def setUpTestData(cls):
# probe 1, users
cls.query_1 = "select * from users"
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery distributed query 1",
status=ProbeSource.ACTIVE,
body={"distributed_query": cls.query_1},
)
cls.probe_1 = cls.probe_source_1.load()
cls.query_1_key = "q_{}".format(cls.probe_1.pk)
# probe 2, processes
cls.query_2 = "select * from processes"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery distributed query 2",
status=ProbeSource.ACTIVE,
body={"distributed_query": cls.query_2},
)
cls.probe_2 = cls.probe_source_2.load()
cls.query_2_key = "q_{}".format(cls.probe_2.pk)
# probe windows, system_info
cls.query_windows = "select * from system_info"
cls.probe_source_windows = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery probe windows",
status=ProbeSource.ACTIVE,
body={"filters": {"inventory": [{"platforms": ["WINDOWS"]}]}, "distributed_query": cls.query_windows},
)
cls.probe_windows = cls.probe_source_windows.load()
cls.query_windows_key = "q_{}".format(cls.probe_windows.pk)
# clear
all_probes.clear()
def test_distributed_read_one_query_plus_default_inventory_query(self):
_, node_key = self.enroll_machine()
# one distributed query probe
dq = "select * from users;"
probe_source = ProbeSource.objects.create(
name="Shellac",
status=ProbeSource.ACTIVE,
model="OsqueryDistributedQueryProbe",
body={"distributed_query": dq})
dq_name = "dq_{}".format(probe_source.pk)
# simulate an all_probes sync
all_probes.clear()
# distributed read
response = self.post_as_json("distributed_read",
{"node_key": node_key})
self.assertEqual(response.status_code, 200)
self.assertEqual(response["Content-Type"], "application/json")
json_response = response.json()
query_names = [
"{}{}".format(INVENTORY_DISTRIBUTED_QUERY_PREFIX, t)
for t in ("os_version", "system_info", "uptime",
"network_interface")
]
query_names.append(dq_name)
self.assertCountEqual(json_response["queries"], query_names)
self.assertEqual(json_response["queries"][dq_name], dq)
# post default inventory snapshot.
self.post_default_inventory_query_snapshot(node_key)
# 2nd distributed read still has the inventory query
# but with the apps and azure ad info queries, now that we know
# what kind of machine it is
response = self.post_as_json("distributed_read",
{"node_key": node_key})
self.assertEqual(response.status_code, 200)
self.assertEqual(response["Content-Type"], "application/json")
json_response = response.json()
query_names = [
"{}{}".format(INVENTORY_DISTRIBUTED_QUERY_PREFIX, t)
for t in ("os_version", "system_info", "uptime",
"network_interface", "apps", "azure_ad_user_info",
"azure_ad_certificate")
]
self.assertCountEqual(json_response["queries"], query_names)
# post default inventory snapshot with one app, and the azure ad info
self.post_default_inventory_query_snapshot(node_key,
with_app=True,
with_azure_ad=True)
# 3rd distributed read empty (2 snapshots done and no other distributed queries available)
response = self.post_as_json("distributed_read",
{"node_key": node_key})
self.assertEqual(response.status_code, 200)
self.assertEqual(response["Content-Type"], "application/json")
json_response = response.json()
self.assertEqual(json_response, {"queries": {}})
def setUpTestData(cls):
# schedule
# probe 1, all machines, schedule
cls.query_1 = {"query": "select * from processes", "interval": 123}
cls.query_1_key = "osquery-probe-1_00adca42"
cls.query_1_result_name = cls.query_1_key
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe 1",
status=ProbeSource.ACTIVE,
body={"queries": [cls.query_1]})
cls.probe_1 = cls.probe_source_1.load()
# query pack
cls.query_pack_discovery = [
"select pid from processes where name = 'foobar';",
"select count(*) from users where username like 'www%';"
]
cls.query_pack_key = "05f720ae"
# probe 2, all machines, query pack
cls.query_2 = {"query": "select * from users"}
cls.query_2_key = "osquery-probe-2_19206bc4"
cls.query_2_result_name = "pack_05f720ae_osquery-probe-2_19206bc4"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe 2",
status=ProbeSource.ACTIVE,
body={
"queries": [cls.query_2],
"discovery": cls.query_pack_discovery
})
cls.probe_2 = cls.probe_source_2.load()
# probe windows, windows machines, query pack
cls.query_windows = {"query": "select * from users"}
cls.query_windows_key = "osquery-probe-windows_19206bc4"
cls.query_windows_result_name = "pack_05f720ae_osquery-probe-windows_19206bc4"
cls.probe_source_windows = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe windows",
status=ProbeSource.ACTIVE,
body={
"filters": {
"inventory": [{
"platforms": ["WINDOWS"]
}]
},
"queries": [cls.query_windows],
"discovery": cls.query_pack_discovery[::-1]
} # reversed !
