_step)
        .tabs('disable', current_step + 1);
}
/** Live check of the web password pair: show a tick when both fields agree, a cross otherwise. */
function chk_pwd() {
    var matches = $('#web-pwd').val() === $('#conf').val();
    $('#pwd-msg')
        .attr('src', matches ? "/img/ok.png" : "/img/X.png")
        .show();
}
/**
 * Live check of the root password pair. Only active while the confirmation
 * field is visible (it is shown when a blank root password was detected).
 */
function chk_root_pwd() {
    if (!$('#root-conf').is(":visible")) {
        return;
    }
    var matches = $('#root-pwd').val() === $('#root-conf').val();
    $('#root-pwd-msg')
        .attr('src', matches ? '/img/ok.png' : '/img/X.png')
        .show();
}
</script>
</head>
<body>
<div id="header-wrapper" style="height:125px;">
<header id="header" class="5grid-layout">
<div class="row">
<div class="12u" style="text-align:center;">
<!-- Logo -->
<span class="mobileUI-site-name">
<img src='/img/Sagacity-Logo.png' style='width:365px;' />
</span>
</div>
</div>
</header>
</div>
<div style="width:1200px;margin:auto;">
<?php
// Echo the effective upload limit and timezone so the installer can confirm php.ini took effect.
echo "Maximum file upload size is currently set to ", ini_get("upload_max_filesize"), "B<br />";
echo "Your current timezone is set to ", ini_get("date.timezone"), "<br />";
?>
<div id='msg'></div>
<div id='tabs' style='height:450px;'>
<ul>
<li><a href='#database'>Database</a></li>
<li><a href='#company'>Company</a></li>
<li><a href='#options'>Options</a></li>
</ul>
<div id='database'>
<div class='setup-header'>
<h2>Database Configuration</h2>
</div>
<div class="buttons">
<input type='button' class='button' value='Adv Web Settings' onclick="$('#advanced').slideToggle();" />&nbsp;&nbsp;
<input type='button' class='button next' value='Next' />
</div>
<div class='left'>
<label class='label' for='db_server'>Database Server:</label>
<input type='text' id="db-server" placeholder="Hostname or IP" value='<?php print $mysql_host; ?>' title='Database server DNS name or IP' /><br />
<span class='label'>
<input type='text' id='root-uname' placeholder='Root username' value='root' />
</span>
<input type='password' id='root-pwd' placeholder='Root password' /><br />
<label class='label'>&nbsp;</label>
<input type='password' id='root-conf' onkeyup='javascript:chk_root_pwd();' placeholder='Confirm root password' /> <img id='root-pwd-msg' /><br />
<label class='label' for='pwd'>Web user password:</label>
<input type='password' id='web-pwd' /><br />
<label class='label' for='conf'>Confirm password:</label>
<input type='password' id='conf' onkeyup='javascript:chk_pwd();' /> <img id='pwd-msg'/><br />
<label class='label' for='sample-data'>Add Sample Data:</label>
<input type='checkbox' id='sample-data' title='Add sample data to database' /><br />
</div>
<div class='right'>
<label for='cpe' class='label'>Load CPE's:</label>
<input type='checkbox' id='cpe' checked title="Do you want to load CPE's upon completion?" /><br />
<label for='cve' class='label'>Load CVE's:</label>
<input type='checkbox' id='cve' checked title="Do you want to load CVE's upon completion?" /><br />
<label for='stig' class='label'>Load STIG's:</label>
<input type='checkbox' id='stig' checked title="Do you want to load STIG's upon completion?" /><br />
<?php if ($is_online) { ?>
<label for='dp' class='label'>Online:</label>
<input type='radio' id='dp' name='action' value='dp' checked /><br />
<label for='do' class='label'>Download only:</label>
<input type='radio' id='do' name='action' value='do' /><br />
<?php } ?>
<label for='po' class='label'>Offline:</label>
<input type='radio' id='po' name='action' value='po' />&nbsp;&nbsp;
</div>
<div id='advanced' style='display:none;margin-top:15px;'>
<div class="left">
<label class='label'>Web Root:</label>
<input type='text' id='doc-root' value='<?php print realpath(getcwd()); ?>' title='Absolute path of the document root' /><br />
<label class='label'>Password File:</label>
<input type='text' id='pwd-file' value='inc/passwd' title='Relative path to the encrypted password file' /><br/>
<label class='label'>AJAX Refresh Freq:</label>
<input type='number' id='update-freq' value='3' title='Frequency that the AJAX calls refresh methods (in seconds)' />
</div>
<div class='right'>
<label class='label'>TMP Path:</label>
<input type='text' id='tmp-path' value='<?php print realpath(getcwd()) . DIRECTORY_SEPARATOR . "tmp"; ?>' title='Absolute path to the temporary storage folder' /><br />
<?php
// Default log directory offered in the form: the system location on Linux
// (PHP_OS starts with "Lin"), otherwise logs/ under the current directory.
