def Render(self, args, token=None):
audit_description = ",".join([
token.username + u"." + utils.SmartUnicode(name)
for name in args.labels
])
audit_events = []
try:
index = aff4.FACTORY.Create(client_index.MAIN_INDEX,
aff4_type="ClientIndex",
mode="rw",
token=token)
client_objs = aff4.FACTORY.MultiOpen(args.client_ids,
aff4_type="VFSGRRClient",
mode="rw",
token=token)
for client_obj in client_objs:
client_obj.AddLabels(*args.labels)
index.AddClient(client_obj)
client_obj.Close()
audit_events.append(
rdfvalue.AuditEvent(
user=token.username,
action="CLIENT_ADD_LABEL",
flow_name="renderer.ApiClientsAddLabelsRenderer",
client=client_obj.urn,
description=audit_description))
return dict(status="OK")
finally:
flow.Events.PublishMultipleEvents({"Audit": audit_events},
token=token)
def StartHunt(cls, args=None, runner_args=None, **kwargs):
"""This class method creates new hunts."""
# Build the runner args from the keywords.
if runner_args is None:
runner_args = HuntRunnerArgs()
cls.FilterArgsFromSemanticProtobuf(runner_args, kwargs)
# Is the required flow a known flow?
if (runner_args.hunt_name not in cls.classes and not aff4.issubclass(
cls.classes[runner_args.hunt_name], GRRHunt)):
raise RuntimeError("Unable to locate hunt %s" %
runner_args.hunt_name)
# Make a new hunt object and initialize its runner.
hunt_obj = aff4.FACTORY.Create(None,
runner_args.hunt_name,
mode="w",
token=runner_args.token)
# Hunt is called using keyword args. We construct an args proto from the
# kwargs..
if hunt_obj.args_type and args is None:
args = hunt_obj.args_type()
cls.FilterArgsFromSemanticProtobuf(args, kwargs)
if hunt_obj.args_type and not isinstance(args, hunt_obj.args_type):
raise RuntimeError("Hunt args must be instance of %s" %
hunt_obj.args_type)
if kwargs:
raise type_info.UnknownArg("Unknown parameters to StartHunt: %s" %
kwargs)
# Store the hunt args in the state.
hunt_obj.state.Register("args", args)
# Hunts are always created in the paused state. The runner method Start
# should be called to start them.
hunt_obj.Set(hunt_obj.Schema.STATE("PAUSED"))
runner = hunt_obj.CreateRunner(runner_args=runner_args)
# Allow the hunt to do its own initialization.
runner.RunStateMethod("Start")
hunt_obj.Flush()
try:
flow_name = args.flow_runner_args.flow_name
except AttributeError:
flow_name = ""
event = rdfvalue.AuditEvent(user=runner_args.token.username,
action="HUNT_CREATED",
urn=hunt_obj.urn,
flow_name=flow_name,
description=runner_args.description)
flow.Events.PublishEvent("Audit", event, token=runner_args.token)
return hunt_obj
def Start(self):
"""Find a hunt, perform a permissions check and modify it."""
with aff4.FACTORY.Open(
self.args.hunt_urn, aff4_type="GRRHunt",
mode="rw", token=self.token) as hunt:
runner = hunt.GetRunner()
data_store.DB.security_manager.CheckHuntAccess(
self.token.RealUID(), hunt.urn)
# Make sure the hunt is not running:
if runner.IsHuntStarted():
raise RuntimeError("Unable to modify a running hunt. Pause it first.")