)
cls.probe_windows = cls.probe_source_windows.load()
all_probes.clear()
def setUpTestData(cls):
# probe 1
cls.query_1_filepath = "/Users/%/.ssh/%%"
cls.query_1_filepath_hash = "edef96bc"
cls.query_1_key = "osquery-fim-probe-1_c71292f6"
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe 1",
status=ProbeSource.ACTIVE,
body={"file_paths": [{
"file_path": cls.query_1_filepath
}]})
cls.probe_1 = cls.probe_source_1.load()
# probe 2
cls.query_2_filepath = "/home/%/.ssh/%%"
cls.query_2_filepath_hash = "6ca0f872"
cls.query_2_key = "osquery-fim-probe-2_1c6e39ad"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe 2",
status=ProbeSource.ACTIVE,
body={
"file_paths": [{
"file_path": cls.query_2_filepath,
"file_access": True
}]
})
cls.probe_2 = cls.probe_source_2.load()
# probe mbu
cls.query_mbu_filepath = "/root/.ssh/%%"
cls.query_mbu_filepath_hash = "35c934e0"
cls.query_mbu_key = "osquery-fim-probe-mbu_cc871b0b"
cls.probe_source_mbu = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe mbu",
status=ProbeSource.ACTIVE,
body={
"filters": {
"inventory": [{
"meta_business_unit_ids": [1]
}]
},
"file_paths": [{
"file_path": cls.query_mbu_filepath,
"file_access": False
}]
})
cls.probe_mbu = cls.probe_source_mbu.load()
# clear
all_probes.clear()
def setUpTestData(cls):
cls.binary_sha256 = ("b7839029302930293029392039203920"
"39203920392039203920392023232323")
cls.certificate_sha256 = ("c7839029302930293029392039203920"
"39203920392039203920392023232323")
# blacklist
cls.blacklist_rules = [{"policy": "BLACKLIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256},
{"policy": "BLACKLIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256}]
cls.probe_source_blacklist = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe blacklist",
status=ProbeSource.ACTIVE,
body={"rules": cls.blacklist_rules}
)
cls.probe_blacklist = cls.probe_source_blacklist.load()
# whitelist
cls.whitelist_rules = [{"policy": "WHITELIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256},
{"policy": "WHITELIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256}]
cls.probe_source_whitelist = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe whitelist",
status=ProbeSource.ACTIVE,
body={"rules": cls.whitelist_rules}
)
cls.probe_whitelist = cls.probe_source_whitelist.load()
# tablet
cls.tablet_rules = [{"policy": "BLACKLIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256[::-1]},
{"policy": "BLACKLIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256[::-1]}]
cls.probe_source_tablet = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe machine",
status=ProbeSource.ACTIVE,
body={"filters": {"inventory": [{"types": ["TABLET"]}]},
"rules": cls.tablet_rules}
)
cls.probe_tablet = cls.probe_source_tablet.load()
all_probes.clear()
def setUpTestData(cls):
# schedule
# probe 1, all machines, schedule
cls.query_1 = {"query": "select * from processes",
"interval": 123}
cls.query_1_key = "osquery-probe-1_00adca42"
cls.query_1_result_name = cls.query_1_key
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe 1",
status=ProbeSource.ACTIVE,
body={"queries": [cls.query_1]}
)
cls.probe_1 = cls.probe_source_1.load()
# query pack
cls.query_pack_discovery = [
"select pid from processes where name = 'foobar';",
"select count(*) from users where username like 'www%';"
]
cls.query_pack_key = "05f720ae"
# probe 2, all machines, query pack
cls.query_2 = {"query": "select * from users"}
cls.query_2_key = "osquery-probe-2_19206bc4"
cls.query_2_result_name = "pack_05f720ae_osquery-probe-2_19206bc4"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe 2",
status=ProbeSource.ACTIVE,
body={"queries": [cls.query_2],
"discovery": cls.query_pack_discovery}
)
cls.probe_2 = cls.probe_source_2.load()
# probe windows, windows machines, query pack
cls.query_windows = {"query": "select * from users"}
cls.query_windows_key = "osquery-probe-windows_19206bc4"
cls.query_windows_result_name = "pack_05f720ae_osquery-probe-windows_19206bc4"
cls.probe_source_windows = ProbeSource.objects.create(
model="OsqueryProbe",
name="osquery probe windows",
status=ProbeSource.ACTIVE,
body={"filters": {"inventory": [{"platforms": ["WINDOWS"]}]},
"queries": [cls.query_windows],
"discovery": cls.query_pack_discovery[::-1]} # reversed !
