From 444e56d6753d3412b7495ffebd9a11242e8246d5 Mon Sep 17 00:00:00 2001
From: jakani24 <janis.st44@gmail.com>
Date: Sat, 8 Jun 2024 20:20:27 +0200
Subject: [PATCH] adding logging

---
 src/server/cyberhex-code/system/insecure_zone/php/2fa.php   | 3 ++-
 .../system/insecure_zone/php/add_user_passkey.php           | 1 +
 src/server/cyberhex-code/system/insecure_zone/php/login.php | 2 ++
 .../system/insecure_zone/php/login_backend.php              | 1 +
 .../cyberhex-code/system/secure_zone/php/add_user.php       | 1 +
 .../system/secure_zone/php/client_settings.php              | 3 +++
 .../system/secure_zone/php/database_settings.php            | 3 +++
 .../cyberhex-code/system/secure_zone/php/export_log.php     | 2 +-
 .../cyberhex-code/system/secure_zone/php/manage_user.php    | 6 +-----
 src/server/cyberhex-code/system/secure_zone/php/passwd.php  | 3 +++
 src/server/cyberhex-code/system/secure_zone/php/profile.php | 1 +
 .../system/secure_zone/php/server_settings.php              | 3 +++
 .../cyberhex-code/system/secure_zone/php/view_log.php       | 4 ++++
 13 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/server/cyberhex-code/system/insecure_zone/php/2fa.php b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
index 74ae8e6..7302da9 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
@@ -59,12 +59,13 @@ include "../../../api/php/notifications/sendmessage.php"; //to send user notific
 								if($pin==$_SESSION["pin"])	
 								{
 									$_SESSION["login"]=true;
+									log_action("LOGIN::2fa::SUCCESS","User ".$_SESSION["username"]." logged in with second factor.",$_SESSION["id"]);
 									if($_SESSION["send_login_message"]=="1"){
 										$ip = $_SERVER['REMOTE_ADDR'];
 										$username=$_SESSION["username"];
 										send_to_user("[LOGIN WARNING]\nHello $username\nSomebody has logged into Cyberhex with your account.\nIf this was you, you can ignore this message. Else please take steps to secure your account!\nIP: $ip\n",$username);
-										echo '<script>window.location.href = "/system/secure_zone/php/index.php";</script>';
 									}
+									echo '<script>window.location.href = "/system/secure_zone/php/index.php";</script>';
 								}else {
 									$pin=mt_rand(100000, 999999);
 									$_SESSION["pin"]=$pin;
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/add_user_passkey.php b/src/server/cyberhex-code/system/insecure_zone/php/add_user_passkey.php
index d9bfedb..4b3cd47 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/add_user_passkey.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/add_user_passkey.php
@@ -174,6 +174,7 @@ try {
         $return->msg = $msg;
         header('Content-Type: application/json');
         print(json_encode($return));
+		log_action("PASSWD::PASSKEY::ADD","User ".$_SESSION["username"]." added a passkey.",$_SESSION["id"]);
     } 
 
 } catch (Throwable $ex) {
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/login.php b/src/server/cyberhex-code/system/insecure_zone/php/login.php
index ab4826e..ead7579 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/login.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login.php
@@ -331,6 +331,7 @@ async function checkRegistration() {
 											}
 											exit();
 										} else {
+											log_action("LOGIN::FAILURE","User ".$username." entered wrong password.",0);
 											echo '<div class="alert alert-danger" role="alert">
 													Incorrect username or password.
 												  </div>';
@@ -342,6 +343,7 @@ async function checkRegistration() {
 										  </div>';
 									}
 								} else {
+									log_action("LOGIN::FAILURE","User ".$username." entered unknown username.",0);
 									echo '<div class="alert alert-danger" role="alert">
 											Incorrect username or password.
 										  </div>';
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php b/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
index 19c9a30..0503967 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
@@ -195,6 +195,7 @@ try {
 			//send the user to 2fa auth page
 			$return->msg="send_to_2fa";
 		}else{
+			log_action("LOGIN::SUCCESS","User ".$_SESSION["username"]." logged in with passkey.",$_SESSION["id"]);
 			if($_SESSION["send_login_message"]=="1"){
 				$ip = $_SERVER['REMOTE_ADDR'];
 				$username=$row["username"];
diff --git a/src/server/cyberhex-code/system/secure_zone/php/add_user.php b/src/server/cyberhex-code/system/secure_zone/php/add_user.php
index 0b01fac..7e20489 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/add_user.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/add_user.php
@@ -171,6 +171,7 @@ include "perms_functions.php";
 								echo '<div class="alert alert-success" role="alert">
 											User added successfully!
 										  </div>';
+								log_action("USER::ADD::SUCCESS","User ".$_SESSION["username"]." added another user ($username).",$_SESSION["id"]);
 							}
 						}elseif($block==1){
 							echo '<div class="alert alert-danger" role="alert">
diff --git a/src/server/cyberhex-code/system/secure_zone/php/client_settings.php b/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
index b1e2c14..be4a51f 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
@@ -37,12 +37,15 @@ if ($conn->connect_error) {
 include "client_settings_functions.php";
 if(isset($_GET["update"])){
 	safe_settings();
+	log_action("CLIENT_SETTINGS::UPDATE::SUCCESS","User ".$_SESSION["username"]." updated some client settings.",$_SESSION["id"]);
 }
 if(isset($_GET["delete"])){
 	delete_item($_GET["db"],$_GET["delete"]);
+	log_action("CLIENT_SETTINGS::DELETE::SUCCESS","User ".$_SESSION["username"]." deleted some client settings.",$_SESSION["id"]);
 }
 if(isset($_GET["add"])){
 	add_item($_GET["add"],$_GET["value"],$_GET["field"]);
+	log_action("CLIENT_SETTINGS::ADD::SUCCESS","User ".$_SESSION["username"]." added some client settings.",$_SESSION["id"]);
 }
 load_settings();
 