$log_path = strncasecmp(PHP_OS, 'lin', 3) === 0
    ? "/var/log/sagacity"
    : realpath(getcwd()) . DIRECTORY_SEPARATOR . "logs";
?>
<label class='label'>Log Path:</label>
<input type='text' id='log-path' value='<?php print $log_path; ?>' title='Absolute path to the log path' /><br />
<label class='label'>Log Level:</label>
<select id='log-level' title='The default log level'>
<option>ERROR</option>
<option>WARNING</option>
<option>NOTICE</option>
<option>DEBUG</option>
</select>
</div>
</div>
</div>
<div id='company'>
<div class='setup-header'>
<h2>Company Information</h2>
</div>
<div class='buttons'>
<input type='button' class='button back' value='Previous' />&nbsp;&nbsp;
<input type='button' class='button-delete next' value='Next' disabled="true" />
</div>
<div class='left'>
<label class='label'>Name:</label>
<input type='text' id='comp-name' placeholder='Company Name' title='The name of your company' /><br />
<label class='label'>Address:</label>
<input type='text' id='comp-add' placeholder='Company Address' title='The company address' /><br />
<label class='label'>Last Modified By:</label>
<input type='text' id='last-modified-by' placeholder='Last modified by?' title='The name of the person that last modified the eChecklist' /><br />
<label class='label'>Creator:</label>
<input type='text' id='creator' placeholder='Creator' title='Person who created the eChecklist' />
</div>
<div class='right'>
<label class='label'>System Classification:</label>
<select id='sys-class'>
<option>UNCLASSIFIED</option>
<option>U//FOUO</option>
<option>SECRET</option>
</select>
<br />
<label class='label'>Classified By:</label>
<input type='text' id='classified-by' /><br />
<label class='label'>Derived From:</label>
<input type='text' id='derived-by' /><br />
<label class='label'>SCG Date:</label>
<input type='text' id='derived-on' /><br />
<label class='label'>Declassify On:</label>
<input type='text' id='declassify-on' />
</div>
</div>
<div id='options'>
<div class='setup-header'>
<h2>System Options</h2>
</div>
<div class='buttons'>
<input type='button' class='button back' value='Previous' />&nbsp;&nbsp;
<input type='button' class='button-delete next' value='Done' disabled="true" />
</div>
<div class="left">
<label for='flatten' class='label'>Flatten eChecklist:</label>
<input type='checkbox' id='flatten' checked title='Do you want a high-water mark with the eChecklist exports by default (shows worst case/check)?' /><br />
<label for='wrap-text' class='label'>Wrap Text in eChecklist:</label>
<input type='checkbox' id='wrap-text' title='Do you want exported eChecklist files to have wrapped text for the check contents field?' /><br />
<label for='notifications' class='label'>Scan Notifications:</label>
<input type='checkbox' id='notifications' title='Do you want to hear audible notifications when result scans complete' /><br />
<label for='port-limit' class='label'>Port Ingestion Limit:</label>
<input type="number" id='port-limit' value="100" min="0" max="10000" title="The maximum number of open ports to import from a target (limit 10000)" /><br />
<label for='max-results' class='label'>Max # of Result Threads:</label>
<input type="number" id='max-results' value="5" min="1" max="20" title="The maximum number of scans to import at a given time (recommended limit of 20)" /><br />
<label for='output-format' class='label'>Output format</label>
<select id='output-format'>
<option value="xlsx">Microsoft Excel 2007+ (.xlsx)</option>
<option value="xls">Microsoft Excel 95-2003 (.xls)</option>
<option value="ods">OpenDocument Format (.ods)</option>
<?php /*
<option value="html">HTML (.html)</option>
<option value="pdf">Post-script Document (.pdf)</option>
<option value="csv">Comma-separated files (.csv)</option>
*/ ?>
</select>
</div>
</div>
</div>
</div>
</body>
</html>