)
cls.probe_windows = cls.probe_source_windows.load()
all_probes.clear()
def test_default_machine_distributed_queries(self):
default_machine = MockMetaMachine([], [],
None,
None,
serial_number="MSN1")
# simulate all_probes sync
all_probes.clear()
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
self.assertEqual(len(queries), 2)
for key, query in ((self.query_1_key, self.query_1), (self.query_2_key,
self.query_2)):
self.assertEqual(queries[key], query)
# simulate all_probes sync
all_probes.clear()
extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
self.assertEqual(extra_queries, {})
def setUpTestData(cls):
cls.probe_source = ProbeSource.objects.create(
model="BaseProbe",
name=get_random_string(),
status=ProbeSource.ACTIVE,
body={
"filters": {
"metadata": [{
"event_types": ["inventory_heartbeat"]
}]
}
})
cls.probe_source_with_incident = ProbeSource.objects.create(
model="BaseProbe",
name=get_random_string(),
status=ProbeSource.ACTIVE,
body={
"filters": {
"metadata": [{
"event_types": ["inventory_heartbeat"]
}]
},
"incident_severity": Severity.CRITICAL.value
},
)
cls.probe_source_for_incident_with_incident = ProbeSource.objects.create(
model="BaseProbe",
name=get_random_string(),
status=ProbeSource.ACTIVE,
body={
"filters": {
"metadata": [{
"event_types": ["incident_created"]
}]
},
"incident_severity": Severity.CRITICAL.value
}, # only for the tests! Not useful at all!
)
cls.probe = cls.probe_source.load()
cls.probe_with_incident = cls.probe_source_with_incident.load()
cls.probe_for_incident_with_incident = cls.probe_source_for_incident_with_incident.load(
)
all_probes.clear()
def test_windows_machine_distributed_queries(self):
windows_machine = MockMetaMachine([], [],
"WINDOWS",
None,
serial_number="MSN2")
# simulate all_probes sync
all_probes.clear()
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
windows_machine)
self.assertEqual(len(queries), 3)
for key, query in ((self.query_1_key, self.query_1), (self.query_2_key,
self.query_2),
(self.query_windows_key, self.query_windows)):
self.assertEqual(queries[key], query)
# simulate all_probes sync
all_probes.clear()
extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
windows_machine)
self.assertEqual(extra_queries, {})
def setUpTestData(cls):
# probe 1
cls.query_1_filepath = "/Users/%/.ssh/%%"
cls.query_1_filepath_hash = "edef96bc"
cls.query_1_key = "osquery-fim-probe-1_c71292f6"
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe 1",
status=ProbeSource.ACTIVE,
body={"file_paths": [{"file_path": cls.query_1_filepath}]},
)
cls.probe_1 = cls.probe_source_1.load()
# probe 2
cls.query_2_filepath = "/home/%/.ssh/%%"
cls.query_2_filepath_hash = "6ca0f872"
cls.query_2_key = "osquery-fim-probe-2_1c6e39ad"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe 2",
status=ProbeSource.ACTIVE,
body={"file_paths": [{"file_path": cls.query_2_filepath, "file_access": True}]},
)
cls.probe_2 = cls.probe_source_2.load()
# probe mbu
cls.query_mbu_filepath = "/root/.ssh/%%"
cls.query_mbu_filepath_hash = "35c934e0"
cls.query_mbu_key = "osquery-fim-probe-mbu_cc871b0b"
cls.probe_source_mbu = ProbeSource.objects.create(
model="OsqueryFIMProbe",
name="osquery fim probe mbu",
status=ProbeSource.ACTIVE,
body={
"filters": {"inventory": [{"meta_business_unit_ids": [1]}]},
"file_paths": [{"file_path": cls.query_mbu_filepath, "file_access": False}],
},
)
cls.probe_mbu = cls.probe_source_mbu.load()
# clear
all_probes.clear()
def setUpTestData(cls):
