def testGRRClientActionEnumerateUsers(self):
"""Test the GRR Client Action EnumerateUsers."""
def MockedOpen(requested_path, mode="rb"):
try:
fixture_path = os.path.join(self.base_path, "VFSFixture",
requested_path.lstrip("/"))
return __builtin__.open.old_target(fixture_path, mode)
except IOError:
return __builtin__.open.old_target(requested_path, mode)
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "EnumerateUsers"
with utils.MultiStubber((__builtin__, "open", MockedOpen),
(glob, "glob", lambda x: ["/var/log/wtmp"])):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
self.assertEqual(len(collected_artifact.action_results), 4)
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client.User)
if value.username not in ["user1", "user2", "user3", "utuser"]:
self.fail("Unexpected user found: %s" % result.username)
def InitializeRequest(self, initial_knowledge_base=None, provides=None):
"""Prepare ClientArtifactCollectorArgs."""
expanded_source = rdf_artifact.ExpandedSource()
expanded_artifact = rdf_artifact.ExpandedArtifact(
name="EmptyArtifact", sources=[expanded_source], provides=provides)
return rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], knowledge_base=initial_knowledge_base)
def testFilterRequestedArtifactResults(self, registry):
"""Test that only artifacts requested by the user are sent to the server."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src],
requested_by_user=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 1)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
execute_response = collected_artifacts[0].action_results[0].value
self.assertGreater(execute_response.time_used, 0)
def testRegistryValueArtifact(self):
"""Test the basic Registry Value collection."""
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
ext_src = rdf_artifact.ExtendedSource(base_source=source)
ext_art = rdf_artifact.ExtendedArtifact(
name="FakeRegistryValue", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
file_stat = list(collected_artifact.action_results)[0].value
self.assertTrue(isinstance(file_stat, rdf_client.StatEntry))
urn = file_stat.pathspec.AFF4Path(self.SetupClient(0))
self.assertTrue(str(urn).endswith("BootExecute"))
def testWMIArtifact(self, registry):
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("WMIActiveScriptEventConsumer")
ext_src = rdf_artifact.ExtendedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertIsInstance(result, rdf_artifact.ClientArtifactCollectorResult)
coll = artifact_collector.ArtifactCollector()
coll.knowledge_base = None
coll.ignore_interpolation_errors = True
expected = rdf_client.WMIRequest(
query="SELECT * FROM ActiveScriptEventConsumer",
base_object="winmgmts:\\root\\subscription")
for action, request in coll._ProcessWmiSource(ext_src):
self.assertEqual(request, expected)
self.assertEqual(action, self.windows.WmiQuery)
self.windows.WmiQuery.Start.assert_called_with(request)
def GetRequest(self, source, artifact_name):
expanded_source = rdf_artifact.ExpandedSource(base_source=source)
expanded_artifact = rdf_artifact.ExpandedArtifact(
name=artifact_name, sources=[expanded_source])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], apply_parsers=False)
return request
def testCmdArtifactAction(self):
"""Test the actual client action with parsers."""
client_test_lib.Command("/bin/echo", args=["1"])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "/bin/echo",
"args": ["1"]
})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(name="TestEchoCmdArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
self.assertTrue(len(result.collected_artifacts), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_client.SoftwarePackage)
self.assertEqual(res.description, "1\n")
def testMultipleArtifacts(self, registry):
"""Test collecting multiple artifacts."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 2)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
self.assertEqual(collected_artifacts[1].name, "TestCmdArtifact")
execute_response_1 = collected_artifacts[0].action_results[0].value
execute_response_2 = collected_artifacts[1].action_results[0].value
self.assertGreater(execute_response_1.time_used, 0)
self.assertGreater(execute_response_2.time_used, 0)
def testGRRClientActionArtifact(self, registry):
"""Test the GetHostname action."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestOSAgnostic")
ext_src = rdf_artifact.ExtendedSource(base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
collected_artifact = list(result.collected_artifacts)[0]
hostname = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestOSAgnostic")
self.assertTrue(hostname.string)
def testGRRClientActionOSXEnumerateRunningServices(self):
"""Test the GRR Client Action OSXEnumerateRunningServices."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "OSXEnumerateRunningServices"
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def GetArtifactCollectorArgs(knowledge_base,
processed_artifacts,
artifact_list,
apply_parsers=True,
ignore_interpolation_errors=False,
use_tsk=False,
max_file_size=500000000):
"""Prepare bundle of artifacts and their dependencies for the client.
