AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
56df54f8b1
nis2-agile/docs/sql/010_audit_hash_chain.sql
DevEnv nis2-agile 874eabb6fc [FEAT] Simulazioni Demo + Audit Trail Certificato SHA-256 
- 5 scenari reali: Onboarding, Ransomware Art.23, Data Breach Supply Chain,
  Whistleblowing SCADA, Audit Hash Chain Verification
- simulate-nis2.php: 3 aziende (DataCore/MedClinic/EnerNet), 10 fasi, CLI+SSE
- AuditService.php: hash chain SHA-256 stile lg231 (prev_hash+entry_hash)
- Migration 010: prev_hash, entry_hash, severity, performed_by su audit_logs
- AuditController: GET chain-verify + GET export-certified
- reset-demo.sql: reset dati demo idempotente
- public/simulate.html: web runner SSE con console dark-theme
- Sidebar: link Simulazione Demo + Integrazioni

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 13:56:53 +01:00

114 lines
5.5 KiB
SQL
Raw Blame History

-- ============================================================
-- NIS2 Agile - Migration 010: Audit Trail Certificato SHA-256
-- Hash chain per immutabilità certificabile (ispirato da lg231 AuditTrailService)
-- Estende la tabella audit_logs con prev_hash, entry_hash, severity, performed_by
-- ============================================================
-- Eseguire su Hetzner:
-- mysql -u nis2_agile_user -p nis2_agile_db < docs/sql/010_audit_hash_chain.sql
USE nis2_agile_db;
-- ── Aggiunta colonne (idempotente via information_schema) ──────────────────
-- prev_hash: hash del record precedente per la stessa organization_id
SET @has_prev = (
SELECT COUNT(*) FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND COLUMN_NAME = 'prev_hash'
);
SET @sql_prev = IF(@has_prev = 0,
'ALTER TABLE audit_logs ADD COLUMN prev_hash VARCHAR(64) NULL AFTER details',
'SELECT ''prev_hash already exists'' AS note'
);
PREPARE s FROM @sql_prev; EXECUTE s; DEALLOCATE PREPARE s;
-- entry_hash: SHA-256 di questo record (include prev_hash per la catena)
SET @has_entry = (
SELECT COUNT(*) FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND COLUMN_NAME = 'entry_hash'
);
SET @sql_entry = IF(@has_entry = 0,
'ALTER TABLE audit_logs ADD COLUMN entry_hash VARCHAR(64) NOT NULL DEFAULT \'\' AFTER prev_hash',
'SELECT ''entry_hash already exists'' AS note'
);
PREPARE s FROM @sql_entry; EXECUTE s; DEALLOCATE PREPARE s;
-- severity: criticità dell'evento per filtro dashboard
SET @has_sev = (
SELECT COUNT(*) FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND COLUMN_NAME = 'severity'
);
SET @sql_sev = IF(@has_sev = 0,
"ALTER TABLE audit_logs ADD COLUMN severity ENUM('info','warning','critical') NOT NULL DEFAULT 'info' AFTER entry_hash",
'SELECT ''severity already exists'' AS note'
);
PREPARE s FROM @sql_sev; EXECUTE s; DEALLOCATE PREPARE s;
-- performed_by: email/identificatore utente (denormalizzato per export certificato)
SET @has_by = (
SELECT COUNT(*) FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND COLUMN_NAME = 'performed_by'
);
SET @sql_by = IF(@has_by = 0,
'ALTER TABLE audit_logs ADD COLUMN performed_by VARCHAR(255) NULL AFTER severity',
'SELECT ''performed_by already exists'' AS note'
);
PREPARE s FROM @sql_by; EXECUTE s; DEALLOCATE PREPARE s;
-- ── Indici ────────────────────────────────────────────────────────────────
-- Indice su entry_hash per verifica integrità e ricerca
SET @has_idx_hash = (
SELECT COUNT(*) FROM information_schema.STATISTICS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND INDEX_NAME = 'idx_entry_hash'
);
SET @sql_idx = IF(@has_idx_hash = 0,
'ALTER TABLE audit_logs ADD INDEX idx_entry_hash (entry_hash)',
'SELECT ''idx_entry_hash already exists'' AS note'
);
PREPARE s FROM @sql_idx; EXECUTE s; DEALLOCATE PREPARE s;
-- Indice su severity per filtro dashboard
SET @has_idx_sev = (
SELECT COUNT(*) FROM information_schema.STATISTICS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'audit_logs' AND INDEX_NAME = 'idx_severity'
);
SET @sql_isev = IF(@has_idx_sev = 0,
'ALTER TABLE audit_logs ADD INDEX idx_severity (severity, organization_id)',
'SELECT ''idx_severity already exists'' AS note'
);
PREPARE s FROM @sql_isev; EXECUTE s; DEALLOCATE PREPARE s;
-- ── Tabella export certificati audit ─────────────────────────────────────
CREATE TABLE IF NOT EXISTS audit_exports (
id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
organization_id INT NOT NULL,
exported_by INT NULL, -- user_id (NULL = sistema)
performed_by VARCHAR(255) NULL, -- email utente
format ENUM('json','xml','csv') NOT NULL DEFAULT 'json',
records_count INT UNSIGNED NOT NULL DEFAULT 0,
date_from DATE NULL,
date_to DATE NULL,
export_hash VARCHAR(64) NOT NULL, -- SHA-256 del contenuto export
chain_valid TINYINT(1) NOT NULL DEFAULT 1, -- integrità al momento export
purpose VARCHAR(100) NOT NULL DEFAULT 'export_certificato',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
INDEX idx_org (organization_id),
INDEX idx_created (created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- ── Tabella violazioni integrità catena ───────────────────────────────────
CREATE TABLE IF NOT EXISTS audit_violations (
id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
organization_id INT NOT NULL,
detected_by VARCHAR(255) NOT NULL DEFAULT 'system',
broken_at_id INT NULL, -- audit_logs.id dove la catena si rompe
chain_length INT UNSIGNED NOT NULL DEFAULT 0, -- record totali verificati
notes TEXT NULL,
resolved TINYINT(1) NOT NULL DEFAULT 0,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
INDEX idx_org (organization_id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
SELECT 'Migration 010 completata: audit_logs con hash chain SHA-256 certificato' AS result;
Reference in New Issue View Git Blame Copy Permalink