library/log_validation.php

   1 <?php
   2 /**
   3  * library/log_validation.php to validate audit logs tamper resistance.
   4  *
   5  * Copyright (C) 2016 Visolve <services@visolve.com>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 3
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author  Visolve <services@visolve.com>
  20  * @link    https://www.open-emr.org
  21  */
  22
  23
  24 require_once("../interface/globals.php");
  25 require_once("$srcdir/acl.inc");
  26
  27 use OpenEMR\Common\Csrf\CsrfUtils;
  28
  29 if (!acl_check('admin', 'users')) {
  30     die(xlt("Not Authorized"));
  31 }
  32
  33 if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
  34     CsrfUtils::csrfNotVerified();
  35 }
  36
  37 $valid  = true;
  38 $errors = array();
  39 catch_logs();
  40 $sql = sqlStatement("select * from log_validator");
  41 while ($row = sqlFetchArray($sql)) {
  42     $logEntry = sqlQuery("select * from log where id = ?", array($row['log_id']));
  43     if (empty($logEntry)) {
  44         $valid = false;
  45         array_push($errors, xl("Following audit log entry number is missing") . ": " . $row['log_id']);
  46     } else if ($row['log_checksum'] != $logEntry['checksum']) {
  47         $valid = false;
  48         array_push($errors, xl("Audit log tampering evident at entry number") . " " . $row['log_id']);
  49     }
  50
  51     if (!$valid) {
  52         break;
  53     }
  54 }
  55
  56 if ($valid) {
  57     echo xlt("Audit Log Validated Successfully");
  58 } else {
  59     echo xlt("Audit Log Validation Failed") . "(ERROR:: " . text($errors[0]) . ")";
  60 }
  61
  62 function catch_logs()
  63 {
  64     $sql = sqlStatement("select * from log where id not in(select log_id from log_validator) and checksum is NOT null and checksum != ''");
  65     while ($row = sqlFetchArray($sql)) {
  66         sqlStatement("INSERT into log_validator (log_id,log_checksum) VALUES(?,?)", array($row['id'],$row['checksum']));
  67     }
  68 }