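def testModificationTimeCondition(self):
  """Checks MODIFICATION_TIME filtering with an upper and then a lower bound.

  ``os.lstat`` is stubbed with ``MyStat`` for the whole run so the fixture
  files created by ``_PrepareTimestampedFiles`` report the timestamps the
  fixture assigns rather than whatever the real filesystem would return.
  """
  with utils.Stubber(os, "lstat", MyStat):
    test_dir = self._PrepareTimestampedFiles()
    # The fixture holds two "old" files, dpkg*, and one "new" one, auth.log:
    # an upper bound on the modification time keeps only the dpkg files and
    # drops auth.log.
    paths = [test_dir + "/{dpkg.log,dpkg_false.log,auth.log}"]
    change_time = rdfvalue.RDFDatetime.FromHumanReadable("2020-01-01")

    at_most_cutoff = rdf_file_finder.FileFinderCondition(
        condition_type="MODIFICATION_TIME",
        modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
            max_last_modified_time=change_time))
    self.RunAndCheck(
        paths,
        conditions=[at_most_cutoff],
        expected=["dpkg.log", "dpkg_false.log"],
        unexpected=["auth.log"],
        base_path=test_dir)

    # Flipping to a lower bound selects only the file modified after the
    # cutoff, i.e. just the file from 2022 (auth.log).
    at_least_cutoff = rdf_file_finder.FileFinderCondition(
        condition_type="MODIFICATION_TIME",
        modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=change_time))
    self.RunAndCheck(
        paths,
        conditions=[at_least_cutoff],
        expected=["auth.log"],
        unexpected=["dpkg.log", "dpkg_false.log"],
        base_path=test_dir)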
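def testFindsKeyWithLiteralAndModificationTimeConditions(self):
  """Checks that a time window AND a value literal match are both applied.

  The time window alone admits more than one key under ``self.runkey`` (the
  sibling time-only test expects Sidebar and MctAdmin); adding the literal
  match on the value must narrow the result to the single Sidebar key.
  """
  client_id = test_lib.TEST_CLIENT_ID

  # A two-second window around the fixture's timestamp for the Run keys.
  modification_time = rdf_file_finder.FileFinderModificationTimeCondition(
      min_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
          1247546054 - 1),
      max_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
          1247546054 + 1))
  # Literal that only the Sidebar value carries; a few bytes of context on
  # either side are requested so the match payload is non-trivial.
  vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
      bytes_before=10, bytes_after=10, literal="Windows Sidebar\\Sidebar.exe")

  session_id = self.RunFlow(
      [self.runkey], [
          registry.RegistryFinderCondition(
              condition_type=registry.RegistryFinderCondition.Type.
              MODIFICATION_TIME,
              modification_time=modification_time),
          registry.RegistryFinderCondition(
              condition_type=registry.RegistryFinderCondition.Type.
              VALUE_LITERAL_MATCH,
              value_literal_match=vlm)
      ],
      client_id=client_id)

  results = self.GetResults(session_id)
  # Only the Sidebar key satisfies both conditions (see
  # test_data/client_fixture.py); MctAdmin is inside the time window but
  # does not carry the literal.
  self.assertEqual(len(results), 1)
  self.assertEqual(
      results[0].stat_entry.AFF4Path(client_id),
      "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
      "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")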
def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
  """Checks that a time window no fixture key falls into yields no results.

  The window [0s, 1s] since the epoch predates every timestamp in the
  registry fixture, so the MODIFICATION_TIME condition must reject all keys
  under ``self.runkey``.
  """
  epoch = rdfvalue.RDFDatetime.FromSecondsSinceEpoch
  empty_window = rdf_file_finder.FileFinderModificationTimeCondition(
      min_last_modified_time=epoch(0), max_last_modified_time=epoch(1))

  time_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
      modification_time=empty_window)
  session_id = self.RunFlow([self.runkey], [time_condition])

  self.AssertNoResults(session_id)
def testModificationTimeConditionWithDifferentActions(self):
  """Checks a lower-bound MODIFICATION_TIME condition under every action.

  The same condition is run once per entry of ``self.CONDITION_TESTS_ACTIONS``
  so that the filtering outcome does not depend on which action (stat, hash,
  download, ...) the flow performs on the matched files.
  """
  # dpkg* are expected to pass the lower bound; auth.log must be filtered.
  wanted = ["dpkg.log", "dpkg_false.log"]
  unwanted = ["auth.log"]

  cutoff = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)
  min_mtime = rdf_file_finder.FileFinderModificationTimeCondition(
      min_last_modified_time=cutoff)
  condition_type = rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME
  newer_than_cutoff = rdf_file_finder.FileFinderCondition(
      condition_type=condition_type, modification_time=min_mtime)

  for action in self.CONDITION_TESTS_ACTIONS:
    self.RunFlowAndCheckResults(
        action=action,
        conditions=[newer_than_cutoff],
        expected_files=wanted,
        non_expected_files=unwanted)
def testFindsKeysIfModificationTimeConditionMatches(self):
  """Checks that a time window around the fixture timestamp finds both keys.

  Both Run keys in the registry fixture share the same modification time, so
  a two-second window around it must return exactly Sidebar and MctAdmin.
  """
  epoch = rdfvalue.RDFDatetime.FromSecondsSinceEpoch
  fixture_ts = 1247546054
  window = rdf_file_finder.FileFinderModificationTimeCondition(
      min_last_modified_time=epoch(fixture_ts - 1),
      max_last_modified_time=epoch(fixture_ts + 1))

  time_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
      modification_time=window)
  session_id = self.RunFlow([self.runkey], [time_condition])

  results = self.GetResults(session_id)
  # We expect Sidebar and MctAdmin keys here (see
  # test_data/client_fixture.py); order is not significant.
  self.assertEqual(len(results), 2)
  found = []
  for result in results:
    found.append(os.path.basename(result.stat_entry.pathspec.path))
  self.assertItemsEqual(found, ["Sidebar", "MctAdmin"])