# Record changes in the audit event
changes = []
if runner.context.expires != self.args.expiry_time:
changes.append("Expires: Old=%s, New=%s" % (runner.context.expires,
self.args.expiry_time))
if runner.args.client_limit != self.args.client_limit:
changes.append("Client Limit: Old=%s, New=%s" % (
runner.args.client_limit, self.args.client_limit))
description = ", ".join(changes)
event = rdfvalue.AuditEvent(user=self.token.username,
action="HUNT_MODIFIED",
urn=self.args.hunt_urn,
description=description)
flow.Events.PublishEvent("Audit", event, token=self.token)
# Just go ahead and change the hunt now.
runner.context.expires = self.args.expiry_time
runner.args.client_limit = self.args.client_limit
def Render(self, args, token=None):
audit_description = ",".join([
token.username + u"." + utils.SmartUnicode(name)
for name in args.labels
])
audit_events = []
try:
index = aff4.FACTORY.Create(client_index.MAIN_INDEX,
aff4_type="ClientIndex",
mode="rw",
token=token)
client_objs = aff4.FACTORY.MultiOpen(args.client_ids,
aff4_type="VFSGRRClient",
mode="rw",
token=token)
for client_obj in client_objs:
self.RemoveClientLabels(client_obj, args.labels)
# TODO(user): AddClient doesn't remove labels. Make sure removed labels
# are actually removed from the index.
index.AddClient(client_obj)
client_obj.Close()
audit_events.append(
rdfvalue.AuditEvent(
user=token.username,
action="CLIENT_REMOVE_LABEL",
flow_name="renderer.ApiClientsRemoveLabelsRenderer",
client=client_obj.urn,
description=audit_description))
finally:
flow.Events.PublishMultipleEvents({"Audit": audit_events},
token=token)
return dict(status="OK")
def SimulateUserActivity(username, client_id, timestamp, num=10):
for flow_name in flows[:num]:
event = rdfvalue.AuditEvent(user=username, action="RUN_FLOW",
flow=flow_name, client=client_id,
age=timestamp)
flow.Events.PublishEvent("Audit", event, token=token)
def Start(self):
audit_description = ",".join([
self.token.username + u"." + utils.SmartUnicode(name)
for name in self.args.labels
])
audit_events = []
try:
index = aff4.FACTORY.Create(client_index.MAIN_INDEX,
aff4_type="ClientIndex",
mode="rw",
token=self.token)
client_objs = aff4.FACTORY.MultiOpen(self.args.clients,
aff4_type="VFSGRRClient",
mode="rw",
token=self.token)
for client_obj in client_objs:
client_obj.AddLabels(*self.args.labels)
index.AddClient(client_obj)
client_obj.Close()
audit_events.append(
rdfvalue.AuditEvent(user=self.token.username,
action="CLIENT_ADD_LABEL",
flow_name="ApplyLabelsToClientsFlow",
client=client_obj.urn,
description=audit_description))
finally:
flow.Events.PublishMultipleEvents({"Audit": audit_events},
token=self.token)
def BuildApprovalUrn(self):
"""Builds approval object urn."""
event = rdfvalue.AuditEvent(user=self.token.username,
action="CLIENT_APPROVAL_REQUEST",
client=self.client_id,
description=self.args.reason)
flow.Events.PublishEvent("Audit", event, token=self.token)
return self.ApprovalUrnBuilder(self.client_id.Path(),
self.token.username, self.args.reason)
def _CreateAuditEvent(self, event_action):
try:
flow_name = self.flow_obj.args.flow_runner_args.flow_name
except AttributeError:
flow_name = ""
event = rdfvalue.AuditEvent(user=self.flow_obj.token.username,
action=event_action,
urn=self.flow_obj.urn,
flow_name=flow_name,
description=self.args.description)
flow.Events.PublishEvent("Audit", event, token=self.flow_obj.token)
def BuildApprovalUrn(self):
"""Builds approval object URN."""
# In this case subject_urn is hunt's URN.
flow.Events.PublishEvent("Audit",
rdfvalue.AuditEvent(
user=self.token.username,
action="CRON_APPROVAL_GRANT",
urn=self.args.subject_urn,
description=self.args.reason),
token=self.token)
return self.ApprovalUrnBuilder(self.args.subject_urn.Path(),
self.args.delegate, self.args.reason)
