Beispiel #1
0
    def testPathInterpolation(self):
        self.client_id = self.SetupClient(0)

        bar = rdf_client.User(username="******")
        baz = rdf_client.User(username="******")
        kb = rdf_client.KnowledgeBase(os="foo",
                                      domain="norf",
                                      users=[bar, baz])

        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        with client:
            client.Set(client.Schema.KNOWLEDGE_BASE, kb)

        with test_lib.AutoTempDirPath(remove_non_empty=True) as temp_dirpath:
            self._Touch(os.path.join(temp_dirpath, "foo", "bar"))
            self._Touch(os.path.join(temp_dirpath, "foo", "baz"))
            self._Touch(os.path.join(temp_dirpath, "foo", "quux"))
            self._Touch(os.path.join(temp_dirpath, "thud", "norf", "plugh"))
            self._Touch(os.path.join(temp_dirpath, "thud", "norf", "blargh"))

            paths = [
                os.path.join(temp_dirpath, "%%os%%", "%%users.username%%"),
                os.path.join(temp_dirpath, "thud", "%%domain%%", "plugh"),
            ]

            action = rdf_file_finder.FileFinderAction.Action.STAT
            results = self._RunCFF(paths, action)

            paths = [result.stat_entry.pathspec.path for result in results]
            self.assertItemsEqual(paths, [
                os.path.join(temp_dirpath, "foo", "bar"),
                os.path.join(temp_dirpath, "foo", "baz"),
                os.path.join(temp_dirpath, "thud", "norf", "plugh")
            ])
Beispiel #2
0
    def testGrep(self):
        class MockCallFlow(object):
            def CallFlow(self, *args, **kwargs):
                self.args = args
                self.kwargs = kwargs

        mock_call_flow = MockCallFlow()
        with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
                           mock_call_flow.CallFlow):

            collect_flow = collectors.ArtifactCollectorFlow(None,
                                                            token=self.token)
            collect_flow.args = mock.Mock()
            collect_flow.args.ignore_interpolation_errors = False
            kb = rdf_client.KnowledgeBase()
            kb.MergeOrAddUser(rdf_client.User(username="******"))
            kb.MergeOrAddUser(rdf_client.User(username="******"))
            collect_flow.state["knowledge_base"] = kb
            collect_flow.current_artifact_name = "blah"

            collector = rdf_artifacts.ArtifactSource(
                type=rdf_artifacts.ArtifactSource.SourceType.GREP,
                attributes={
                    "paths": ["/etc/passwd"],
                    "content_regex_list": [r"^a%%users.username%%b$"]
                })
            collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK)

        conditions = mock_call_flow.kwargs["conditions"]
        self.assertEqual(len(conditions), 1)
        regexes = conditions[0].contents_regex_match.regex.SerializeToString()
        self.assertItemsEqual(regexes.split("|"),
                              ["(^atest1b$)", "(^atest2b$)"])
        self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
Beispiel #3
0
  def testUserMergeLinux(self):
    """Check Linux users are accurately merged."""
    kb = rdf_client.KnowledgeBase()
    self.assertEqual(len(kb.users), 0)
    kb.MergeOrAddUser(rdf_client.User(username="******", last_logon=1111))
    self.assertEqual(len(kb.users), 1)
    # This should merge since the username is the same.
    kb.MergeOrAddUser(rdf_client.User(uid="12", username="******"))
    self.assertEqual(len(kb.users), 1)

    # This should create a new record because the uid is different
    kb.MergeOrAddUser(
        rdf_client.User(
            username="******", uid="13", desktop="/home/blake/Desktop"))
    self.assertEqual(len(kb.users), 2)

    kb.MergeOrAddUser(
        rdf_client.User(
            username="******", uid="14", desktop="/home/blake/Desktop"))

    self.assertEqual(len(kb.users), 3)

