    def Handle(self, args, token=None):
        """Start a size-bounded FileFinder flow on the target client.

        ``args.paths`` are caller-supplied glob expressions handed straight to
        the flow, so what bounds the amount of data one request can pull off a
        client is only the per-file ``max_file_size`` condition, the
        per-user/per-client throttler and the hard 200MB network cap set below.

        Args:
          args: Request object; ``paths``, ``max_file_size`` and ``action`` are
            read from it (its exact type is declared elsewhere).
          token: Access token of the calling user. Required despite the
            ``None`` default: ``token.username`` is read for throttling, so a
            missing token raises ``AttributeError`` before any flow is started
            (the request fails closed).

        Returns:
          ApiStartRobotGetFilesOperationResult whose ``operation_id`` is the
          unicode form of the started flow's id.

        Raises:
          Whatever ``throttle.FlowThrottler.EnforceLimits`` raises when the
          caller is over its limits; nothing is scheduled in that case.
        """
        target = self.GetClientTarget(args, token=token)
        flow_name = file_finder.FileFinder.__name__

        # Bound per-file size by the caller's max_file_size.
        max_size = file_finder.FileFinderSizeCondition(
            max_file_size=args.max_file_size)
        conditions = [
            file_finder.FileFinderCondition(
                condition_type=file_finder.FileFinderCondition.Type.SIZE,
                size=max_size)
        ]
        finder_args = file_finder.FileFinderArgs(
            paths=args.paths,
            action=file_finder.FileFinderAction(action_type=args.action),
            conditions=conditions)

        # Throttle before anything is scheduled; EnforceLimits raises on a
        # violation, which aborts the request right here.
        throttle.FlowThrottler().EnforceLimits(
            target, token.username, flow_name, finder_args, token=token)

        # Cap transfer for the whole flow (~200MB) so a glob that matches many
        # small files cannot blow past the per-file limit in aggregate.
        runner_args = flow_runner.FlowRunnerArgs(
            client_id=target,
            flow_name=flow_name,
            network_bytes_limit=200 * 1000 * 1000)

        flow_urn = flow.GRRFlow.StartFlow(
            runner_args=runner_args, token=token, args=finder_args)

        return ApiStartRobotGetFilesOperationResult(
            operation_id=utils.SmartUnicode(flow_urn))
class TestFileFinderOSLinuxProc(transfer.TestGetFileOSLinux):
    """Download a /proc/sys entry with FileFinder.

    Runs FileFinder with the DOWNLOAD action on
    ``/proc/sys/net/ipv4/ip_forward`` and checks that the fetched VFS file
    holds at least one byte.
    """
    platforms = ["Linux"]
    flow = "FileFinder"
    test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
    # Clients older than this are skipped; presumably needed for reading
    # /proc entries correctly -- TODO confirm.
    client_min_version = 3007

    # SIZE condition with a 1MB ceiling (a safety bound; ip_forward is tiny).
    sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
    filecondition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition)

    # DOWNLOAD with default download options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # NOTE(review): "conditions" is a single condition here while
    # FileFinderArgs takes a list; presumably the harness wraps it -- verify.
    args = dict(
        paths=["/proc/sys/net/ipv4/ip_forward"],
        conditions=filecondition,
        action=action,
    )

    def CheckFile(self, fd):
        """Assert that at least one byte was read back from the sysctl entry."""
        head = fd.Read(10)
        self.assertTrue(head)
 def testSizeCondition(self):
   """A min_file_size of 50 keeps only the 53-byte registry value.

   The Run key under this SID holds two values (20 and 53 bytes); only the
   larger one passes the SIZE condition, and its st_size must exceed 50.
   """
   run_key = ("HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion"
              "/Run/*")
   at_least_50 = registry.RegistryFinderCondition(
       condition_type=registry.RegistryFinderCondition.Type.SIZE,
       size=file_finder.FileFinderSizeCondition(min_file_size=50))

   self.RunFlow([run_key], [at_least_50])
   hits = self.GetResults()

   self.assertEqual(1, len(hits))
   self.assertGreater(hits[0].stat_entry.st_size, 50)
  def testSizeConditionWithDifferentActions(self):
    """A ceiling just above the largest expected file admits exactly those.