Args:
knowledge_base: contains information about the client
processed_artifacts: artifacts that are in the final extended artifact
artifact_list: list of artifact names to be collected
apply_parsers: if True, apply any relevant parser to the collected data
ignore_interpolation_errors: from ArtifactCollectorFlowArgs
use_tsk: from ArtifactCollectorFlowArgs
max_file_size: from ArtifactCollectorFlowArgs
Returns:
rdf value bundle containing a list of extended artifacts and the
knowledge base
"""
bundle = rdf_artifacts.ClientArtifactCollectorArgs()
bundle.knowledge_base = knowledge_base
# TODO(user): Check if the knowledge base is provided. What does the
# ArtifactCollector do if it's not present?
# Switch the Interrogate flow from the ArtifactCollector flow to the
# ClientArtifactCollector? (Think about a way to avoid a dependency loop.)
bundle.apply_parsers = apply_parsers
bundle.ignore_interpolation_errors = ignore_interpolation_errors
bundle.max_file_size = max_file_size
bundle.use_tsk = use_tsk
for artifact_name in artifact_list:
if artifact_name in processed_artifacts:
continue
artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name)
if not MeetsConditions(knowledge_base, artifact_obj):
continue
extended_artifact = _ExtendArtifact(knowledge_base, use_tsk,
max_file_size, processed_artifacts,
artifact_obj)
bundle.artifacts.append(extended_artifact)
return bundle
def testCommandArtifact(self, registry):
"""Test the basic ExecuteCommand action."""
client_test_lib.Command("/usr/bin/dpkg", args=["--list"], system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExtendedSource(base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
collected_artifact = list(result.collected_artifacts)[0]
execute_response = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestCmdArtifact")
self.assertTrue(execute_response.time_used > 0)
def testGRRClientActionGetHostname(self):
"""Test the GRR Client Action GetHostname."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "GetHostname"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertTrue(value.string)
def testUnsupportedSourceType(self, registry):
"""Test that an unsupported source type raises an Error."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestAggregationArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
# The type ARTIFACT_GROUP will raise an error because the group should have
# been expanded on the server.
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListNetworkConnections(self):
"""Test the GRR Client Action ListNetworkConnections."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListNetworkConnections"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client_network.NetworkConnection)
def testFakeFileArtifactAction(self):
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
ext_src = rdf_artifact.ExtendedSource(base_source=source)
ext_art = rdf_artifact.ExtendedArtifact(
name="FakeFileArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertEqual(len(result.collected_artifacts[0].action_results), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_protodict.AttributedDict)
self.assertEqual(len(res.users), 1000)
self.assertEqual(res.filename, file_path)
def testTSKRaiseValueError(self, registry):
"""Test Raise Error if path type is not OS."""
registry.AddFileSource(self.test_artifacts_file)
ext_src = rdf_artifact.ExpandedSource(
path_type=rdf_paths.PathSpec.PathType.TSK)
ext_art = rdf_artifact.ExpandedArtifact(name="TestArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
artifact = registry.GetArtifact("FakeFileArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
artifact = registry.GetArtifact("BadPathspecArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListProcesses(self):
"""Test the GRR Client Action ListProcesses."""
def ProcessIter():
return iter([client_test_lib.MockWindowsProcess()])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListProcesses"
with utils.Stubber(psutil, "process_iter", ProcessIter):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
value = collected_artifact.action_results[0].value
self.assertIsInstance(value, rdf_client.Process)
self.assertEqual(value.pid, 10)
def testFakeFileArtifactActionProcessTogether(self):
"""Test collecting a file artifact and parsing the responses together."""
parsers.MULTI_FILE_PARSER_FACTORY.Register("Fake", FakeFileMultiParser)
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="FakeFileArtifact2", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertEqual(len(result.collected_artifacts[0].action_results), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_protodict.AttributedDict)
self.assertEqual(len(res.users), 1000)
self.assertEqual(res.filename, file_path)
def GetArtifactCollectorArgs(flow_args, knowledge_base):
"""Prepare bundle of artifacts and their dependencies for the client.
Args:
flow_args: An `ArtifactCollectorFlowArgs` instance.
knowledge_base: contains information about the client
Returns:
rdf value object containing a list of extended artifacts and the
knowledge base
"""
args = rdf_artifacts.ClientArtifactCollectorArgs()
args.knowledge_base = knowledge_base
args.apply_parsers = flow_args.apply_parsers
args.ignore_interpolation_errors = flow_args.ignore_interpolation_errors
args.max_file_size = flow_args.max_file_size
if not flow_args.recollect_knowledge_base:
artifact_names = flow_args.artifact_list
else:
artifact_names = GetArtifactsForCollection(knowledge_base.os,
flow_args.artifact_list)
expander = ArtifactExpander(knowledge_base,
_GetPathType(flow_args, knowledge_base.os),
flow_args.max_file_size)
for artifact_name in artifact_names:
rdf_artifact = artifact_registry.REGISTRY.GetArtifact(artifact_name)
if not MeetsConditions(knowledge_base, rdf_artifact):
continue
if artifact_name in expander.processed_artifacts:
continue
requested_by_user = artifact_name in flow_args.artifact_list
for expanded_artifact in expander.Expand(rdf_artifact, requested_by_user):
args.artifacts.append(expanded_artifact)
return args