    # Check merging where we don't specify uid works
    new_attrs, conflicts = kb.MergeOrAddUser(
        rdf_client.User(username="******", desktop="/home/blakey/Desktop"))
    self.assertEqual(len(kb.users), 3)
    self.assertItemsEqual(new_attrs, ["users.username", "users.desktop"])
    self.assertItemsEqual(
        conflicts,
        [("desktop", u"/home/blake/Desktop", u"/home/blakey/Desktop")])
Beispiel #4
0
  def testUserMergeWindows(self):
    """Check Windows users are accurately merged."""
    kb = rdf_client.KnowledgeBase()
    self.assertEqual(len(kb.users), 0)
    kb.MergeOrAddUser(rdf_client.User(sid="1234"))
    self.assertEqual(len(kb.users), 1)
    kb.MergeOrAddUser(rdf_client.User(sid="5678", username="******"))
    self.assertEqual(len(kb.users), 2)

    _, conflicts = kb.MergeOrAddUser(
        rdf_client.User(sid="5678", username="******"))
    self.assertEqual(len(kb.users), 2)
    self.assertEqual(conflicts[0], ("username", "test1", "test2"))
    self.assertEqual(kb.GetUser(sid="5678").username, "test2")

    # This should merge on user name as we have no other data.
    kb.MergeOrAddUser(rdf_client.User(username="******", homedir="a"))
    self.assertEqual(len(kb.users), 2)

    # This should create a new user since the sid is different.
    new_attrs, conflicts = kb.MergeOrAddUser(
        rdf_client.User(username="******", sid="12345", temp="/blah"))
    self.assertEqual(len(kb.users), 3)
    self.assertItemsEqual(new_attrs,
                          ["users.username", "users.temp", "users.sid"])
    self.assertEqual(conflicts, [])
Beispiel #5
0
  def SetupTestClientObject(self,
                            client_nr,
                            add_cert=True,
                            arch="x86_64",
                            install_time=None,
                            last_boot_time=None,
                            fqdn=None,
                            kernel="4.0.0",
                            memory_size=None,
                            os_version="buster/sid",
                            ping=None,
                            system="Linux",
                            labels=None):
    """Prepares a test client object."""
    client_id = "C.1%015x" % client_nr

    client = rdf_objects.ClientSnapshot(client_id=client_id)
    client.startup_info.client_info = self._TestClientInfo()
    if last_boot_time is not None:
      client.startup_info.boot_time = last_boot_time

    client.knowledge_base.fqdn = fqdn or "Host-%x.example.com" % client_nr
    client.knowledge_base.os = system
    client.knowledge_base.users = [
        rdf_client.User(username="******"),
        rdf_client.User(username="******"),
    ]
    client.os_version = os_version
    client.arch = arch
    client.kernel = kernel

    client.interfaces = self._TestInterfaces(client_nr)
    client.install_time = install_time

    client.hardware_info = rdf_client.HardwareInfo(
        system_manufacturer="System-Manufacturer-%x" % client_nr,
        bios_version="Bios-Version-%x" % client_nr)

    if memory_size is not None:
      client.memory_size = memory_size

    ping = ping or rdfvalue.RDFDatetime.Now()
    if add_cert:
      cert = self.ClientCertFromPrivateKey(config.CONFIG["Client.private_key"])
    else:
      cert = None

    data_store.REL_DB.WriteClientMetadata(
        client_id, last_ping=ping, certificate=cert, fleetspeak_enabled=False)
    data_store.REL_DB.WriteClientSnapshot(client)

    client_index.ClientIndex().AddClient(client)

    if labels:
      data_store.REL_DB.AddClientLabels(client_id, "GRR", labels)
      client_index.ClientIndex().AddClientLabels(
          client_id, data_store.REL_DB.ReadClientLabels(client_id))

    return client
Beispiel #6
0
  def testInterpolation(self):
    """Check we can interpolate values from the knowledge base."""
    kb = rdf_client.KnowledgeBase()

    # No users yet, this should raise
    self.assertRaises(
        artifact_utils.KnowledgeBaseInterpolationError, list,
        artifact_utils.InterpolateKbAttributes("test%%users.username%%test",
                                               kb))

    # Now we have two users
    kb.users.Append(rdf_client.User(username="******", uid=1))
    kb.users.Append(rdf_client.User(username="******", uid=2))
    kb.Set("environ_allusersprofile", "c:\\programdata")

    paths = artifact_utils.InterpolateKbAttributes("test%%users.username%%test",
                                                   kb)
    paths = list(paths)
    self.assertEqual(len(paths), 2)
    self.assertItemsEqual(paths, ["testjoetest", "testjimtest"])

    paths = artifact_utils.InterpolateKbAttributes(
        "%%environ_allusersprofile%%\\a", kb)
    self.assertEqual(list(paths), ["c:\\programdata\\a"])

