def testInterrogateCloudMetadataLinux(self):
"""Check google cloud metadata on linux."""
client_id, client_urn = self._SetupMinimalClient()
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
with test_lib.SuppressLogs():
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
if data_store.RelationalDBReadEnabled():
client = self._OpenClient(client_id)
self._CheckCloudMetadataRelational(client)
else:
client = aff4.FACTORY.Open(client_urn, token=self.token)
self._CheckCloudMetadataAFF4(client)
def testFleetspeakClient(self, mock_labels_fn):
mock_labels_fn.return_value = ["foo", "bar"]
client_id = "C.0000000000000001"
data_store.REL_DB.WriteClientMetadata(client_id,
fleetspeak_enabled=True)
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(fqdn="fleetspeak.test.com",
system="Linux",
release="Ubuntu",
version="14.4")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
flow_test_lib.TestFlowHelper(discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
snapshot = data_store.REL_DB.ReadClientSnapshot(client_id)
self.assertEqual(snapshot.knowledge_base.fqdn, "fleetspeak.test.com")
self.assertEqual(snapshot.knowledge_base.os, "Linux")
self._CheckClientInfo(snapshot)
self._CheckGRRConfig(snapshot)
self._CheckNotificationsCreated(self.token.username, client_id)
self._CheckRelease(snapshot, "Ubuntu", "14.4")
self._CheckNetworkInfo(snapshot)
labels = data_store.REL_DB.ReadClientLabels(client_id)
self.assertCountEqual([l.name for l in labels], ["foo", "bar"])
def testFleetspeakClient_OnlyGRRLabels(self, mock_labels_fn):
mock_labels_fn.return_value = []
client_id = "C.0000000000000001"
data_store.REL_DB.WriteClientMetadata(client_id,
fleetspeak_enabled=True)
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(fqdn="fleetspeak.test.com",
system="Linux",
release="Ubuntu",
version="14.4")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
with self.assertStatsCounterDelta(
1, discovery.FLEETSPEAK_UNLABELED_CLIENTS):
flow_test_lib.TestFlowHelper(discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
rdf_labels = data_store.REL_DB.ReadClientLabels(client_id)
expected_labels = [
action_mocks.InterrogatedClient.LABEL1,
action_mocks.InterrogatedClient.LABEL2,
]
self.assertCountEqual([l.name for l in rdf_labels], expected_labels)
def testInterrogateCloudMetadataWindows(self):
"""Check google cloud metadata on windows."""
self.client_id = self.SetupClient(0,
system="Windows",
os_version="6.2",
arch="AMD64")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
with mock.patch.object(platform,
"system",
return_value="Windows"):
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id)
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckCloudMetadata()
def testInterrogateCloudMetadataWindows(self):
"""Check google cloud metadata on windows."""
client_id = self.SetupClient(0, system="Windows")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
with mock.patch.object(platform,
"system",
return_value="Windows"):
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
if data_store.RelationalDBReadEnabled():
client = self._OpenClient(client_id.Basename())
self._CheckCloudMetadataRelational(client)
else:
client = aff4.FACTORY.Open(client_id, token=self.token)
self._CheckCloudMetadataAFF4(client)
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
self.client_id = self.SetupClient(0,
system="Windows",
kernel="10.0.14393",
os_version="6.2",
arch="AMD64")
data_store.REL_DB.WriteClientMetadata(self.client_id.Basename(),
fleetspeak_enabled=False)
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
# Run the flow in the simulated way
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckBasicInfo("test_node.test", "Windows",
100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsers(["jim", "kovacs"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabels()
self._CheckLabelIndex()
self._CheckWindowsDiskInfo()
self._CheckRegistryPathspec()
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckMemory()
def testSourceFlowIdIsSet(self):
client_id = self._SetupMinimalClient()
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
with test_lib.SuppressLogs():
flow_id = flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
creator=self.test_username,
client_id=client_id)
client = self._OpenClient(client_id)
self.assertNotEmpty(client.metadata.source_flow_id)
self.assertEqual(client.metadata.source_flow_id, flow_id)
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
client_id = self._SetupMinimalClient()
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
with test_lib.ConfigOverrider({
"Artifacts.non_kb_interrogate_artifacts":
["WMILogicalDisks"],
}):
# Run the flow in the simulated way
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
client = self._OpenClient(client_id)
self._CheckBasicInfo(client, "test_node.test", "Windows",
100 * 1000000)
self._CheckClientInfo(client)
self._CheckGRRConfig(client)
self._CheckNotificationsCreated(self.token.username, client_id)
self._CheckClientSummary(client_id,
client.GetSummary(),
"Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsers(client, ["jim", "kovacs"])
self._CheckNetworkInfo(client)
# No VFS test for the relational db.
self._CheckLabels(client_id)
self._CheckLabelIndex(client_id)
self._CheckWindowsDiskInfo(client)
