class DynamicTypeTest(structs.RDFProtoStruct):
"""A protobuf with dynamic types."""
type_description = type_info.TypeDescriptorSet(
type_info.ProtoString(
name="type",
field_number=1,
# By default return the TestStruct proto.
default="TestStruct",
description="A string value"),
type_info.ProtoDynamicEmbedded(
name="dynamic",
# The callback here returns the type specified by the type member.
dynamic_cb=lambda x: structs.RDFProtoStruct.classes.get(x.type),
field_number=2,
description="A dynamic value based on another field."),
type_info.ProtoEmbedded(name="nested",
field_number=3,
nested=rdfvalue.User))
class LateBindingTest(structs.RDFProtoStruct):
type_description = type_info.TypeDescriptorSet(
# A nested protobuf referring to an undefined type.
type_info.ProtoNested(name="nested",
field_number=1,
nested="UndefinedYet"),
type_info.ProtoRDFValue(name="rdfvalue",
field_number=6,
rdf_type="UndefinedRDFValue",
description="An undefined RDFValue field."),
# A repeated late bound field.
type_info.ProtoList(
type_info.ProtoRDFValue(name="repeated",
field_number=7,
rdf_type="UndefinedRDFValue2",
description="An undefined RDFValue field.")
),
)
def __init__(self):
"""Initialize the configuration manager."""
# The context is used to provide different configuration directives in
# different situations. The context can contain any string describing a
# different aspect of the running instance.
self.context = []
self.raw_data = OrderedYamlDict()
self.validated = set()
self.writeback = None
self.writeback_data = OrderedYamlDict()
self.global_override = dict()
self.context_descriptions = {}
# This is the type info set describing all configuration
# parameters.
self.type_infos = type_info.TypeDescriptorSet()
# We store the defaults here.
self.defaults = {}
# A cache of validated and interpolated results.
self.FlushCache()
class TestStruct(structs.RDFProtoStruct):
"""A test struct object."""
type_description = type_info.TypeDescriptorSet(
structs.ProtoString(
name="foobar",
field_number=1,
default="string",
description="A string value",
labels=[structs.SemanticDescriptor.Labels.HIDDEN]),
structs.ProtoUnsignedInteger(
name="int", field_number=2, default=5,
description="An integer value"),
structs.ProtoList(
structs.ProtoString(
name="repeated",
field_number=3,
description="A repeated string value")),
# We can serialize an arbitrary RDFValue. This will be serialized into a
# binary string and parsed on demand.
structs.ProtoRDFValue(
name="urn",
field_number=6,
default=rdfvalue.RDFURN("www.google.com"),
rdf_type="RDFURN",
description="An arbitrary RDFValue field."),
structs.ProtoEnum(
name="type",
field_number=7,
enum_name="Type",
enum=dict(FIRST=1, SECOND=2, THIRD=3),
default=3,
description="An enum field"),
structs.ProtoFloat(
name="float",
field_number=8,
description="A float number",
default=1.1),)
class UnionTest(structs.RDFProtoStruct):
union_field = "struct_flavor"
type_description = type_info.TypeDescriptorSet(
type_info.ProtoEnum(name="struct_flavor",
field_number=1,
enum_name="Type",
enum=dict(FIRST=1, SECOND=2, THIRD=3),
default=3,
description="An union enum field"),
type_info.ProtoFloat(name="first",
field_number=2,
description="A float number",
default=1.1),
type_info.ProtoString(name="second",
field_number=3,
default="string",
description="A string value"),
type_info.ProtoUnsignedInteger(name="third",
field_number=4,
default=5,
description="An integer value"),
)
class PartialTest1(structs.RDFProtoStruct):
"""This is a protobuf with fewer fields than TestStruct."""
type_description = type_info.TypeDescriptorSet(
type_info.ProtoUnsignedInteger(name="int", field_number=2),
)
class UndefinedYet(structs.RDFProtoStruct):
type_description = type_info.TypeDescriptorSet(
type_info.ProtoString(name="foobar", field_number=1,
description="A string value"),
)
class WinSystemActivityInvestigation(flow.GRRFlow):
"""Do the initial work for a system investigation.
This encapsulates the different platform specific modules.
