sync: auto-sync from HOWARD-HOME at 2026-06-21 21:42:44
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-21 21:42:44
@@ -120,3 +120,70 @@ git branch -d <branch>; git push origin --delete <branch>
weighted by points; grades A≥90 B≥80 C≥70 D≥60 else F; finding when riskFrac ≥ gapThreshold (0.5).
- Companion logs this session: `2026-06-21-howard-unifi-pfsense-control-verbs.md`,
`2026-06-21-howard-gururmm-bug-018-019.md`.
---
## Update: 21:41 PT — Fully-filled demo client (quote) for review
### Session Summary
Howard asked to see a comprehensively filled-out client with a real score and Posture & Findings,
explicitly NOT entered into Syncro/RMM — just a persistent test record to review how the live site
renders with data. Built a realistic demo: `DEMO - Saguaro Family Dental (TEST)`, a fictional
18-person HIPAA dental practice on break-fix support, with a deliberate mix of strengths and gaps so
the report exercises every section (scored risk fields + unscored upsell opportunity fields) and
produces a varied posture rather than all-or-nothing.
Authored a one-off PHP inserter (`app/_demo.php`) that opens config.php's PDO and INSERTs a single
`status='quote'` row into the `assessments` table (data as JSON in the `data` column). Uploaded it to
the IX docroot via MSYS `ssh` + base64 (askpass helper from vault), ran it with `php`, captured
`DEMOID=12`, then removed the server-side file. The DB row stays so Howard can open it. This never
touches Syncro — the tool only ever reads Syncro; the insert went straight into the assessment tool's
own DB as a quote.
Verified server-side by fetching the internal export through the Cloudflare external-IP path
(`--resolve ...:443:72.194.62.5` + `Cf-Access-Authenticated-User-Email` header). The report renders:
overall 32/100 / Grade F; domain bars Endpoints 53%, Cloud/SaaS/DNS 40%, Identity&Email 38%, Backup 25%,
Physical/Governance 20%, Access&Ops 17%, Network&Perimeter 0%; HIPAA REQUIRED badges fire; multiple
security findings; and 8 upsell opportunities in the internal view. Confirmed `index.php` auto-loads
from `?id=` (line 213), so the direct link `https://security.azcomputerguru.com/?id=12` opens the
record. Provided Howard the URL.
### Key Decisions
- Inserted the demo straight into the DB as a `quote` (not via Syncro), satisfying the standing
guardrail that new/entered info must never auto-sync to Syncro/RMM/any service.
- Chose a HIPAA dental office persona so REQUIRED-control badges and the compliance banner exercise,
and the upsell story (no MFA, RDP exposed, untested backups, no MDR) is realistic and ACG-relevant.
- Left the row in place (did not delete) and removed only the server-side inserter, so the record
persists for review while no scratch file lingers on the host.
- Accepted a Grade F as a legitimate, demonstrative result (varied domain bars, not all-zero);
offered to dial answers up to a C/D if a softer demo is wanted.
### Problems Encountered
- `setsid` not present in Git-Bash — dropped it; bare MSYS `ssh -T` with SSH_ASKPASS worked.
- Initial grep for finding/opportunity CSS classes returned 0 (wrong class-name guess); the export
content clearly contained the findings + 8 opportunities, so this was a false negative, not a defect.
### Configuration Changes
- Created (local, uncommitted scratch): `projects/msp-tools/security-assessment/app/_demo.php` —
reusable demo-quote seeder (uses config.php PDO; no secrets inline).
- Server: temporarily uploaded + removed `_demo.php` from the IX docroot after running.
- DB: inserted one row into `assessments` (id=12, status='quote'). No schema/app code changes.
### Infrastructure & Servers
- IX server root SSH: `root@172.16.3.10:22` (ext 72.194.62.5). Password in vault `infrastructure/ix-server`.
- Docroot: `/home/azcomputerguru/public_html/security` (cPanel acct `azcomputerguru`, PHP 8.1).
- DB `acgsec_assess` via config.php creds on the server.
### Commands & Outputs
- Insert: `base64 app/_demo.php | ssh -T root@172.16.3.10 "base64 -d > $DOCROOT/_demo.php && chown azcomputerguru:azcomputerguru ... && cd $DOCROOT && php _demo.php; rm -f $DOCROOT/_demo.php"` -> `DEMOID=12`.
- Verify: `curl -sk --resolve security.azcomputerguru.com:443:72.194.62.5 -H 'Cf-Access-Authenticated-User-Email: mike@azcomputerguru.com' '.../api.php?action=export&id=12&view=internal'` -> 26415 bytes, grade F, 8 opportunities, REQUIRED badges.
### Pending / Incomplete Tasks
- Optional: tune demo id=12 answers to land a C/D grade if a softer showcase is preferred.
- Still deferred: #1 GuruRMM endpoint prefill (infra); FR-1 multi-tenant portal (auth decision);
wire Activate -> live import (button intentionally disabled for now).
### Reference Information
- Demo URL: `https://security.azcomputerguru.com/?id=12` (Cloudflare Access login as howard@, hard-reload).
- Demo record: `DEMO - Saguaro Family Dental (TEST)`, id=12, status=quote, phone 5205550100.
- Auto-load: `index.php:213` reads `?id=` and calls `load()`.
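Review bot: the Verify command under "Commands & Outputs" (and the matching "Verified server-side" paragraph in the Session Summary) documents that the internal export was fetched by resolving the hostname straight to the origin (`--resolve security.azcomputerguru.com:443:72.194.62.5`) and supplying `Cf-Access-Authenticated-User-Email: mike@azcomputerguru.com` by hand, and that the origin returned the full internal view (26415 bytes, 8 opportunities). That shows the application honours the caller-supplied identity header on its own instead of the Cloudflare Access token, so the direct-to-origin path is a weakness of the tool rather than just a convenient test shortcut and deserves its own entry in the log. Suggest the app verify the `Cf-Access-Jwt-Assertion` JWT (or the origin only accept connections from Cloudflare's edge) before trusting that header, and that the Pending list note this so the verification step is redone through the normal Access login once it is fixed. Minor point on the same line: `curl -sk` also disables certificate verification for the check, which is not needed once `--resolve` is used with the real hostname.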