diff --git a/src/server/cyberhex-code/system/secure_zone/php/database_settings.php b/src/server/cyberhex-code/system/secure_zone/php/database_settings.php
index d02a64a..f7e2b34 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/database_settings.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/database_settings.php
@@ -99,12 +99,15 @@ async function add_item(db,element_id1,field1,element_id2,field2){ //we have two
 	include "database_settings_functions.php";
 	if(isset($_GET["update"])){
 		safe_settings($_GET["db"]);
+		log_action("DB_SETTINGS::UPDATE::SUCCESS","User ".$_SESSION["username"]." updated the database settings.",$_SESSION["id"]);
 	}
 	if(isset($_GET["delete"])){
 		delete_item($_GET["db"],$_GET["delete"]);
+		log_action("DB_SETTINGS::DELETE::SUCCESS","User ".$_SESSION["username"]." deleted some database settings.",$_SESSION["id"]);
 	}
 	if(isset($_GET["add"])){
 		add_item($_GET["add"],$_GET["value1"],$_GET["field1"],$_GET["value2"],$_GET["field2"]);
+		log_action("DB_SETTINGS::ADD::SUCCESS","User ".$_SESSION["username"]." added some database settings.",$_SESSION["id"]);
 	}
 ?>
 <div class="container mt-5">
diff --git a/src/server/cyberhex-code/system/secure_zone/php/export_log.php b/src/server/cyberhex-code/system/secure_zone/php/export_log.php
index 1de5f74..cec3137 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/export_log.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/export_log.php
@@ -94,7 +94,7 @@ $filter_query = "&loglevel=$loglevel&logtext=$logtext&machine_id=$machine_id&tim
 							echo '<div class="alert alert-success" role="alert">
                                                 Log export finished. <a href="/export/cyberhex_log_export.csv" download>Download export</a>
                             </div>';
-							
+							log_action("LOG::ENTRY::EXPORT::SUCCESS","User ".$_SESSION["username"]." exported the log.",$_SESSION["id"]);
 						}
 
 						//now display the normal page
diff --git a/src/server/cyberhex-code/system/secure_zone/php/manage_user.php b/src/server/cyberhex-code/system/secure_zone/php/manage_user.php
index 9804046..78968bf 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/manage_user.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/manage_user.php
@@ -192,11 +192,6 @@ include "perms_functions.php";
 								die("Connection failed: " . $conn->connect_error);
 							}
 							
-							$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
-							if ($conn->connect_error) {
-									$success=0;
-									die("Connection failed: " . $conn->connect_error);
-								}
 							$stmt = $conn->prepare("UPDATE users set email=?, username=?,perms=? WHERE id=?");
 							$stmt->bind_param("sssi", $m_email, $m_username, $m_permissions,$m_userid);
 
@@ -210,6 +205,7 @@ include "perms_functions.php";
 							//echo '<div class="alert alert-success" role="alert">
 							//			User updated successfully!
 							//		  </div>';
+							log_action("PROFILE::UPDATE::SUCCESS","User ".$_SESSION["username"]." updated another users profile ($m_username).",$_SESSION["id"]);
 							echo("<script>location.href='user_list.php'; </script>");
 						}elseif($block==1){
 							echo '<div class="alert alert-danger" role="alert">
diff --git a/src/server/cyberhex-code/system/secure_zone/php/passwd.php b/src/server/cyberhex-code/system/secure_zone/php/passwd.php
index bb13e85..ea9a5d0 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/passwd.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/passwd.php
@@ -298,16 +298,19 @@ $email = $_SESSION["email"];
 										$stmt->execute();
 										$stmt->close();
 										$conn->close();
+										log_action("PASSWD::CHANGE::SUCCESS","User ".$_SESSION["username"]." changed his password.",$_SESSION["id"]);
 										echo '<br><div class="alert alert-success" role="alert">
 											Information updated successfully!
 										  </div>';
 										