# probe 1, users
cls.query_1 = "select * from users"
cls.probe_source_1 = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery distributed query 1",
status=ProbeSource.ACTIVE,
body={"distributed_query": cls.query_1})
cls.probe_1 = cls.probe_source_1.load()
cls.query_1_key = "dq_{}".format(cls.probe_1.pk)
# probe 2, processes
cls.query_2 = "select * from processes"
cls.probe_source_2 = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery distributed query 2",
status=ProbeSource.ACTIVE,
body={"distributed_query": cls.query_2})
cls.probe_2 = cls.probe_source_2.load()
cls.query_2_key = "dq_{}".format(cls.probe_2.pk)
# probe windows, system_info
cls.query_windows = "select * from system_info"
cls.probe_source_windows = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="osquery probe windows",
status=ProbeSource.ACTIVE,
body={
"filters": {
"inventory": [{
"platforms": ["WINDOWS"]
}]
},
"distributed_query": cls.query_windows
})
cls.probe_windows = cls.probe_source_windows.load()
cls.query_windows_key = "dq_{}".format(cls.probe_windows.pk)
# clear
all_probes.clear()
def test_default_machine_older_distributed_queries(self):
default_machine = MockMetaMachine([], [],
None,
None,
serial_number="MSN3")
# simulate all_probes sync
all_probes.clear()
# consume all queries
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
self.assertEqual(len(queries), 2)
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
self.assertEqual(len(queries), 0)
# make a query that is one hour too old
probe_source_too_old = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="QUERY TOO OLD",
status=ProbeSource.ACTIVE,
body={"distributed_query": "SELECT 'QUERY TOO OLD';"},
)
# simulate all_probes sync
all_probes.clear()
probe_source_too_old.created_at = timezone.now(
) - MAX_DISTRIBUTED_QUERY_AGE - timedelta(hours=1)
probe_source_too_old.save()
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
# it's not there
self.assertEqual(len(queries), 0)
# make a query that is one hour younger than the limit
probe_source_ok = ProbeSource.objects.create(
model="OsqueryDistributedQueryProbe",
name="QUERY OK",
status=ProbeSource.ACTIVE,
body={"distributed_query": "SELECT 'QUERY OK';"},
)
probe_source_ok.created_at = timezone.now(
) - MAX_DISTRIBUTED_QUERY_AGE + timedelta(hours=1)
probe_source_ok.save()
# simulate all_probes sync
all_probes.clear()
# it's there
queries = DistributedQueryProbeMachine.objects.new_queries_for_machine(
default_machine)
self.assertEqual(len(queries), 1)
self.assertEqual(queries["dq_{}".format(probe_source_ok.pk)],
"SELECT 'QUERY OK';")
def setUpTestData(cls):
cls.binary_sha256 = ("b7839029302930293029392039203920"
"39203920392039203920392023232323")
cls.certificate_sha256 = ("c7839029302930293029392039203920"
"39203920392039203920392023232323")
# blacklist
cls.blacklist_rules = [{
"policy": "BLACKLIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256
}, {
"policy": "BLACKLIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256
}]
cls.probe_source_blacklist = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe blacklist",
status=ProbeSource.ACTIVE,
body={"rules": cls.blacklist_rules})
cls.probe_blacklist = cls.probe_source_blacklist.load()
# whitelist
cls.whitelist_rules = [{
"policy": "WHITELIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256
}, {
"policy": "WHITELIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256
}]
cls.probe_source_whitelist = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe whitelist",