    The max_file_size is derived from the fixture files themselves so the
    test does not hard-code sizes. auth.log must be absent from the results
    for every FileFinder action (the fixture presumably makes it larger than
    the ceiling; that is not checked here).
    """
    expected_files = ["dpkg.log", "dpkg_false.log"]
    non_expected_files = ["auth.log"]

    def fixture_size(name):
      return os.stat(os.path.join(self.fixture_path, name)).st_size

    # One byte above the largest expected file, so every expected file is
    # strictly below the ceiling however the bound is interpreted.
    ceiling = max(map(fixture_size, expected_files)) + 1
    size_condition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=file_finder.FileFinderSizeCondition(max_file_size=ceiling))

    all_actions = sorted(file_finder.FileFinderAction.Action.enum_dict.values())
    for action in all_actions:
      self.RunFlowAndCheckResults(
          action=action,
          conditions=[size_condition],
          expected_files=expected_files,
          non_expected_files=non_expected_files)
    def testSizeAndRegexConditionsWithDifferentActions(self):
        """SIZE and CONTENTS_REGEX_MATCH conditions combine conjunctively.

        auth.log is excluded by a size ceiling set one byte below it; the
        dpkg*.log files pass the size check but are expected to be dropped
        too (presumably by the regex).  Hence no file may be returned for any
        action, and the outcome must not depend on the order in which the
        conditions are listed.
        """
        files_over_size_limit = ["auth.log"]
        filtered_files = ["dpkg.log", "dpkg_false.log"]
        expected_files = []
        non_expected_files = files_over_size_limit + filtered_files

        def fixture_size(name):
            return os.stat(os.path.join(self.fixture_path, name)).st_size

        # One byte below the smallest oversized file, so none of them fits.
        ceiling = min(map(fixture_size, files_over_size_limit)) - 1
        size_condition = file_finder.FileFinderCondition(
            condition_type=file_finder.FileFinderCondition.Type.SIZE,
            size=file_finder.FileFinderSizeCondition(max_file_size=ceiling))

        regex_mode = file_finder.FileFinderContentsRegexMatchCondition.Mode
        regex_condition = file_finder.FileFinderCondition(
            condition_type=(
                file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
            contents_regex_match=(
                file_finder.FileFinderContentsRegexMatchCondition(
                    mode=regex_mode.ALL_HITS,
                    bytes_before=10,
                    bytes_after=10,
                    regex="session opened for user .*?john")))

        all_actions = sorted(
            file_finder.FileFinderAction.Action.enum_dict.values())

        # Same expectation for both orderings: the conjunction is
        # order-independent.
        for conditions in ([size_condition, regex_condition],
                           [regex_condition, size_condition]):
            for action in all_actions:
                self.RunFlowAndCheckResults(
                    action=action,
                    conditions=conditions,
                    expected_files=expected_files,
                    non_expected_files=non_expected_files)
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
  """Download a file with FileFinder.

  Fetches /bin/ps via the DOWNLOAD action; the base class then checks that
  the VFS entry at ``test_output_path`` holds an ELF image.
  """
  platforms = ["Linux"]
  flow = "FileFinder"
  test_output_path = "/fs/os/bin/ps"

  # SIZE condition with a 1MB ceiling; /bin/ps is expected to fit under it.
  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  # DOWNLOAD with default download options.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  # NOTE(review): "conditions" is a single condition here while
  # FileFinderArgs takes a list; presumably the harness wraps it -- verify.
  args = dict(
      paths=["/bin/ps"],
      conditions=filecondition,
      action=action,
  )
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
  """Download a /proc/sys entry with FileFinder.

  Fetches /proc/sys/net/ipv4/ip_forward via the DOWNLOAD action; the base
  class then checks that the VFS entry at ``test_output_path`` exists.
  """
  platforms = ["Linux"]
  flow = "FileFinder"
  test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
  # Clients older than this are skipped; presumably needed for reading
  # /proc entries correctly -- TODO confirm.
  client_min_version = 3007

  # SIZE condition with a 1MB ceiling (a safety bound; ip_forward is tiny).
  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  # DOWNLOAD with default download options.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  # NOTE(review): "conditions" is a single condition here while
  # FileFinderArgs takes a list; presumably the harness wraps it -- verify.
  args = dict(
      paths=["/proc/sys/net/ipv4/ip_forward"],
      conditions=filecondition,
      action=action,
  )
    def Render(self, args, token=None):
        """Start a size-bounded FileFinder flow and render its handle as a dict.

