class DynamicTypeTest(structs.RDFProtoStruct): """A protobuf with dynamic types.""" type_description = type_info.TypeDescriptorSet( type_info.ProtoString( name="type", field_number=1, # By default return the TestStruct proto. default="TestStruct", description="A string value"), type_info.ProtoDynamicEmbedded( name="dynamic", # The callback here returns the type specified by the type member. dynamic_cb=lambda x: structs.RDFProtoStruct.classes.get(x.type), field_number=2, description="A dynamic value based on another field."), type_info.ProtoEmbedded(name="nested", field_number=3, nested=rdfvalue.User))
class LateBindingTest(structs.RDFProtoStruct): type_description = type_info.TypeDescriptorSet( # A nested protobuf referring to an undefined type. type_info.ProtoNested(name="nested", field_number=1, nested="UndefinedYet"), type_info.ProtoRDFValue(name="rdfvalue", field_number=6, rdf_type="UndefinedRDFValue", description="An undefined RDFValue field."), # A repeated late bound field. type_info.ProtoList( type_info.ProtoRDFValue(name="repeated", field_number=7, rdf_type="UndefinedRDFValue2", description="An undefined RDFValue field.") ), )
def __init__(self): """Initialize the configuration manager.""" # The context is used to provide different configuration directives in # different situations. The context can contain any string describing a # different aspect of the running instance. self.context = [] self.raw_data = OrderedYamlDict() self.validated = set() self.writeback = None self.writeback_data = OrderedYamlDict() self.global_override = dict() self.context_descriptions = {} # This is the type info set describing all configuration # parameters. self.type_infos = type_info.TypeDescriptorSet() # We store the defaults here. self.defaults = {} # A cache of validated and interpolated results. self.FlushCache()
class TestStruct(structs.RDFProtoStruct): """A test struct object.""" type_description = type_info.TypeDescriptorSet( structs.ProtoString( name="foobar", field_number=1, default="string", description="A string value", labels=[structs.SemanticDescriptor.Labels.HIDDEN]), structs.ProtoUnsignedInteger( name="int", field_number=2, default=5, description="An integer value"), structs.ProtoList( structs.ProtoString( name="repeated", field_number=3, description="A repeated string value")), # We can serialize an arbitrary RDFValue. This will be serialized into a # binary string and parsed on demand. structs.ProtoRDFValue( name="urn", field_number=6, default=rdfvalue.RDFURN("www.google.com"), rdf_type="RDFURN", description="An arbitrary RDFValue field."), structs.ProtoEnum( name="type", field_number=7, enum_name="Type", enum=dict(FIRST=1, SECOND=2, THIRD=3), default=3, description="An enum field"), structs.ProtoFloat( name="float", field_number=8, description="A float number", default=1.1),)
class UnionTest(structs.RDFProtoStruct): union_field = "struct_flavor" type_description = type_info.TypeDescriptorSet( type_info.ProtoEnum(name="struct_flavor", field_number=1, enum_name="Type", enum=dict(FIRST=1, SECOND=2, THIRD=3), default=3, description="An union enum field"), type_info.ProtoFloat(name="first", field_number=2, description="A float number", default=1.1), type_info.ProtoString(name="second", field_number=3, default="string", description="A string value"), type_info.ProtoUnsignedInteger(name="third", field_number=4, default=5, description="An integer value"), )
class PartialTest1(structs.RDFProtoStruct): """This is a protobuf with fewer fields than TestStruct.""" type_description = type_info.TypeDescriptorSet( type_info.ProtoUnsignedInteger(name="int", field_number=2), )
class UndefinedYet(structs.RDFProtoStruct): type_description = type_info.TypeDescriptorSet( type_info.ProtoString(name="foobar", field_number=1, description="A string value"), )
class WinSystemActivityInvestigation(flow.GRRFlow): """Do the initial work for a system investigation. This encapsulates the different platform specific modules. """ category = "/Automation/" flow_typeinfo = type_info.TypeDescriptorSet( type_info.Bool( name="list_processes", description="Call the ListProcesses flow.", default=True, ), type_info.Bool( name="list_network_connections", description="Call the Netstat flow.", default=True, ), type_info.MultiSelectList( name="artifact_list", description="A list of Artifact names.", default=[ "ApplicationEventLog", "SystemEventLog", "SecurityEventLog", "TerminalServicesEventLogEvtx", "ApplicationEventLogEvtx", "SystemEventLogEvtx", "SecurityEventLogEvtx" ], ), type_info.Bool( name="collect_av_data", description="Call the Antivirus flows to collect