# No registry pathspec test for the relational db.
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckMemory(client)
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
self.client_id = self.SetupClient(0,
system="Linux",
os_version="12.04")
data_store.REL_DB.WriteClientMetadata(self.client_id.Basename(),
fleetspeak_enabled=False)
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckBasicInfo("test_node.test", "Linux", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease("Ubuntu", "14.4")
# users 1,2,3 from wtmp
# users yagharek, isaac from netgroup
self._CheckUsers(
["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabels()
self._CheckLabelIndex()
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries()
self._CheckMemory()
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
fixture_test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Linux", os_version="12.04")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.interrogate_store_in_aff4": [],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Linux", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease("Ubuntu", "14.4")
# users 1,2,3 from wtmp
# users yagharek, isaac from netgroup
self._CheckUsers(
["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries()
self._CheckMemory()
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
client_id = self._SetupMinimalClient()
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration", "LinuxReleaseInfo"
],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(version="14.4", release="Ubuntu")
with test_lib.SuppressLogs():
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
client = self._OpenClient(client_id)
self._CheckBasicInfo(client, "test_node.test", "Linux", 100 * 1000000)
self._CheckClientInfo(client)
self._CheckGRRConfig(client)
self._CheckNotificationsCreated(self.token.username, client_id)
self._CheckClientSummary(
client_id,
client.GetSummary(),
"Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease(client, "Ubuntu", "14.4")
# users 1,2,3 from wtmp, users yagharek, isaac from netgroup
self._CheckUsers(client, ["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo(client)
# No VFS test when running on the relational db.
self._CheckLabels(client_id)
self._CheckLabelIndex(client_id)
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries(client)
self._CheckMemory(client)
def testInterrogateCloudMetadataLinux(self):
"""Check google cloud metadata on linux."""
client_id = self._SetupMinimalClient()
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxReleaseInfo"],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
with test_lib.SuppressLogs():
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
creator=self.test_username,
client_id=client_id)
client = self._OpenClient(client_id)
self._CheckCloudMetadata(client)
def testInterrogateCloudMetadataLinux(self):
"""Check google cloud metadata on linux."""
self.SetupClients(1, system="Linux", os_version="12.04")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckCloudMetadata()
def testInterrogateCloudMetadataWindows(self):
"""Check google cloud metadata on windows."""
client_id = self._SetupMinimalClient()
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
with mock.patch.object(platform,
"system",
return_value="Windows"):
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
creator=self.test_username,
client_id=client_id)
client = self._OpenClient(client_id)
self._CheckCloudMetadata(client)
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
client_id, client_urn = self._SetupMinimalClient()
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(
system="Windows", version="6.1.7600", kernel="6.1.7601")
# Run the flow in the simulated way
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
if data_store.RelationalDBReadEnabled():
client = self._OpenClient(client_id)
self._CheckBasicInfoRelational(client, "test_node.test", "Windows",
100 * 1000000)
self._CheckClientInfoRelational(client)
self._CheckGRRConfigRelational(client)
self._CheckNotificationsCreatedRelational(self.token.username, client_id)
self._CheckClientSummary(
client_id,
client.GetSummary(),
"Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsersRelational(client, ["jim", "kovacs"])
self._CheckNetworkInfoRelational(client)
# No VFS test for the relational db.
self._CheckLabelsRelational(client_id)
self._CheckLabelIndexRelational(client_id)
self._CheckWindowsDiskInfoRelational(client)
# No registry pathspec test for the relational db.
self._CheckClientKwIndexRelational(["Linux"], 0)
self._CheckClientKwIndexRelational(["Windows"], 1)
self._CheckClientKwIndexRelational(["Label2"], 1)
self._CheckMemoryRelational(client)
else:
client = aff4.FACTORY.Open(client_urn, token=self.token)
self._CheckBasicInfoAFF4(client, "test_node.test", "Windows",
100 * 1000000)
self._CheckClientInfoAFF4(client)
self._CheckGRRConfigAFF4(client)
self._CheckNotificationsCreatedAFF4(self.token.username, client_urn)
self._CheckClientSummary(
client_urn,
client.GetSummary(),
"Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsersAFF4(client, ["jim", "kovacs"])
self._CheckNetworkInfoAFF4(client)
self._CheckVFS(client_urn)
self._CheckLabelsAFF4(client)
self._CheckLabelIndexAFF4(client_urn, token=self.token)
self._CheckWindowsDiskInfoAFF4(client)
self._CheckRegistryPathspecAFF4(client_urn)
self._CheckClientKwIndexAFF4(["Linux"], 0)
self._CheckClientKwIndexAFF4(["Windows"], 1)
self._CheckClientKwIndexAFF4(["Label2"], 1)
self._CheckMemoryAFF4(client)