 									} else {
+										log_action("PASSWD::CHANGE::FAILURE","User ".$_SESSION["username"]." tried to change his password but failed due to wrong password.",$_SESSION["id"]);
 										echo '<div class="alert alert-danger" role="alert">
 												Incorrect password.
 											  </div>';
 									}
 								} else {
+									log_action("PASSWD::CHANGE::FAILURE","User ".$_SESSION["username"]." tried to change his password but failed due to wrong password.",$_SESSION["id"]);
 									echo '<div class="alert alert-danger" role="alert">
 											Incorrect password.
 										  </div>';
diff --git a/src/server/cyberhex-code/system/secure_zone/php/profile.php b/src/server/cyberhex-code/system/secure_zone/php/profile.php
index f810580..245f69e 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/profile.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/profile.php
@@ -128,6 +128,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 					</form>
 					<?php
 						if(isset($_GET["update"])){
+							log_action("PROFILE::UPDATE::SUCCESS","User ".$_SESSION["username"]." updated his profile.",$_SESSION["id"]);
 							echo '<br><div class="alert alert-success" role="alert">
 										Information updated successfully!
 									  </div>';
diff --git a/src/server/cyberhex-code/system/secure_zone/php/server_settings.php b/src/server/cyberhex-code/system/secure_zone/php/server_settings.php
index c91ddc0..4757927 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/server_settings.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/server_settings.php
@@ -34,12 +34,15 @@ if ($conn->connect_error) {
 include "client_settings_functions.php";
 if(isset($_GET["update"])){
 	safe_settings();
+	log_action("SERVER_SETTINGS::UPDATE::SUCCESS","User ".$_SESSION["username"]." updated some server settings.",$_SESSION["id"]);
 }
 if(isset($_GET["delete"])){
 	delete_item($_GET["db"],$_GET["delete"]);
+	log_action("SERVER_SETTINGS::DELETE::SUCCESS","User ".$_SESSION["username"]." deleted some server settings.",$_SESSION["id"]);
 }
 if(isset($_GET["add"])){
 	add_item($_GET["add"],$_GET["value"],$_GET["field"]);
+	log_action("SERVER_SETTINGS::ADD::SUCCESS","User ".$_SESSION["username"]." added some server settings.",$_SESSION["id"]);
 }
 load_settings();
 
diff --git a/src/server/cyberhex-code/system/secure_zone/php/view_log.php b/src/server/cyberhex-code/system/secure_zone/php/view_log.php
index 2922fd1..f7b39a6 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/view_log.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/view_log.php
@@ -129,6 +129,7 @@ $conn->close();
                         //delete entry if requested and if user has rights to do that
                         if(isset($_GET["delete"])){
                             if($perms[3]!=="1"){
+								log_action("LOG::ENTRY::DELETE::FAILURE","User ".$_SESSION["username"]." tried to delete a log entry but not succeeded because of insufficient permissions.",$_SESSION["id"]);
                                 echo '<div class="alert alert-danger" role="alert">
                                                 You are not allowed to delete log entries. (insufficient permissions)
                                 </div>';
@@ -149,10 +150,12 @@ $conn->close();
                                 echo '<div class="alert alert-success" role="alert">
                                                 Log entry deleted.
                                 </div>';
+								log_action("LOG::ENTRY::DELETE::SUCCESS","User ".$_SESSION["username"]." deleted a log entry.",$_SESSION["id"]);
                             }
                         }
 						if(isset($_GET["delete_all"])){
                             if($perms[3]!=="1"){
+								log_action("LOG::ENTRY::DELETE::FAILURE","User ".$_SESSION["username"]." tried to delete the full log but not succeeded because of insufficient permissions.",$_SESSION["id"]);
                                 echo '<div class="alert alert-danger" role="alert">
                                                 You are not allowed to delete log entries. (insufficient permissions)
                                 </div>';
@@ -171,6 +174,7 @@ $conn->close();
                                 echo '<div class="alert alert-success" role="alert">
                                                 Log deleted.
                                 </div>';
+								log_action("LOG::ENTRY::DELETE::SUCCESS","User ".$_SESSION["username"]." deleted the full log.",$_SESSION["id"]);
                             }
                         }