quarantine/logs.", default=True, ), type_info.Bool( name="collect_prefetch", description="List the prefetch directory.", default=True, ), type_info.Bool( name="list_common_dirs", description="List common system directories.", default=True, ), type_info.Bool(name="use_tsk", description="Use raw filesystem access where possible.", default=True), type_info.Bool( name="timeline_collected_data", description="Once complete create a timeline for the host.", default=True), ) common_dirs = [ "c:\\", "c:\\users", "c:\\windows", "c:\\windows\\system32\\drivers", "c:\\windows\\logs", "c:\\program files" ] @flow.StateHandler(next_state="FinishFlow") def Start(self): """Start.""" self.client = aff4.FACTORY.Open(self.client_id, token=self.token) self.system = str(self.client.Get(self.client.Schema.SYSTEM)) self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION)) self.os_major_version = self.os_version.split(".")[0] if self.use_tsk: self.path_type = rdfvalue.PathSpec.PathType.TSK else: self.path_type = rdfvalue.PathSpec.PathType.OS if self.collect_av_data: self.CallFlow("SophosCollector", pathtype=self.path_type, next_state="FinishFlow") if self.list_processes: self.CallFlow("ListProcesses", next_state="FinishFlow") if self.list_network_connections: self.CallFlow("Netstat", next_state="FinishFlow") # Execution events. if self.collect_prefetch: self.CallFlow("ListDirectory", path=r"C:\Windows\Prefetch", pathtype=self.path_type, next_state="FinishFlow") if self.list_common_dirs: for common_dir in self.common_dirs: self.CallFlow("ListDirectory", path=common_dir, pathtype=self.path_type, next_state="FinishFlow") if self.artifact_list: self.CallFlow("ArtifactCollectorFlow", artifact_list=list(self.artifact_list), use_tsk=self.use_tsk, next_state="FinishFlow") @flow.StateHandler() def FinishFlow(self, responses): """Complete anything we need to do for each flow finishing.""" flow_name = self.__class__.__name__ if responses.success: self.Log("Flow %s completed successfully", flow_name) else: self.Log("Flow %s failed to complete", flow_name) # If no more flows, we're done and we can run the timeline. if self.OutstandingRequests( ) == 1: # We're processing last request now. if self.timeline_collected_data: self.CallFlow("MACTimes", path="/", next_state="End")
class LinSystemActivityInvestigation(flow.GRRFlow): """Do the initial work for a Linux system investigation. This encapsulates the different platform specific modules. """ category = "/Automation/" flow_typeinfo = type_info.TypeDescriptorSet( type_info.Bool( name="list_processes", description="Call the ListProcesses flow.", default=True, ), type_info.Bool( name="list_network_connections", description="Call the Netstat flow.", default=True, ), type_info.MultiSelectList( name="artifact_list", description="A list of Artifact names.", default=["AuthLog", "LinuxWtmp"], ), type_info.Bool(name="use_tsk", description="Use raw filesystem access where possible.", default=True), type_info.Bool( name="timeline_collected_data", description="Once complete create a timeline for the host.", default=True), ) @flow.StateHandler(next_state="FinishFlow") def Start(self): """Start.""" self.client = aff4.FACTORY.Open(self.client_id, token=self.token) self.system = str(self.client.Get(self.client.Schema.SYSTEM)) self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION)) self.os_major_version = self.os_version.split(".")[0] if self.use_tsk: self.path_type = rdfvalue.PathSpec.PathType.TSK else: self.path_type = rdfvalue.PathSpec.PathType.OS if self.list_processes: self.CallFlow("ListProcesses", next_state="FinishFlow") if self.list_network_connections: self.CallFlow("Netstat", next_state="FinishFlow") if self.artifact_list: self.CallFlow("ArtifactCollectorFlow", artifact_list=self.artifact_list, use_tsk=self.use_tsk, next_state="FinishFlow") @flow.StateHandler() def FinishFlow(self, responses): """Complete anything we need to do for each flow finishing.""" flow_name = self.__class__.__name__ if responses.success: self.Log("Flow %s completed successfully", flow_name) else: self.Log("Flow %s failed to complete", flow_name) # If no more flows, we're done and we can run the timeline. if self.OutstandingRequests( ) == 1: # We're processing last request now. if self.timeline_collected_data: self.CallFlow("MACTimes", path="/", next_state="End")
class TestEmbeddedStruct(rdf_structs.RDFProtoStruct): """Custom struct for testing schema generation.""" type_description = type_info.TypeDescriptorSet( rdf_structs.ProtoString(name="e_string_field", field_number=1), rdf_structs.ProtoDouble(name="e_double_field", field_number=2))