status=ProbeSource.ACTIVE,
body={"rules": cls.whitelist_rules})
cls.probe_whitelist = cls.probe_source_whitelist.load()
# tablet
cls.tablet_rules = [{
"policy": "BLACKLIST",
"rule_type": "BINARY",
"sha256": cls.binary_sha256[::-1]
}, {
"policy": "BLACKLIST",
"rule_type": "CERTIFICATE",
"sha256": cls.certificate_sha256[::-1]
}]
cls.probe_source_tablet = ProbeSource.objects.create(
model="SantaProbe",
name="santa probe machine",
status=ProbeSource.ACTIVE,
body={
"filters": {
"inventory": [{
"types": ["TABLET"]
}]
},
"rules": cls.tablet_rules
})
cls.probe_tablet = cls.probe_source_tablet.load()
all_probes.clear()
def setUpTestData(cls):
# probe user preference file
cls.query_pfu_query = (
"select username, filename, key, value from "
"(select * from users where directory like '/Users/%') u, "
"preferences p, file f "
"WHERE ("
"(p.path like u.directory || '/Library/Preferences/%onepassword4%') or "
"(p.path like u.directory || '/Library/Preferences/%/%onepassword4%')"
") and ("
"(key = 'LockTimeout' and ((CAST(value as integer) < 1) or (CAST(value as integer) > 10))) or "
"(key = 'LockOnScreenSaver' and ((value <> 'true')))) "
"and f.path = p.path"
)
cls.query_pfu_key = "osquery-compliance-probe-pfu_pf_{}".format(cls.sha1_8(cls.query_pfu_query))
cls.probe_source_pfu = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe pfu",
status=ProbeSource.ACTIVE,
body={"preference_files": [{"type": "USERS",
"rel_path": "%onepassword4%",
"keys": [{"key": "LockTimeout", "min_value": 1, "max_value": 10},
{"key": "LockOnScreenSaver", "value": "true"}],
}]}
)
cls.probe_pfu = cls.probe_source_pfu.load()
# probe global preference file
cls.query_pfg_query = (
"select filename, key, value from "
"preferences p, file f "
"WHERE ("
"(p.path = '/Library/Preferences/Bluetooth')"
") and ("
"(key = 'ControllerPowerState' and ((value <> '0')))"
") and f.path = p.path"
)
cls.query_pfg_key = "osquery-compliance-probe-pfg_pf_{}".format(cls.sha1_8(cls.query_pfg_query))
cls.probe_source_pfg = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe pfg",
status=ProbeSource.ACTIVE,
body={"preference_files": [{"type": "GLOBAL",
"rel_path": "Bluetooth",
"keys": [{"key": "ControllerPowerState", "value": "0"}],
"interval": 45
}]}
)
cls.probe_pfg = cls.probe_source_pfg.load()
# probe file checksum
cls.query_fc_query = (
"select path, sha256 from hash where (("
"path = '/home/yo/.bashrc' and "
"sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'"
"))"
)
cls.query_fc_key = "osquery-compliance-probe-fc_fc_{}".format(cls.sha1_8(cls.query_fc_query))
cls.probe_source_fc = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe fc",
status=ProbeSource.ACTIVE,
body={"file_checksums": [{"path": "/home/yo/.bashrc",
"sha256": "01234567890123456789012345678901"
"23456789012345678901234567890123",
"interval": 100}]}
)
cls.probe_fc = cls.probe_source_fc.load()
# probe tag / file checksum
cls.query_tag_query = (
"select path, sha256 from hash where (("
"path = '/home/tag/.bashrc' and "
"sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'"
"))"
)
cls.query_tag_key = "osquery-compliance-probe-tag_fc_{}".format(cls.sha1_8(cls.query_tag_query))
cls.probe_source_tag = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe tag",
status=ProbeSource.ACTIVE,
body={"filters": {"inventory": [{"tag_ids": [1]}]},
"file_checksums": [{"path": "/home/tag/.bashrc",
"sha256": "01234567890123456789012345678901"