    # Check a bad attribute raises
    self.assertRaises(
        artifact_utils.KnowledgeBaseInterpolationError, list,
        artifact_utils.InterpolateKbAttributes("%%nonexistent%%\\a", kb))

    # Empty values should also raise
    kb.Set("environ_allusersprofile", "")
    self.assertRaises(
        artifact_utils.KnowledgeBaseInterpolationError, list,
        artifact_utils.InterpolateKbAttributes("%%environ_allusersprofile%%\\a",
                                               kb))

    # No users have temp defined, so this should raise
    self.assertRaises(
        artifact_utils.KnowledgeBaseInterpolationError, list,
        artifact_utils.InterpolateKbAttributes("%%users.temp%%\\a", kb))

    # One user has users.temp defined, the others do not.  This is common on
    # windows where users have been created but have never logged in. We should
    # get just one value back.
    kb.users.Append(
        rdf_client.User(
            username="******",
            uid=1,
            temp="C:\\Users\\jason\\AppData\\Local\\Temp"))
    paths = artifact_utils.InterpolateKbAttributes(r"%%users.temp%%\abcd", kb)
    self.assertItemsEqual(paths,
                          ["C:\\Users\\jason\\AppData\\Local\\Temp\\abcd"])
Beispiel #7
0
    def Run(self, unused_args):
        """Enumerates all the users on this system."""
        users = self.ParseWtmp()
        for user, last_login in users.iteritems():

            # Lose the null termination
            username = user.split("\x00", 1)[0]

            if username:
                # Somehow the last login time can be < 0. There is no documentation
                # what this means so we just set it to 0 (the rdfvalue field is
                # unsigned so we can't send negative values).
                if last_login < 0:
                    last_login = 0

                result = rdf_client.User(username=utils.SmartUnicode(username),
                                         last_logon=last_login * 1000000)

                try:
                    pwdict = pwd.getpwnam(username)
                    result.homedir = utils.SmartUnicode(pwdict.pw_dir)
                    result.full_name = utils.SmartUnicode(pwdict.pw_gecos)
                    result.uid = pwdict.pw_uid
                    result.gid = pwdict.pw_gid
                    result.shell = utils.SmartUnicode(pwdict.pw_shell)
                except KeyError:
                    pass

                self.SendReply(result)
Beispiel #8
0
  def setUp(self):
    """Make sure things are initialized."""
    super(ArtifactFlowLinuxTest, self).setUp()
    with aff4.FACTORY.Open(
        self.SetupClient(0, system="Linux", os_version="12.04"),
        mode="rw",
        token=self.token) as fd:

      # Add some users
      kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
      kb.MergeOrAddUser(rdf_client.User(username="******"))
      kb.MergeOrAddUser(rdf_client.User(username="******"))
      kb.MergeOrAddUser(rdf_client.User(username="******"))
      fd.Set(kb)

    self.LoadTestArtifacts()
Beispiel #9
0
  def Parse(self, stat, knowledge_base):
    """Parse each returned registry value."""
    _ = knowledge_base  # Unused.
    sid_str = stat.pathspec.Dirname().Basename()

    if SID_RE.match(sid_str):
      kb_user = rdf_client.User()
      kb_user.sid = sid_str
      if stat.pathspec.Basename() == "ProfileImagePath":
        if stat.resident:
          # Support old clients.
          kb_user.homedir = utils.SmartUnicode(stat.resident)
        else:
          kb_user.homedir = stat.registry_data.GetValue()

        kb_user.userprofile = kb_user.homedir
        try:
          # Assume username is the last component of the path. This is not
          # robust, but other user artifacts will override it if there is a
          # better match.
          kb_user.username = kb_user.homedir.rsplit("\\", 1)[-1]
        except IndexError:
          pass