        ``args.paths`` are caller-supplied glob expressions handed straight to
        the flow, so what bounds the request's reach on the client is only the
        per-file ``max_file_size`` condition, the throttler and the hard 200MB
        network cap set below.

        Args:
          args: Request object; ``paths``, ``max_file_size`` and ``action`` are
            read from it.
          token: Access token of the calling user. Required despite the
            ``None`` default: ``token.username`` is read for throttling, so a
            missing token raises ``AttributeError`` before anything is
            scheduled (the request fails closed).

        Returns:
          dict with rendered ``flow_id``, ``flow_args`` and ``runner_args``,
          plus ``status_url``: an absolute URL under ``AdminUI.url`` where the
          caller can poll the flow's status.

        Raises:
          Whatever ``throttle.FlowThrottler.EnforceLimits`` raises when the
          caller is over its limits; nothing is scheduled in that case.
        """
        target = self.GetClientTarget(args, token=token)
        flow_name = "FileFinder"

        # Bound per-file size by the caller's max_file_size.
        max_size = file_finder.FileFinderSizeCondition(
            max_file_size=args.max_file_size)
        conditions = [
            file_finder.FileFinderCondition(
                condition_type=file_finder.FileFinderCondition.Type.SIZE,
                size=max_size)
        ]
        finder_args = file_finder.FileFinderArgs(
            paths=args.paths,
            action=file_finder.FileFinderAction(action_type=args.action),
            conditions=conditions)

        # Throttle before anything is scheduled; EnforceLimits raises on a
        # violation, which aborts the request right here.
        throttle.FlowThrottler().EnforceLimits(
            target, token.username, flow_name, finder_args, token=token)

        # Cap transfer for the whole flow (~200MB) so a glob that matches many
        # small files cannot blow past the per-file limit in aggregate.
        runner_args = flow_runner.FlowRunnerArgs(
            client_id=target,
            flow_name=flow_name,
            network_bytes_limit=200 * 1000 * 1000)

        flow_urn = flow.GRRFlow.StartFlow(
            runner_args=runner_args, token=token, args=finder_args)

        # Status URL for the caller to poll. The path is absolute, so urljoin
        # replaces any path prefix carried by AdminUI.url -- confirm that is
        # intended if the UI is served below a sub-path.
        # NOTE(review): the two basenames are interpolated without URL-quoting;
        # presumably well-formed identifiers (client id from GetClientTarget,
        # flow id from StartFlow) -- confirm they cannot carry URL-significant
        # characters.
        status_path = "/api/flows/%s/%s/status" % (target.Basename(),
                                                   flow_urn.Basename())
        status_url = urlparse.urljoin(config_lib.CONFIG["AdminUI.url"],
                                      status_path)

        return dict(
            flow_id=api_value_renderers.RenderValue(flow_urn),
            flow_args=api_value_renderers.RenderValue(finder_args),
            runner_args=api_value_renderers.RenderValue(runner_args),
            status_url=status_url)
class TestFileFinderOSWindows(transfer.TestGetFileOSWindows):
  """Download a file with FileFinder.

  Exercise globbing, interpolation and filtering: the path uses the
  ``%%environ_systemroot%%`` knowledge-base interpolation and a ``notepad.*``
  glob, while the SIZE condition filters on file size. ``test_output_path``
  is a regex because the interpolated system root is not known up front.
  """
  flow = "FileFinder"
  test_output_path = "/fs/os/.*/Windows/System32/notepad.exe"

  # SIZE condition with a 1MB ceiling.
  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  # DOWNLOAD with default download options.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  # NOTE(review): "conditions" is a single condition here while
  # FileFinderArgs takes a list; presumably the harness wraps it -- verify.
  args = dict(
      paths=["%%environ_systemroot%%\\System32\\notepad.*"],
      conditions=filecondition,
      action=action,
  )