def testWMIArtifact(self, registry):
"""Test collecting a WMI artifact."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("WMIActiveScriptEventConsumer")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
coll = artifact_collector.ArtifactCollector()
coll.knowledge_base = None
coll.ignore_interpolation_errors = True
expected = rdf_client_action.WMIRequest(
query="SELECT * FROM ActiveScriptEventConsumer",
base_object="winmgmts:\\root\\subscription")
for action, request in coll._ProcessWmiSource(ext_src):
self.assertEqual(request, expected)
self.assertEqual(action, self.windows.WmiQueryFromClient)
self.windows.WmiQueryFromClient.assert_called_with(request)
def testMultipleArtifacts(self, registry):
"""Test collecting multiple artifacts."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 2)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
self.assertEqual(collected_artifacts[1].name, "TestCmdArtifact")
execute_response_1 = collected_artifacts[0].action_results[0].value
execute_response_2 = collected_artifacts[1].action_results[0].value
self.assertGreater(execute_response_1.time_used, 0)
self.assertGreater(execute_response_2.time_used, 0)
def testFilterRequestedArtifactResults(self, registry):
"""Test that only artifacts requested by the user are sent to the server."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src],
requested_by_user=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 1)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
execute_response = collected_artifacts[0].action_results[0].value
self.assertGreater(execute_response.time_used, 0)
def InitializeRequest(self, initial_knowledge_base=None, provides=None):
"""Prepare ClientArtifactCollectorArgs."""
expanded_source = rdf_artifact.ExpandedSource()
expanded_artifact = rdf_artifact.ExpandedArtifact(
name="EmptyArtifact", sources=[expanded_source], provides=provides)
return rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], knowledge_base=initial_knowledge_base)
def testRegistryValueArtifact(self):
"""Test the basic Registry Value collection."""
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="FakeRegistryValue", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
file_stat = list(collected_artifact.action_results)[0].value
self.assertTrue(isinstance(file_stat, rdf_client_fs.StatEntry))
urn = file_stat.pathspec.AFF4Path(self.SetupClient(0))
self.assertTrue(str(urn).endswith("BootExecute"))
def testGRRClientActionEnumerateUsers(self):
"""Test the GRR Client Action EnumerateUsers."""
def MockedOpen(requested_path, mode="rb"):
try:
fixture_path = os.path.join(self.base_path, "VFSFixture",
requested_path.lstrip("/"))
return __builtin__.open.old_target(fixture_path, mode)
except IOError:
return __builtin__.open.old_target(requested_path, mode)
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "EnumerateUsers"
with utils.MultiStubber((__builtin__, "open", MockedOpen),
(glob, "glob", lambda x: ["/var/log/wtmp"])):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
self.assertEqual(len(collected_artifact.action_results), 4)
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client.User)
if value.username not in ["user1", "user2", "user3", "utuser"]:
self.fail("Unexpected user found: %s" % result.username)
def GetRequest(self, source, artifact_name):
expanded_source = rdf_artifact.ExpandedSource(base_source=source)
expanded_artifact = rdf_artifact.ExpandedArtifact(
name=artifact_name, sources=[expanded_source])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], apply_parsers=False)
return request
def testCmdArtifactAction(self):
"""Test the actual client action with parsers."""
client_test_lib.Command("/bin/echo", args=["1"])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "/bin/echo",
"args": ["1"]
})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(name="TestEchoCmdArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
self.assertTrue(len(result.collected_artifacts), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_client.SoftwarePackage)
self.assertEqual(res.description, "1\n")
def testGRRClientActionOSXEnumerateRunningServices(self):
"""Test the GRR Client Action OSXEnumerateRunningServices."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "OSXEnumerateRunningServices"
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def _ExpandArtifactFilesSource(self, source, requested):
"""Recursively expands an artifact files source."""
expanded_source = rdf_artifacts.ExpandedSource(base_source=source)
sub_sources = []
artifact_list = []
if "artifact_list" in source.attributes:
artifact_list = source.attributes["artifact_list"]
for artifact_name in artifact_list:
if artifact_name in self.processed_artifacts:
continue
artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name)
for expanded_artifact in self.Expand(artifact_obj, requested):
sub_sources.extend(expanded_artifact.sources)
expanded_source.artifact_sources = sub_sources
expanded_source.path_type = self._path_type
return [expanded_source]
def testGRRClientActionGetHostname(self):
"""Test the GRR Client Action GetHostname."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "GetHostname"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertTrue(value.string)
def testUnsupportedSourceType(self, registry):
"""Test that an unsupported source type raises an Error."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestAggregationArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
# The type ARTIFACT_GROUP will raise an error because the group should have
# been expanded on the server.
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListNetworkConnections(self):
"""Test the GRR Client Action ListNetworkConnections."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListNetworkConnections"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client_network.NetworkConnection)
def testTSKRaiseValueError(self, registry):
"""Test Raise Error if path type is not OS."""
registry.AddFileSource(self.test_artifacts_file)
ext_src = rdf_artifact.ExpandedSource(
path_type=rdf_paths.PathSpec.PathType.TSK)
ext_art = rdf_artifact.ExpandedArtifact(name="TestArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
artifact = registry.GetArtifact("FakeFileArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
artifact = registry.GetArtifact("BadPathspecArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListProcesses(self):
"""Test the GRR Client Action ListProcesses."""
def ProcessIter():
return iter([client_test_lib.MockWindowsProcess()])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListProcesses"
with utils.Stubber(psutil, "process_iter", ProcessIter):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
value = collected_artifact.action_results[0].value
self.assertIsInstance(value, rdf_client.Process)
self.assertEqual(value.pid, 10)
def testCommandArtifact(self, registry):
"""Test the basic ExecuteCommand action."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(
base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
execute_response = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestCmdArtifact")
self.assertTrue(execute_response.time_used > 0)
def testFakeFileArtifactActionProcessTogether(self):
"""Test collecting a file artifact and parsing the responses together."""
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="FakeFileArtifact2", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertEqual(len(result.collected_artifacts[0].action_results), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_protodict.AttributedDict)
self.assertEqual(len(res.users), 1000)
self.assertEqual(res.filename, file_path)
def _ExpandBasicSource(self, source):
expanded_source = rdf_artifacts.ExpandedSource(
base_source=source,
path_type=self._path_type,
max_bytesize=self._max_file_size)
return [expanded_source]