      yield kb_user
Beispiel #10
0
 def ParsePasswdEntry(self, line):
     """Process the passwd entry fields and primary group memberships."""
     fields = ("uname", "passwd", "uid", "gid", "fullname", "homedir",
               "shell")
     if line:
         rslt = dict(zip(fields, line.split(":")))
         user = self.entry.setdefault(rslt["uname"], rdf_client.User())
         user.username = rslt["uname"]
         user.pw_entry.store = self.GetPwStore(rslt["passwd"])
         if user.pw_entry.store == self.base_store:
             user.pw_entry.hash_type = self.GetHashType(rslt["passwd"])
         # If the passwd file contains NIS entries they may not have uid/gid set.
         if rslt["uid"]:
             user.uid = int(rslt["uid"])
         if rslt["gid"]:
             user.gid = int(rslt["gid"])
         user.homedir = rslt["homedir"]
         user.shell = rslt["shell"]
         user.full_name = rslt["fullname"]
         # Map uid numbers to detect duplicates.
         uids = self.uids.setdefault(user.uid, set())
         uids.add(user.username)
         # Map primary group memberships to populate memberships.
         gid = self.gids.setdefault(user.gid, set())
         gid.add(user.username)
Beispiel #11
0
    def testFindsKeyWithInterpolatedGlobWithoutConditions(self):
        # Initialize client's knowledge base in order for the interpolation
        # to work.
        user = rdf_client.User(sid="S-1-5-20")
        kb = rdf_client.KnowledgeBase(users=[user])
        client_id = self.SetupClient(0)

        with aff4.FACTORY.Open(client_id, mode="rw",
                               token=self.token) as client:
            client.Set(client.Schema.KNOWLEDGE_BASE, kb)

        session_id = self.RunFlow(client_id, [
            "HKEY_USERS/%%users.sid%%/Software/Microsoft/Windows/"
            "CurrentVersion/*"
        ])

        results = self.GetResults(session_id)
        self.assertEqual(len(results), 1)

        key = ("/HKEY_USERS/S-1-5-20/"
               "Software/Microsoft/Windows/CurrentVersion/Run")

        self.assertEqual(results[0].stat_entry.AFF4Path(client_id),
                         "aff4:/C.1000000000000000/registry" + key)
        self.assertEqual(results[0].stat_entry.pathspec.path, key)
        self.assertEqual(results[0].stat_entry.pathspec.pathtype,
                         rdf_paths.PathSpec.PathType.REGISTRY)
Beispiel #12
0
  def ParseMultiple(self, stats, knowledge_base):
    """Parse each returned registry value."""
    user_dict = {}

    for stat in stats:
      sid_str = stat.pathspec.path.split("/", 3)[2]
      if SID_RE.match(sid_str):
        if sid_str not in user_dict:
          user_dict[sid_str] = rdf_client.User(sid=sid_str)

        if stat.registry_data.GetValue():
          # Look up in the mapping if we can use this entry to populate a user
          # attribute, and if so, set it.
          reg_key_name = stat.pathspec.Dirname().Basename()
          if reg_key_name in self.key_var_mapping:
            map_dict = self.key_var_mapping[reg_key_name]
            reg_key = stat.pathspec.Basename()
            kb_attr = map_dict.get(reg_key)
            if kb_attr:
              value = artifact_utils.ExpandWindowsEnvironmentVariables(
                  stat.registry_data.GetValue(), knowledge_base)
              value = artifact_utils.ExpandWindowsUserEnvironmentVariables(
                  value, knowledge_base, sid=sid_str)
              user_dict[sid_str].Set(kb_attr, value)

    # Now yield each user we found.
    return user_dict.itervalues()
Beispiel #13
0
    def Parse(self, stat, file_object, knowledge_base):
        """Parse the wtmp file."""
        _, _ = stat, knowledge_base
        users = {}
        wtmp = file_object.read()
        while wtmp:
            try:
                record = UtmpStruct(wtmp)
            except utils.ParsingError:
                break

            wtmp = wtmp[record.size:]
            # Users only appear for USER_PROCESS events, others are system.
            if record.ut_type != 7:
                continue