"23456789012345678901234567890123",
}]}
)
cls.probe_tag = cls.probe_source_tag.load()
# clear
all_probes.clear()
def setUpTestData(cls):
# probe user preference file
cls.query_pfu_query = (
"select username, filename, key, value from "
"(select * from users where directory like '/Users/%') u, "
"preferences p, file f "
"WHERE ("
"(p.path like u.directory || '/Library/Preferences/%onepassword4%') or "
"(p.path like u.directory || '/Library/Preferences/%/%onepassword4%')"
") and ("
"(key = 'LockTimeout' and ((CAST(value as integer) < 1) or (CAST(value as integer) > 10))) or "
"(key = 'LockOnScreenSaver' and ((value <> 'true')))) "
"and f.path = p.path")
cls.query_pfu_key = "osquery-compliance-probe-pfu_pf_{}".format(
cls.sha1_8(cls.query_pfu_query))
cls.probe_source_pfu = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe pfu",
status=ProbeSource.ACTIVE,
body={
"preference_files": [{
"type":
"USERS",
"rel_path":
"%onepassword4%",
"keys": [{
"key": "LockTimeout",
"min_value": 1,
"max_value": 10
}, {
"key": "LockOnScreenSaver",
"value": "true"
}],
}]
})
cls.probe_pfu = cls.probe_source_pfu.load()
# probe global preference file
cls.query_pfg_query = (
"select filename, key, value from "
"preferences p, file f "
"WHERE ("
"(p.path = '/Library/Preferences/Bluetooth')"
") and ("
"(key = 'ControllerPowerState' and ((value <> '0')))"
") and f.path = p.path")
cls.query_pfg_key = "osquery-compliance-probe-pfg_pf_{}".format(
cls.sha1_8(cls.query_pfg_query))
cls.probe_source_pfg = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe pfg",
status=ProbeSource.ACTIVE,
body={
"preference_files": [{
"type":
"GLOBAL",
"rel_path":
"Bluetooth",
"keys": [{
"key": "ControllerPowerState",
"value": "0"
}],
"interval":
45
}]
})
cls.probe_pfg = cls.probe_source_pfg.load()
# probe file checksum
cls.query_fc_query = (
"select path, sha256 from hash where (("
"path = '/home/yo/.bashrc' and "
"sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'"
"))")
cls.query_fc_key = "osquery-compliance-probe-fc_fc_{}".format(
cls.sha1_8(cls.query_fc_query))
cls.probe_source_fc = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe fc",
status=ProbeSource.ACTIVE,
body={
"file_checksums": [{
"path":
"/home/yo/.bashrc",
"sha256":
"01234567890123456789012345678901"
"23456789012345678901234567890123",
"interval":
100
}]
})
cls.probe_fc = cls.probe_source_fc.load()
# probe tag / file checksum
cls.query_tag_query = (
"select path, sha256 from hash where (("
"path = '/home/tag/.bashrc' and "
"sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'"
"))")
cls.query_tag_key = "osquery-compliance-probe-tag_fc_{}".format(
cls.sha1_8(cls.query_tag_query))
cls.probe_source_tag = ProbeSource.objects.create(
model="OsqueryComplianceProbe",
name="osquery compliance probe tag",
status=ProbeSource.ACTIVE,
body={
"filters": {
"inventory": [{
"tag_ids": [1]
}]
},
"file_checksums": [{
"path":
"/home/tag/.bashrc",
"sha256":
"01234567890123456789012345678901"
"23456789012345678901234567890123",
}]
})
cls.probe_tag = cls.probe_source_tag.load()
# clear
all_probes.clear()
def clear_probes_cache(self, body, message):
self.log_info("clear probes cache")
all_probes.clear()
message.ack()
def test_all_probes(self):
all_probes.clear()
self.assertEqual(list(all_probes), [self.probe])
def clear_probes_cache(self, body, message):
self.log_info("clear probes cache")
all_probes.clear()
message.ack()
def clear_probes_cache(self, body, message):
all_probes.clear()
message.ack()