"""
category = "/Automation/"
flow_typeinfo = type_info.TypeDescriptorSet(
type_info.Bool(
name="list_processes",
description="Call the ListProcesses flow.",
default=True,
),
type_info.Bool(
name="list_network_connections",
description="Call the Netstat flow.",
default=True,
),
type_info.MultiSelectList(
name="artifact_list",
description="A list of Artifact names.",
default=[
"ApplicationEventLog", "SystemEventLog", "SecurityEventLog",
"TerminalServicesEventLogEvtx", "ApplicationEventLogEvtx",
"SystemEventLogEvtx", "SecurityEventLogEvtx"
],
),
type_info.Bool(
name="collect_av_data",
description="Call the Antivirus flows to collect quarantine/logs.",
default=True,
),
type_info.Bool(
name="collect_prefetch",
description="List the prefetch directory.",
default=True,
),
type_info.Bool(
name="list_common_dirs",
description="List common system directories.",
default=True,
),
type_info.Bool(name="use_tsk",
description="Use raw filesystem access where possible.",
default=True),
type_info.Bool(
name="timeline_collected_data",
description="Once complete create a timeline for the host.",
default=True),
)
common_dirs = [
"c:\\", "c:\\users", "c:\\windows", "c:\\windows\\system32\\drivers",
"c:\\windows\\logs", "c:\\program files"
]
@flow.StateHandler(next_state="FinishFlow")
def Start(self):
"""Start."""
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
self.system = str(self.client.Get(self.client.Schema.SYSTEM))
self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION))
self.os_major_version = self.os_version.split(".")[0]
if self.use_tsk:
self.path_type = rdfvalue.PathSpec.PathType.TSK
else:
self.path_type = rdfvalue.PathSpec.PathType.OS
if self.collect_av_data:
self.CallFlow("SophosCollector",
pathtype=self.path_type,
next_state="FinishFlow")
if self.list_processes:
self.CallFlow("ListProcesses", next_state="FinishFlow")
if self.list_network_connections:
self.CallFlow("Netstat", next_state="FinishFlow")
# Execution events.
if self.collect_prefetch:
self.CallFlow("ListDirectory",
path=r"C:\Windows\Prefetch",
pathtype=self.path_type,
next_state="FinishFlow")
if self.list_common_dirs:
for common_dir in self.common_dirs:
self.CallFlow("ListDirectory",
path=common_dir,
pathtype=self.path_type,
next_state="FinishFlow")
if self.artifact_list:
self.CallFlow("ArtifactCollectorFlow",
artifact_list=list(self.artifact_list),
use_tsk=self.use_tsk,
next_state="FinishFlow")
@flow.StateHandler()
def FinishFlow(self, responses):
"""Complete anything we need to do for each flow finishing."""
flow_name = self.__class__.__name__
if responses.success:
self.Log("Flow %s completed successfully", flow_name)
else:
self.Log("Flow %s failed to complete", flow_name)
# If no more flows, we're done and we can run the timeline.
if self.OutstandingRequests(
) == 1: # We're processing last request now.
if self.timeline_collected_data:
self.CallFlow("MACTimes", path="/", next_state="End")
class LinSystemActivityInvestigation(flow.GRRFlow):
"""Do the initial work for a Linux system investigation.
This encapsulates the different platform specific modules.
"""
category = "/Automation/"
flow_typeinfo = type_info.TypeDescriptorSet(
type_info.Bool(
name="list_processes",
description="Call the ListProcesses flow.",
default=True,
),
type_info.Bool(
name="list_network_connections",
description="Call the Netstat flow.",
default=True,
),
type_info.MultiSelectList(
name="artifact_list",
description="A list of Artifact names.",
default=["AuthLog", "LinuxWtmp"],
),
type_info.Bool(name="use_tsk",
description="Use raw filesystem access where possible.",
default=True),
type_info.Bool(
name="timeline_collected_data",
description="Once complete create a timeline for the host.",
default=True),
)
@flow.StateHandler(next_state="FinishFlow")
def Start(self):
"""Start."""
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
self.system = str(self.client.Get(self.client.Schema.SYSTEM))
self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION))
self.os_major_version = self.os_version.split(".")[0]
if self.use_tsk:
self.path_type = rdfvalue.PathSpec.PathType.TSK
else:
self.path_type = rdfvalue.PathSpec.PathType.OS
if self.list_processes:
self.CallFlow("ListProcesses", next_state="FinishFlow")
if self.list_network_connections:
self.CallFlow("Netstat", next_state="FinishFlow")
if self.artifact_list:
self.CallFlow("ArtifactCollectorFlow",
artifact_list=self.artifact_list,
use_tsk=self.use_tsk,
next_state="FinishFlow")
@flow.StateHandler()
def FinishFlow(self, responses):
"""Complete anything we need to do for each flow finishing."""
flow_name = self.__class__.__name__
if responses.success:
self.Log("Flow %s completed successfully", flow_name)
else:
self.Log("Flow %s failed to complete", flow_name)
# If no more flows, we're done and we can run the timeline.
if self.OutstandingRequests(
) == 1: # We're processing last request now.
if self.timeline_collected_data:
self.CallFlow("MACTimes", path="/", next_state="End")
class TestEmbeddedStruct(rdf_structs.RDFProtoStruct):
"""Custom struct for testing schema generation."""
type_description = type_info.TypeDescriptorSet(
rdf_structs.ProtoString(name="e_string_field", field_number=1),
rdf_structs.ProtoDouble(name="e_double_field", field_number=2))
