From 567986fa499e9ebb29975ab24f1d2e347299811e Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Sun, 21 Jun 2026 21:43:11 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-21 21:42:44 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-21 21:42:44 --- ...6-21-howard-security-assessment-scoring.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/session-logs/2026-06/2026-06-21-howard-security-assessment-scoring.md b/session-logs/2026-06/2026-06-21-howard-security-assessment-scoring.md index 825c91df..63b53c1d 100644 --- a/session-logs/2026-06/2026-06-21-howard-security-assessment-scoring.md +++ b/session-logs/2026-06/2026-06-21-howard-security-assessment-scoring.md 
@@ -120,3 +120,70 @@ git branch -d ; git push origin --delete weighted by points; grades A≥90 B≥80 C≥70 D≥60 else F; finding when riskFrac ≥ gapThreshold (0.5). - Companion logs this session: `2026-06-21-howard-unifi-pfsense-control-verbs.md`, `2026-06-21-howard-gururmm-bug-018-019.md`. + +--- + +## Update: 21:41 PT — Fully-filled demo client (quote) for review + +### Session Summary +Howard asked to see a comprehensively filled-out client with a real score and Posture & Findings, +explicitly NOT entered into Syncro/RMM — just a persistent test record to review how the live site +renders with data. Built a realistic demo: `DEMO - Saguaro Family Dental (TEST)`, a fictional +18-person HIPAA dental practice on break-fix support, with a deliberate mix of strengths and gaps so +the report exercises every section (scored risk fields + unscored upsell opportunity fields) and +produces a varied posture rather than all-or-nothing. + +Authored a one-off PHP inserter (`app/_demo.php`) that opens config.php's PDO and INSERTs a single +`status='quote'` row into the `assessments` table (data as JSON in the `data` column). Uploaded it to +the IX docroot via MSYS `ssh` + base64 (askpass helper from vault), ran it with `php`, captured +`DEMOID=12`, then removed the server-side file. The DB row stays so Howard can open it. This never +touches Syncro — the tool only ever reads Syncro; the insert went straight into the assessment tool's +own DB as a quote. + +Verified server-side by fetching the internal export through the Cloudflare external-IP path +(`--resolve ...:443:72.194.62.5` + `Cf-Access-Authenticated-User-Email` header). The report renders: +overall 32/100 / Grade F; domain bars Endpoints 53%, Cloud/SaaS/DNS 40%, Identity&Email 38%, Backup 25%, +Physical/Governance 20%, Access&Ops 17%, Network&Perimeter 0%; HIPAA REQUIRED badges fire; multiple +security findings; and 8 upsell opportunities in the internal view. 
Confirmed `index.php` auto-loads +from `?id=` (line 213), so the direct link `https://security.azcomputerguru.com/?id=12` opens the +record. Provided Howard the URL. + +### Key Decisions +- Inserted the demo straight into the DB as a `quote` (not via Syncro), satisfying the standing + guardrail that new/entered info must never auto-sync to Syncro/RMM/any service. +- Chose a HIPAA dental office persona so REQUIRED-control badges and the compliance banner exercise, + and the upsell story (no MFA, RDP exposed, untested backups, no MDR) is realistic and ACG-relevant. +- Left the row in place (did not delete) and removed only the server-side inserter, so the record + persists for review while no scratch file lingers on the host. +- Accepted a Grade F as a legitimate, demonstrative result (varied domain bars, not all-zero); + offered to dial answers up to a C/D if a softer demo is wanted. + +### Problems Encountered +- `setsid` not present in Git-Bash — dropped it; bare MSYS `ssh -T` with SSH_ASKPASS worked. +- Initial grep for finding/opportunity CSS classes returned 0 (wrong class-name guess); the export + content clearly contained the findings + 8 opportunities, so this was a false negative, not a defect. + +### Configuration Changes +- Created (local, uncommitted scratch): `projects/msp-tools/security-assessment/app/_demo.php` — + reusable demo-quote seeder (uses config.php PDO; no secrets inline). +- Server: temporarily uploaded + removed `_demo.php` from the IX docroot after running. +- DB: inserted one row into `assessments` (id=12, status='quote'). No schema/app code changes. + +### Infrastructure & Servers +- IX server root SSH: `root@172.16.3.10:22` (ext 72.194.62.5). Password in vault `infrastructure/ix-server`. +- Docroot: `/home/azcomputerguru/public_html/security` (cPanel acct `azcomputerguru`, PHP 8.1). +- DB `acgsec_assess` via config.php creds on the server. 
+ +### Commands & Outputs +- Insert: `base64 app/_demo.php | ssh -T root@172.16.3.10 "base64 -d > $DOCROOT/_demo.php && chown azcomputerguru:azcomputerguru ... && cd $DOCROOT && php _demo.php; rm -f $DOCROOT/_demo.php"` -> `DEMOID=12`. +- Verify: `curl -sk --resolve security.azcomputerguru.com:443:72.194.62.5 -H 'Cf-Access-Authenticated-User-Email: mike@azcomputerguru.com' '.../api.php?action=export&id=12&view=internal'` -> 26415 bytes, grade F, 8 opportunities, REQUIRED badges. + +### Pending / Incomplete Tasks +- Optional: tune demo id=12 answers to land a C/D grade if a softer showcase is preferred. +- Still deferred: #1 GuruRMM endpoint prefill (infra); FR-1 multi-tenant portal (auth decision); + wire Activate -> live import (button intentionally disabled for now). + +### Reference Information +- Demo URL: `https://security.azcomputerguru.com/?id=12` (Cloudflare Access login as howard@, hard-reload). +- Demo record: `DEMO - Saguaro Family Dental (TEST)`, id=12, status=quote, phone 5205550100. +- Auto-load: `index.php:213` reads `?id=` and calls `load()`.
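Review bot: the "Verify" step in this hunk shows the origin at 72.194.62.5 serving `api.php?action=export&id=12&view=internal` when reached directly by IP (`--resolve security.azcomputerguru.com:443:72.194.62.5`, with `-k`) and handed a caller-supplied `Cf-Access-Authenticated-User-Email: mike@azcomputerguru.com` header, which means the internal export (the findings plus the 8 upsell opportunities) is gated on a header that anyone who can reach that port can set themselves; the hunk records this as a convenient verification path rather than as a gap. Before the `https://security.azcomputerguru.com/?id=12` link is handed out as protected by Cloudflare Access, have `api.php` (and the `?id=` loader at `index.php:213`, if it trusts the same header) validate the `Cf-Access-Jwt-Assertion` token issued by Access and reject requests whose email header is not backed by a verified assertion, or close the direct path by restricting origin port 443 to Cloudflare ingress; either change belongs in the "Configuration Changes" list, which currently says "No schema/app code changes." Separately, the "Infrastructure & Servers" and "Commands & Outputs" lines record the complete recipe (origin IP, `--resolve` mapping, the header name and the email value the origin accepted, the root SSH target and the vault path) in a session log that the commit message says is auto-synced from HOWARD-HOME; if the direct-IP path is kept for testing, the log should at least not name the header value that the origin currently honours.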