            # Lose the null termination
            record.user = record.user.split("\x00", 1)[0]

            # Store the latest login time.
            # TODO(user): remove the 0 here once RDFDatetime can support times
            # pre-epoch properly.
            try:
                users[record.user] = max(users[record.user], record.sec, 0)
            except KeyError:
                users[record.user] = record.sec

        for user, last_login in users.iteritems():
            yield rdf_client.User(username=utils.SmartUnicode(user),
                                  last_logon=last_login * 1000000)
Beispiel #14
0
    def testInterpolateArgs(self):
        collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token)

        kb = rdf_client.KnowledgeBase()
        kb.MergeOrAddUser(rdf_client.User(username="******"))
        kb.MergeOrAddUser(rdf_client.User(username="******"))
        collect_flow.state["knowledge_base"] = kb

        collect_flow.current_artifact_name = "blah"
        collect_flow.args = artifact_utils.ArtifactCollectorFlowArgs()

        test_rdf = rdf_client.KnowledgeBase()
        action_args = {
            "usernames": ["%%users.username%%", "%%users.username%%"],
            "nointerp": "asdfsdf",
            "notastring": test_rdf
        }

        kwargs = collect_flow.InterpolateDict(action_args)
        self.assertItemsEqual(kwargs["usernames"],
                              ["test1", "test2", "test1", "test2"])
        self.assertEqual(kwargs["nointerp"], "asdfsdf")
        self.assertEqual(kwargs["notastring"], test_rdf)

        # We should be using an array since users.username will expand to multiple
        # values.
        self.assertRaises(ValueError, collect_flow.InterpolateDict,
                          {"bad": "%%users.username%%"})

        list_args = collect_flow.InterpolateList(
            ["%%users.username%%", r"%%users.username%%\aa"])
        self.assertItemsEqual(list_args,
                              ["test1", "test2", r"test1\aa", r"test2\aa"])

        list_args = collect_flow.InterpolateList(["one"])
        self.assertEqual(list_args, ["one"])

        # Ignore the failure in users.desktop, report the others.
        collect_flow.args.ignore_interpolation_errors = True
        list_args = collect_flow.InterpolateList(
            ["%%users.desktop%%", r"%%users.username%%\aa"])
        self.assertItemsEqual(list_args, [r"test1\aa", r"test2\aa"])

        # Both fail.
        list_args = collect_flow.InterpolateList(
            [r"%%users.desktop%%\aa", r"%%users.sid%%\aa"])
        self.assertItemsEqual(list_args, [])
Beispiel #15
0
    def Parse(self, stat_entries, knowledge_base, path_type):
        """Parse the StatEntry objects."""
        _, _ = knowledge_base, path_type

        for stat_entry in stat_entries:
            if stat.S_ISDIR(stat_entry.st_mode):
                homedir = stat_entry.pathspec.path
                username = os.path.basename(homedir)
                if username not in self.blacklist:
                    yield rdf_client.User(username=username, homedir=homedir)
Beispiel #16
0
 def SetLinuxKB(self):
     client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
     kb = client.Schema.KNOWLEDGE_BASE()
     kb.os = "Linux"
     user = rdf_client.User(username="******", homedir="/home/user1")
     kb.users = [user]
     client.Set(client.Schema.KNOWLEDGE_BASE, kb)
     client.Set(client.Schema.SYSTEM("Linux"))
     client.Set(client.Schema.OS_VERSION("12.04"))
     client.Flush()
Beispiel #17
0
    def testKBUserBackwardsCompatibility(self):
        """Check User can be created from deprecated KBUser."""
        kbuser = rdf_client.KnowledgeBaseUser()
        kbuser.username = "******"
        kbuser.desktop = "User Desktop 1"

        user = rdf_client.User(kbuser)

        self.assertEqual(user.username, "user1")
        self.assertEqual(user.desktop, "User Desktop 1")
Beispiel #18
0
    def _CreateClients(self):
        # To test all search keywords, we can rely on SetupClients
        # creating clients with attributes containing a numberic
        # value, e.g. hostname will be Host-0, Host-1, etc.
        self.client_ids = self.SetupClients(15)

        self.AddClientLabel(self.client_ids[0], self.token.username,
                            "common_test_label")
        self.AddClientLabel(self.client_ids[0], self.token.username,
                            "unique_test_label")
        self.AddClientLabel(self.client_ids[1], self.token.username,
                            "common_test_label")

