def Process(self, args) -> Iterator[rdf_osquery.OsqueryResult]:
if not config.CONFIG["Osquery.path"]:
raise RuntimeError(
"The `Osquery` action invoked on a client without "
"osquery path specified.")
if not os.path.exists(config.CONFIG["Osquery.path"]):
raise RuntimeError(
"The `Osquery` action invoked on a client where "
"osquery executable is not available.")
if not args.query:
raise ValueError("The `Osquery` was invoked with an empty query.")
output = Query(args)
# For syntax errors, osquery does not fail (exits with 0) but prints stuff
# to the standard error.
if output.stderr and not args.ignore_stderr_errors:
raise QueryError(output.stderr)
json_decoder = json.Decoder(object_pairs_hook=collections.OrderedDict)
table = ParseTable(json_decoder.decode(output.stdout))
table.query = args.query
for chunk in ChunkTable(table,
config.CONFIG["Osquery.max_chunk_size"]):
yield rdf_osquery.OsqueryResult(table=chunk, stderr=output.stderr)
def testGetTableColumns(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="C"))
result = rdf_osquery.OsqueryResult()
result.table = table
cols = list(result.GetTableColumns())
self.assertEqual(["A", "B", "C"], cols)
def testGetTableRows(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell1"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell2"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["cell3"]))
result = rdf_osquery.OsqueryResult()
result.table = table
rows = list(result.GetTableRows())
self.assertEqual([["cell1"], ["cell2"], ["cell3"]], rows)
def testTextWithCommasToCsvBytes(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(
rdf_osquery.OsqueryColumn(name="c,o,l,u,m,n"))
table.rows.append(rdf_osquery.OsqueryRow(values=["c,e,l,l"]))
result = rdf_osquery.OsqueryResult()
result.table = table
output_bytes = api_osquery._ParseToCsvBytes([result])
output_text = list(map(lambda b: b.decode("utf-8"), output_bytes))
self.assertListEqual(["\"c,o,l,u,m,n\"\r\n", "\"c,e,l,l\"\r\n"],
output_text)
def testSomeTextToCsvBytes(self):
table = rdf_osquery.OsqueryTable()
table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
table.header.columns.append(rdf_osquery.OsqueryColumn(name="B"))
table.rows.append(rdf_osquery.OsqueryRow(values=["1-A", "1-B"]))
table.rows.append(rdf_osquery.OsqueryRow(values=["2-A", "2-B"]))
result = rdf_osquery.OsqueryResult()
result.table = table
output_bytes = api_osquery._ParseToCsvBytes([result])
output_text = list(map(lambda b: b.decode("utf-8"), output_bytes))
self.assertListEqual(["A,B\r\n", "1-A,1-B\r\n", "2-A,2-B\r\n"],
output_text)
def Process(self, args) -> Iterator[rdf_osquery.OsqueryResult]:
if not config.CONFIG["Osquery.path"]:
raise RuntimeError("The `Osquery` action invoked on a client without "
"osquery path specified.")
if not os.path.exists(config.CONFIG["Osquery.path"]):
raise RuntimeError("The `Osquery` action invoked on a client where "
"osquery executable is not available.")
if not args.query:
raise ValueError("The `Osquery` was invoked with an empty query.")
output = Query(args)
json_decoder = json.Decoder(object_pairs_hook=collections.OrderedDict)
table = ParseTable(json_decoder.decode(output))
table.query = args.query
for chunk in ChunkTable(table, config.CONFIG["Osquery.max_chunk_size"]):
yield rdf_osquery.OsqueryResult(table=chunk)
