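<?php
/**
 * Audit Log Tamper Report.
 *
 * Lists audit-log rows whose stored checksum (from logCommentEncryptData())
 * no longer matches a checksum recomputed from the row's current columns,
 * i.e. rows that appear to have been modified after they were written.
 *
 * @package   OpenEMR
 * @link      http://www.open-emr.org
 * @author    Anil N <aniln@ensoftek.com>
 * @author    Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2014 Ensoftek
 * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
 * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

require_once("../globals.php");
require_once("$srcdir/log.inc");
require_once("$srcdir/crypto.php");

// NOTE(review): no access-control check is visible in this file. Tamper
// evidence for the audit log is sensitive (it reveals which rows were altered,
// for which patient and by which user); confirm that the menu/caller enforces
// an administrative ACL before this page is reachable.
?>
<html>
<head>
<title><?php echo xlt("Audit Log Tamper Report"); ?></title>

<?php html_header_show(); ?>

<link rel="stylesheet" href="<?php echo $css_header; ?>" type="text/css">
<link rel="stylesheet" href="<?php echo $GLOBALS['assets_static_relative']; ?>/jquery-datetimepicker/build/jquery.datetimepicker.min.css">

<script type="text/javascript" src="<?php echo $GLOBALS['assets_static_relative']; ?>/jquery/dist/jquery.min.js"></script>
<script type="text/javascript" src="<?php echo $GLOBALS['webroot'] ?>/library/dialog.js?v=<?php echo $v_js_includes; ?>"></script>
<script type="text/javascript" src="<?php echo $GLOBALS['assets_static_relative']; ?>/jquery-datetimepicker/build/jquery.datetimepicker.full.min.js"></script>

<style>
#logview {
    width: 100%;
}
#logview table {
    width: 100%;
    border-collapse: collapse;
}
#logview th {
    background-color: #cccccc;
    cursor: pointer; cursor: hand;
    padding: 5px 5px;
    align: left;
    text-align: left;
}
#logview td {
    background-color: #ffffff;
    border-bottom: 1px solid #808080;
    cursor: default;
    padding: 5px 5px;
    vertical-align: top;
}
.highlight {
    background-color: #336699;
    color: #336699;
}
.tamperColor {
    color: red;
}
</style>

<script>
// Disable the event-type field when the event name is "disclosure".
// The form on this page has no type_event field, so guard before touching it
// instead of throwing if the function is ever invoked here.
function eventTypeChange(eventname) {
    var f = document.theform;
    if (!f || !f.type_event) {
        return;
    }
    f.type_event.disabled = (eventname == "disclosure");
}

// VicarePlus :: This invokes the find-patient popup.
function sel_patient() {
    dlgopen('../main/calendar/find_patient_popup.php?pflag=0', '_blank', 500, 400);
}

// VicarePlus :: Callback from the find-patient popup; fills in the display
// name and the hidden patient id that the report filters on.
function setpatient(pid, lname, fname, dob) {
    var f = document.theform;
    f.form_patient.value = lname + ', ' + fname;
    f.form_pid.value = pid;
}
</script>
</head>
<body class="body_top">
<font class="title"><?php echo xlt('Audit Log Tamper Report'); ?></font>
<br>
<?php
$err_message = 0;

// The date window defaults to today. DateTimeToYYYYMMDDHHMMSS() normalises the
// user-entered value into the fixed "Y-m-d H:i:s" form; that fixed width is what
// makes the plain string comparison below a valid chronological comparison.
$start_date = (!empty($_GET["start_date"])) ? DateTimeToYYYYMMDDHHMMSS($_GET["start_date"]) : date("Y-m-d") . " 00:00:00";
$end_date = (!empty($_GET["end_date"])) ? DateTimeToYYYYMMDDHHMMSS($_GET["end_date"]) : date("Y-m-d") . " 23:59:59";

// Start date should not be greater than end date - Date Validation
if ($start_date > $end_date) {
    echo "<table><tr class='alert'><td colspan=7>";
    echo xlt('Start Date should not be greater than End Date');
    echo "</td></tr></table>";
    $err_message = 1;
}

// Request filters. Every one of these is attacker-controlled; they are only
// ever echoed through attr()/text() or handed to getEvents() (see note there).
$form_patient = (!empty($_GET["form_patient"])) ? $_GET['form_patient'] : '';
$form_user = isset($_REQUEST['form_user']) ? $_REQUEST['form_user'] : '';
$form_pid = isset($_REQUEST['form_pid']) ? $_REQUEST['form_pid'] : '';
// A patient id without a selected patient name is stale; drop it.
if ($form_patient == '') {
    $form_pid = '';
}
$sortby = isset($_GET['sortby']) ? $_GET['sortby'] : '';
$check_sum = isset($_GET['check_sum']);
?>

<br>
<FORM METHOD="GET" name="theform" id="theform" onSubmit='top.restoreSession()'>
<input type="hidden" name="sortby" id="sortby" value="<?php echo attr($sortby); ?>">
<input type="hidden" name="csum" value="">
<table>
<tr>
    <td>
        <span class="text"><?php echo xlt('Start Date'); ?>: </span>
    </td>
    <td>
        <input type="text" size="18" class="datetimepicker" name="start_date" id="start_date" value="<?php echo attr(oeFormatDateTime($start_date, 0, true)); ?>" title="<?php echo xla('Start date'); ?>" />
    </td>
    <td>
        <span class="text"><?php echo xlt('End Date'); ?>: </span>
    </td>
    <td>
        <input type="text" size="18" class="datetimepicker" name="end_date" id="end_date" value="<?php echo attr(oeFormatDateTime($end_date, 0, true)); ?>" title="<?php echo xla('End date'); ?>" />
    </td>
    <td>
        &nbsp;&nbsp;<span class='text'><?php echo xlt('Patient'); ?>: </span>
    </td>
    <td>
        <input type='text' size='20' name='form_patient' style='width:100%;cursor:pointer;cursor:hand' value='<?php echo ($form_patient !== '') ? attr($form_patient) : xla('Click To Select'); ?>' onclick='sel_patient()' title='<?php echo xla('Click to select patient'); ?>' />
        <input type='hidden' name='form_pid' value='<?php echo attr($form_pid); ?>' />
    </td>
</tr>
<tr>
    <td>
        <span class='text'><?php echo xlt('Include Checksum'); ?>: </span>
    </td>
    <td>
        <input type="checkbox" name="check_sum" <?php echo ($check_sum) ? "checked" : ""; ?>>
    </td>
    <td>
        <?php // $event is never assigned on this page; the hidden field is kept only for form compatibility. ?>
        <input type="hidden" name="event" value="<?php echo attr(isset($event) ? $event : ''); ?>">
        <a href="javascript:document.theform.submit();" class='link_submit'>[<?php echo xlt('Refresh'); ?>]</a>
    </td>
</tr>
</table>
</FORM>

<?php if ($start_date && $end_date && $err_message != 1) { ?>
<div id="logview">
<span class="text" id="display_tamper" style="display:none;"><?php echo xlt('Following rows in the audit log have been tampered'); ?></span>
<table>
<tr>
    <th id="sortby_date" class="text" title="<?php echo xla('Sort by Tamper date/time'); ?>"><?php echo xlt('Tamper Date'); ?></th>
    <th id="sortby_user" class="text" title="<?php echo xla('Sort by User'); ?>"><?php echo xlt('User'); ?></th>
    <th id="sortby_pid" class="text" title="<?php echo xla('Sort by PatientID'); ?>"><?php echo xlt('PatientID'); ?></th>
    <th id="sortby_comments" class="text" title="<?php echo xla('Sort by Comments'); ?>"><?php echo xlt('Comments'); ?></th>
    <?php if ($check_sum) { ?>
    <th id="sortby_newchecksum" class="text" title="<?php echo xla('Sort by New Checksum'); ?>"><?php echo xlt('Tampered Checksum'); ?></th>
    <th id="sortby_oldchecksum" class="text" title="<?php echo xla('Sort by Old Checksum'); ?>"><?php echo xlt('Original Checksum'); ?></th>
    <?php } ?>
</tr>
<?php
$eventname = isset($_GET['eventname']) ? $_GET['eventname'] : '';
$type_event = isset($_GET['type_event']) ? $_GET['type_event'] : '';
// Attribute values built from request data are always quoted: attr() escapes
// quote characters, but an unquoted attribute can still be broken out of with
// whitespace (e.g. "x onfocus=...").
?>
<input type="hidden" name="event" value="<?php echo attr($eventname . "-" . $type_event); ?>">
<?php
// This report only ever looks at "update" events, whatever the request said.
$type_event = "update";
$tevent = "";
$gev = "";
if ($eventname == "") {
    // No event name: filter on the event type alone.
    $tevent = $type_event;
} else {
    // Event name given: filter on the combined "<name>-update" event.
    $gev = $eventname . "-" . $type_event;
}

$dispArr = array();
$icnt = 1;

// NOTE(review): $sortby, $form_user and $form_pid come straight from the
// request. This page relies on getEvents() to whitelist the sort column and to
// bind the other values as query parameters; verify that in log.inc rather
// than assuming it here.
$ret = getEvents(array(
    'sdate' => $start_date,
    'edate' => $end_date,
    'user' => $form_user,
    'patient' => $form_pid,
    'sortby' => $sortby,
    'levent' => $gev,
    'tevent' => $tevent,
));

if ($ret) {
    // Translate the fixed comment prefixes for display (loop-invariant).
    $patterns = array('/^success/', '/^failure/', '/ encounter/');
    $replace = array(xl('success'), xl('failure'), xl('encounter', '', ' '));

    foreach ($ret as $iter) {
        $log_id = $iter['id'];
        $logEncryptData = logCommentEncryptData($log_id);

        // A row with no stored checksum record cannot be checked at all; skip it.
        if (!is_array($logEncryptData) || count($logEncryptData) == 0) {
            continue;
        }
        $commentEncrStatus = $logEncryptData['encrypt'];
        $checkSumOld = (string) $logEncryptData['checksum'];
        $encryptVersion = $logEncryptData['version'];

        // Recompute the checksum exactly as it was stored: SHA-1 over the
        // undelimited concatenation of these columns, in this order. The column
        // order and the absence of a delimiter must match the writer in log.inc;
        // any drift there surfaces here as a false tamper report.
        // NOTE(review): this is an unkeyed hash of data read from the same
        // database, so it detects edits to the log row but not an attacker who
        // can also update the stored checksum; treat it as integrity, not
        // authenticity.
        $concatLogColumns = $iter['date'] . $iter['event'] . $iter['user'] . $iter['groupname'] . $iter['comments'] . $iter['patient_id'] . $iter['success'] . $iter['checksum'] . $iter['crt_user'];
        $checkSumNew = sha1($concatLogColumns);

        // Constant-time, strict comparison. With `!=`, two hex digests of the
        // form "0e<digits>" compare as numeric strings and are treated as equal,
        // which would hide a tampered row.
        if (hash_equals($checkSumOld, $checkSumNew)) {
            continue;
        }

        // Only mismatching rows reach this point; decrypt the comment for display.
        if ($commentEncrStatus == "Yes") {
            if ($encryptVersion == 1) {
                // Use new openssl method
                if (extension_loaded('openssl')) {
                    $trans_comments = preg_replace($patterns, $replace, trim(aes256Decrypt($iter["comments"])));
                } else {
                    $trans_comments = xl("Unable to decrypt these comments since the PHP openssl module is not installed.");
                }
            } else { // $encryptVersion == 0
                // Use old mcrypt method
                if (extension_loaded('mcrypt')) {
                    $trans_comments = preg_replace($patterns, $replace, trim(aes256Decrypt_mycrypt($iter["comments"])));
                } else {
                    $trans_comments = xl("Unable to decrypt these comments since the PHP mycrypt module is not installed.");
                }
            }
        } else {
            $trans_comments = preg_replace($patterns, $replace, trim($iter["comments"]));
        }

        // Altered-checksum records are the only rows displayed.
        $dispArr[] = $icnt++;
        ?>
        <TR class="oneresult">
            <TD class="text tamperColor"><?php echo text(oeFormatDateTime($iter["date"], "global", true)); ?></TD>
            <TD class="text tamperColor"><?php echo text($iter["user"]); ?></TD>
            <TD class="text tamperColor"><?php echo text($iter["patient_id"]); ?></TD>
            <TD class="text tamperColor"><?php echo text($trans_comments); ?></TD>
            <?php if ($check_sum) { ?>
            <TD class="text tamperColor"><?php echo text($checkSumNew); ?></TD>
            <TD class="text tamperColor"><?php echo text($checkSumOld); ?></TD>
            <?php } ?>
        </TR>
        <?php
    }
}

if (count($dispArr) == 0) {
    $colspan = $check_sum ? 6 : 4;
    ?>
    <TR class="oneresult">
        <TD class="text" colspan="<?php echo attr($colspan); ?>" align="center"><?php echo xlt('No audit log tampering detected in the selected date range.'); ?></TD>
    </TR>
    <?php
} else {
    ?>
    <script type="text/javascript">$('#display_tamper').css('display', 'block');</script>
    <?php
}
?>
</table>
</div>
<?php } ?>
</body>
<script language="javascript">
// jQuery stuff to make the page a little easier to use
$(document).ready(function(){
    // Highlight a whole result row on hover. The TDs carry their own background
    // and text colour, so the class must be toggled on the TR and on each child TD.
    $(".oneresult").mouseover(function() { $(this).toggleClass("highlight"); $(this).children().toggleClass("highlight"); });
    $(".oneresult").mouseout(function() { $(this).toggleClass("highlight"); $(this).children().toggleClass("highlight"); });

    // Click-able column headers to sort the list. Several of these ids have no
    // header on this page (event, cuser, group, success); they are harmless no-ops.
    $("#sortby_date").click(function() { $("#sortby").val("date"); $("#theform").submit(); });
    $("#sortby_event").click(function() { $("#sortby").val("event"); $("#theform").submit(); });
    $("#sortby_user").click(function() { $("#sortby").val("user"); $("#theform").submit(); });
    $("#sortby_cuser").click(function() { $("#sortby").val("user"); $("#theform").submit(); });
    $("#sortby_group").click(function() { $("#sortby").val("groupname"); $("#theform").submit(); });
    $("#sortby_pid").click(function() { $("#sortby").val("patient_id"); $("#theform").submit(); });
    $("#sortby_success").click(function() { $("#sortby").val("success"); $("#theform").submit(); });
    $("#sortby_comments").click(function() { $("#sortby").val("comments"); $("#theform").submit(); });
    $("#sortby_oldchecksum").click(function() { $("#sortby").val("checksum"); $("#theform").submit(); });
    $("#sortby_newchecksum").click(function() { $("#sortby").val("checksum"); $("#theform").submit(); });

    $('.datetimepicker').datetimepicker({
        <?php $datetimepicker_timepicker = true; ?>
        <?php $datetimepicker_showseconds = true; ?>
        <?php $datetimepicker_formatInput = true; ?>
        <?php require($GLOBALS['srcdir'] . '/js/xl/jquery-datetimepicker-2-5-4.js.php'); ?>
        <?php // can add any additional javascript settings to datetimepicker here; need to prepend first setting with a comma ?>
    });
});
</script>
</html>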