        if data_store.RelationalDBReadEnabled():
            snapshot = data_store.REL_DB.ReadClientSnapshot(
                self.client_ids[0].Basename())
            snapshot.knowledge_base.users.Append(
                rdf_client.User(username="******"))
            snapshot.knowledge_base.users.Append(
                rdf_client.User(username=self.token.username))
            data_store.REL_DB.WriteClientSnapshot(snapshot)
            client_index.ClientIndex().AddClient(
                data_store.REL_DB.ReadClientSnapshot(
                    self.client_ids[0].Basename()))
        else:
            # SetupClients adds no labels or user names.
            with aff4.FACTORY.Open(self.client_ids[0],
                                   mode="rw",
                                   token=self.token) as client_obj:
                client_obj.AddLabel("common_test_label",
                                    owner=self.token.username)
                client_obj.AddLabel("unique_test_label",
                                    owner=self.token.username)

                # Add user in knowledge base.
                kb = client_obj.Get(client_obj.Schema.KNOWLEDGE_BASE)
                kb.users.Append(rdf_client.User(username="******"))
                kb.users.Append(rdf_client.User(username=self.token.username))
                client_obj.Set(client_obj.Schema.KNOWLEDGE_BASE, kb)

                # Update index, since we added users and labels.
                with client_index.CreateClientIndex(token=self.token) as index:
                    index.AddClient(client_obj)
Beispiel #19
0
 def testRdfFormatterFanOut(self):
     rdf = rdf_protodict.Dict()
     user1 = rdf_client.User(username="******")
     user2 = rdf_client.User(username="******")
     rdf["cataclysm"] = "GreyGoo"
     rdf["thinkers"] = [user1, user2]
     rdf["reference"] = {
         "ecophage": ["bots", ["nanobots", ["picobots"]]],
         "doomsday": {
             "books": ["cats cradle", "prey"]
         }
     }
     template = ("{cataclysm}; {thinkers.username}; {reference.ecophage}; "
                 "{reference.doomsday}\n")
     hinter = hints.Hinter(template=template)
     expected = ("GreyGoo; drexler,joy; bots,nanobots,picobots; "
                 "books:cats cradle,prey")
     result = hinter.Render(rdf)
     self.assertEqual(expected, result)
Beispiel #20
0
    def testAnalyzeClient(self):
        index = client_index.CreateClientIndex(token=self.token)
        client = aff4.FACTORY.Create("aff4:/" + CLIENT_ID,
                                     aff4_type=aff4_grr.VFSGRRClient,
                                     mode="rw",
                                     token=self.token)
        client.Set(client.Schema.SYSTEM("Windows"))
        client.Set(
            client.Schema.CLIENT_INFO(client_name="grr monitor",
                                      labels=["client-label-23"]))
        kb = rdf_client.KnowledgeBase()
        kb.users.Append(
            rdf_client.User(
                username="******",
                full_name="Eric (Bertrand ) 'Russell' \"Logician\" Jacobson"))
        kb.users.Append(
            rdf_client.User(username="******", full_name="Steve O'Bryan"))
        client.Set(client.Schema.KNOWLEDGE_BASE(kb))
        _, keywords = index.AnalyzeClient(client)

        # Should not contain an empty string.
        self.assertNotIn("", keywords)

        # OS of the client
        self.assertIn("windows", keywords)

        # Users of the client.
        self.assertIn("bert", keywords)
        self.assertIn("bertrand", keywords)
        self.assertNotIn(")", keywords)
        self.assertIn("russell", keywords)
        self.assertIn("logician", keywords)
        self.assertIn("ernie", keywords)
        self.assertIn("eric", keywords)
        self.assertIn("jacobson", keywords)
        self.assertIn("steve o'bryan", keywords)
        self.assertIn("o'bryan", keywords)

        # Client information.
        self.assertIn("grr monitor", keywords)
        self.assertIn("client-label-23", keywords)
Beispiel #21
0
 def GetExpectedUser(self, algo, user_store, group_store):
     user = rdf_client.User(username="******",
                            full_name="User",
                            uid="1001",
                            gid="1001",
                            homedir="/home/user",
                            shell="/bin/bash")
     user.pw_entry = rdf_client.PwEntry(store=user_store, hash_type=algo)
     user.gids = [1001]
     grp = rdf_client.Group(gid=1001, members=["user"], name="user")
     grp.pw_entry = rdf_client.PwEntry(store=group_store, hash_type=algo)
     return user, grp
Beispiel #22
0
    def testGlobWithStarStarRootPath(self):
        """Test ** expressions with root_path."""
        self.client_id = self.SetupClient(0)

