def testInterrogateWindows(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.InterrogatedClient( "TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile", "GetLibraryVersions") self.SetWindowsClient() client_mock.InitializeClient(system="Windows", version="6.1.7600", kernel="6.1.7601") # Run the flow in the simulated way for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Windows", 100 * 1000000) self._CheckClientInfo() self._CheckClientIndex(".*Host.*") self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Windows", "6.1.7600", kernel="6.1.7601") # users Bert and Ernie added by the fixture should not be present (USERS # overriden by kb) # jim parsed from registry profile keys self._CheckUsers(["jim", "kovacs"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckWindowsDiskInfo() self._CheckRegistryPathspec() self._CheckClientKwIndex(["Linux"], 0) self._CheckClientKwIndex(["Windows"], 1) self._CheckClientKwIndex(["Label2"], 1)
def testInterrogateLinuxWithWtmp(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) self.SetupClients(1, system="Linux", os_version="12.04") with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": ["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"], "Artifacts.interrogate_store_in_aff4": [], "Artifacts.netgroup_filter_regexes": [r"^login$"] }): client_mock = action_mocks.InterrogatedClient( "TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile", "GetLibraryVersions", "GetMemorySize", "HashFile") client_mock.InitializeClient() for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Linux", 100 * 1000000) self._CheckClientInfo() self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Linux", "14.4", release="Ubuntu", kernel="3.13.0-39-generic") self._CheckRelease("Ubuntu", "14.4") # users 1,2,3 from wtmp # users yagharek, isaac from netgroup self._CheckUsers( ["yagharek", "isaac", "user1", "user2", "user3"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckClientKwIndex(["Linux"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckClientLibraries() self._CheckMemory()
def testInterrogateLinuxWithWtmp(self): """Test the Interrogate flow.""" test_lib.ClientFixture(self.client_id, token=self.token) vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler config_lib.CONFIG.Set( "Artifacts.knowledge_base", ["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"]) config_lib.CONFIG.Set("Artifacts.netgroup_filter_regexes", [r"^login$"]) self.SetLinuxClient() client_mock = action_mocks.InterrogatedClient("TransferBuffer", "StatFile", "Find", "HashBuffer", "ListDirectory", "FingerprintFile") client_mock.InitializeClient() for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Linux", 100 * 1000000) self._CheckClientInfo() self._CheckClientIndex(".*test.*") self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Linux", "14.4", release="Ubuntu", kernel="3.13.0-39-generic") self._CheckRelease("Ubuntu", "14.4") # users 1,2,3 from wtmp # users yagharek, isaac from netgroup self._CheckUsers(["yagharek", "isaac", "user1", "user2", "user3"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckClientKwIndex(["Linux"], 1) self._CheckClientKwIndex(["Label2"], 1)
def testInterrogateWindows(self): """Test the Interrogate flow.""" fixture_test_lib.ClientFixture(self.client_id, token=self.token) self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64") with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, vfs_test_lib.FakeRegistryVFSHandler): with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, vfs_test_lib.FakeFullVFSHandler): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient(system="Windows", version="6.1.7600", kernel="6.1.7601") # Run the flow in the simulated way for _ in flow_test_lib.TestFlowHelper( discovery.Interrogate.__name__, client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckAFF4Object("test_node", "Windows", 100 * 1000000) self._CheckClientInfo() self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Windows", "6.1.7600", kernel="6.1.7601") # jim parsed from registry profile keys self._CheckUsers(["jim", "kovacs"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabelIndex() self._CheckWindowsDiskInfo() self._CheckRegistryPathspec() self._CheckClientKwIndex(["Linux"], 0) self._CheckClientKwIndex(["Windows"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckMemory()
def testInterrogateCloudMetadataWindows(self): """Check google cloud metadata on windows.""" test_lib.ClientFixture(self.client_id, token=self.token) self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64") with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient( system="Windows", version="6.1.7600", kernel="6.1.7601") with mock.patch.object(platform, "system", return_value="Windows"): for _ in test_lib.TestFlowHelper( "Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckCloudMetadata()
def testInterrogateCloudMetadataLinux(self): """Check google cloud metadata on linux.""" test_lib.ClientFixture(self.client_id, token=self.token) self.SetupClients(1, system="Linux", os_version="12.04") with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeTestDataVFSHandler): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": ["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"], "Artifacts.interrogate_store_in_aff4": [], "Artifacts.netgroup_filter_regexes": [r"^login$"] }): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient() for _ in test_lib.TestFlowHelper("Interrogate", client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckCloudMetadata()
def testStatsHunt(self): interval = rdfvalue.Duration( config_lib.CONFIG["StatsHunt.CollectionInterval"]) batch_size = 3 config_lib.CONFIG.Set("StatsHunt.ClientBatchSize", batch_size) # Make one of the clients windows with aff4.FACTORY.Open(self.client_ids[3], mode="rw", token=self.token) as win_client: win_client.Set(win_client.Schema.SYSTEM("Windows")) with test_lib.FakeTime(0, increment=0.01): with hunts.GRRHunt.StartHunt( hunt_name="StatsHunt", client_rate=0, token=self.token, output_plugins=[ output_plugin.OutputPluginDescriptor( plugin_name="DummyHuntOutputPlugin") ]) as hunt: hunt.Run() hunt_urn = hunt.urn # Run the hunt. self.AssignTasksToClients() client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient() test_lib.TestHuntHelper(client_mock, self.client_ids, False, self.token) # At this time the clients should not receive any messages since messages # are posted in the future. self.assertEqual(client_mock.response_count, 0) # Lets advance the time and re-run the hunt. The clients should now receive # their messages. with test_lib.FakeTime(10 + interval.seconds, increment=0.01): test_lib.TestHuntHelper(client_mock, self.client_ids, False, self.token) self.assertEqual(client_mock.response_count, len(self.client_ids)) # Make sure the last message was of LOW_PRIORITY (all messages should be # LOW_PRIORITY but we only check the last one). self.assertEqual(client_mock.recorded_messages[-1].priority, "LOW_PRIORITY") # Check fastpoll was false for all messages self.assertFalse( any([ x.require_fastpoll for x in client_mock.recorded_messages ])) # Pause the hunt with aff4.FACTORY.OpenWithLock(hunt.urn, token=self.token) as hunt: hunt.GetRunner().Pause() # Advance time and re-run. We get the results back from last time, but don't # schedule any new ones because the hunt is now paused. with test_lib.FakeTime(20 + (interval.seconds * 2), increment=0.01): test_lib.TestHuntHelper(client_mock, self.client_ids, False, self.token) self.assertEqual(client_mock.response_count, len(self.client_ids) * 2) # Advance time and re-run. We should have the same number of responses # still. with test_lib.FakeTime(30 + (interval.seconds * 3), increment=0.01): test_lib.TestHuntHelper(client_mock, self.client_ids, False, self.token) # All clients were called. self.assertEqual(client_mock.response_count, len(self.client_ids) * 2) # Check the results got written to the collection result_collection = aff4.FACTORY.Open(hunt_urn.Add("Results"), token=self.token) # The +1 is here because we write 2 responses for the single windows machine # (dnsconfig and interface) self.assertEqual(len(result_collection), (len(self.client_ids) + 1) * 2)