        # Add some usernames we can interpolate later.
        client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
        kb = client.Get(client.Schema.KNOWLEDGE_BASE)
        kb.MergeOrAddUser(rdf_client.User(username="******"))
        kb.MergeOrAddUser(rdf_client.User(username="******"))
        client.Set(kb)
        client.Close()

        client_mock = action_mocks.GlobClientMock()

        # Glob for foo at a depth of 4.
        path = os.path.join("foo**4")
        root_path = rdf_paths.PathSpec(path=os.path.join(
            self.base_path, "test_img.dd"),
                                       pathtype=rdf_paths.PathSpec.PathType.OS)
        root_path.Append(path="/", pathtype=rdf_paths.PathSpec.PathType.TSK)

        # Run the flow.
        flow_test_lib.TestFlowHelper(filesystem.Glob.__name__,
                                     client_mock,
                                     client_id=self.client_id,
                                     paths=[path],
                                     root_path=root_path,
                                     pathtype=rdf_paths.PathSpec.PathType.OS,
                                     token=self.token)

        output_path = self.client_id.Add("fs/tsk").Add(
            self.base_path.replace("\\", "/")).Add("test_img.dd/glob_test/a/b")

        children = []
        fd = aff4.FACTORY.Open(output_path, token=self.token)
        for child in fd.ListChildren():
            children.append(child.Basename())

        # We should find some files.
        self.assertEqual(children, ["foo"])
Beispiel #23
0
    def testGlobDirectory(self):
        """Test that glob expands directories."""
        self.client_id = self.SetupClient(0)

        # Add some usernames we can interpolate later.
        client = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)

        kb = client.Get(client.Schema.KNOWLEDGE_BASE)
        kb.MergeOrAddUser(
            rdf_client.User(username="******", appdata="test_data/index.dat"))
        kb.MergeOrAddUser(
            rdf_client.User(username="******", appdata="test_data/History"))
        # This is a record which means something to the interpolation system. We
        # should not process this especially.
        kb.MergeOrAddUser(rdf_client.User(username="******",
                                          appdata="%%PATH%%"))

        client.Set(kb)
        client.Close()

        client_mock = action_mocks.GlobClientMock()

        # This glob selects all files which start with the username on this system.
        path = os.path.join(os.path.dirname(self.base_path),
                            "%%users.appdata%%")

        # Run the flow.
        flow_test_lib.TestFlowHelper(filesystem.Glob.__name__,
                                     client_mock,
                                     client_id=self.client_id,
                                     paths=[path],
                                     token=self.token)

        path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")

        aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)

        path = self.client_id.Add("fs/os").Add(self.base_path).Add("index.dat")

        aff4.FACTORY.Open(path, aff4_type=aff4_grr.VFSFile, token=self.token)
Beispiel #24
0
    def testKnowlegeBaseUsersAttributesExpandIntoLists(self):
        kb = rdf_client.KnowledgeBase()
        kb.users.append(
            rdf_client.User(appdata="the_appdata_1",
                            localappdata="the_localappdata_1",
                            userdomain="the_userdomain_1",
                            userprofile="the_userprofile_1"))
        kb.users.append(
            rdf_client.User(appdata="the_appdata_2",
                            localappdata="the_localappdata_2",
                            userdomain="the_userdomain_2",
                            userprofile="the_userprofile_2"))

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        self.assertEqual(
            mapping, {
                "appdata": ["the_appdata_1", "the_appdata_2"],
                "localappdata": ["the_localappdata_1", "the_localappdata_2"],
                "userdomain": ["the_userdomain_1", "the_userdomain_2"],
                "userprofile": ["the_userprofile_1", "the_userprofile_2"]
            })
Beispiel #25
0
    def _MakeClientRecord(self):
        # Set up client info
        client_id = self.SetupClient(0)
        client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token)
        client.Set(client.Schema.SYSTEM("Windows"))
        kb = client.Get(client.Schema.KNOWLEDGE_BASE)
        kb.users.Append(
            rdf_client.User(username="******",
                            userdomain="TESTDOMAIN",
                            full_name="test user",
                            homedir="c:\\Users\\test",
                            last_logon=rdfvalue.RDFDatetime.FromHumanReadable(
                                "2012-11-10")))

        kb.users.Append(
            rdf_client.User(username="******",
                            userdomain="TESTDOMAIN",
                            full_name="test user 2",
                            homedir="c:\\Users\\test2",
                            last_logon=100))
        client.Set(kb)
        client.Flush()
        return client
Beispiel #26
0
    def testAnalyzeClient(self):
        index = client_index.ClientIndex()

        client = rdf_objects.ClientSnapshot(client_id="C.0000000000000000")
        client.knowledge_base.os = "Windows"
        client.startup_info.client_info.client_name = "grr monitor"
        client.startup_info.client_info.labels = ["client-label-23"]
        kb = client.knowledge_base
        kb.users = [
            rdf_client.User(
                username="******",
                full_name="Eric (Bertrand ) 'Russell' \"Logician\" Jacobson"),
            rdf_client.User(username="******", full_name="Steve O'Bryan")
        ]
        keywords = index.AnalyzeClient(client)

        # Should not contain an empty string.
        self.assertNotIn("", keywords)

        # OS of the client
        self.assertIn("windows", keywords)

        # Users of the client.
        self.assertIn("bert", keywords)
        self.assertIn("bertrand", keywords)
        self.assertNotIn(")", keywords)
        self.assertIn("russell", keywords)
        self.assertIn("logician", keywords)
        self.assertIn("ernie", keywords)
        self.assertIn("eric", keywords)
        self.assertIn("jacobson", keywords)
        self.assertIn("steve o'bryan", keywords)
        self.assertIn("o'bryan", keywords)

        # Client information.
        self.assertIn("grr monitor", keywords)
        self.assertIn("client-label-23", keywords)
Beispiel #27
0
 def Parse(self, query, result, knowledge_base):
     """Parse the WMI Win32_UserAccount output."""
     _ = query, knowledge_base
     kb_user = rdf_client.User()
     for wmi_key, kb_key in self.account_mapping.items():
         try:
             kb_user.Set(kb_key, result[wmi_key])
         except KeyError:
             pass
     # We need at least a sid or a username.  If these are missing its likely we
     # retrieved just the userdomain for an AD account that has a name collision
     # with a local account that is correctly populated.  We drop the bogus
     # domain account.
     if kb_user.sid or kb_user.username:
         yield kb_user
Beispiel #28
0
  def testClientSubfieldGet(self):
    """Test we can get subfields of the client."""
    fd = aff4.FACTORY.Create(
        "C.0000000000000000", aff4_grr.VFSGRRClient, token=self.token)

    kb = fd.Schema.KNOWLEDGE_BASE()
    for i in range(5):
      kb.users.Append(rdf_client.User(username="******" % i))
    fd.Set(kb)
    fd.Close()

    fd = aff4.FACTORY.Open(
        "C.0000000000000000", aff4_grr.VFSGRRClient, token=self.token)
    for i, user in enumerate(fd.Get(fd.Schema.KNOWLEDGE_BASE).users):
      self.assertEqual(user.username, "user%s" % i)
Beispiel #29
0
  def setUp(self):
    super(TestWebHistoryWithArtifacts, self).setUp()
    self.client_id = self.SetupClient(0, system="Linux", os_version="12.04")
    fd = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
    self.kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
    self.kb.users.Append(
        rdf_client.User(
            username="******",
            full_name="test user",
            homedir="/home/test/",
            last_logon=250))
    fd.AddAttribute(fd.Schema.KNOWLEDGE_BASE, self.kb)
    fd.Flush()

    self.client_mock = action_mocks.FileFinderClientMock()
Beispiel #30
0
    def testCompatibility(self):
        proto = knowledge_base_pb2.User(username="******")
        proto.desktop = "User Desktop 1"

        serialized = proto.SerializeToString()

        rdf_from_serialized = rdf_client.User.FromSerializedString(serialized)

        self.assertEqual(rdf_from_serialized.username, proto.username)
        self.assertEqual(rdf_from_serialized.desktop, proto.desktop)

        rdf_direct = rdf_client.User(username="******",
                                     desktop="User Desktop 1")

        self.assertRDFValuesEqual(rdf_from_serialized, rdf_direct)