def setUpTestData(cls): # probe 1, users cls.query_1 = "select * from users" cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery distributed query 1", status=ProbeSource.ACTIVE, body={"distributed_query": cls.query_1}, ) cls.probe_1 = cls.probe_source_1.load() cls.query_1_key = "q_{}".format(cls.probe_1.pk) # probe 2, processes cls.query_2 = "select * from processes" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery distributed query 2", status=ProbeSource.ACTIVE, body={"distributed_query": cls.query_2}, ) cls.probe_2 = cls.probe_source_2.load() cls.query_2_key = "q_{}".format(cls.probe_2.pk) # probe windows, system_info cls.query_windows = "select * from system_info" cls.probe_source_windows = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery probe windows", status=ProbeSource.ACTIVE, body={"filters": {"inventory": [{"platforms": ["WINDOWS"]}]}, "distributed_query": cls.query_windows}, ) cls.probe_windows = cls.probe_source_windows.load() cls.query_windows_key = "q_{}".format(cls.probe_windows.pk) # clear all_probes.clear()
def test_distributed_read_one_query_plus_default_inventory_query(self): _, node_key = self.enroll_machine() # one distributed query probe dq = "select * from users;" probe_source = ProbeSource.objects.create( name="Shellac", status=ProbeSource.ACTIVE, model="OsqueryDistributedQueryProbe", body={"distributed_query": dq}) dq_name = "dq_{}".format(probe_source.pk) # simulate an all_probes sync all_probes.clear() # distributed read response = self.post_as_json("distributed_read", {"node_key": node_key}) self.assertEqual(response.status_code, 200) self.assertEqual(response["Content-Type"], "application/json") json_response = response.json() query_names = [ "{}{}".format(INVENTORY_DISTRIBUTED_QUERY_PREFIX, t) for t in ("os_version", "system_info", "uptime", "network_interface") ] query_names.append(dq_name) self.assertCountEqual(json_response["queries"], query_names) self.assertEqual(json_response["queries"][dq_name], dq) # post default inventory snapshot. self.post_default_inventory_query_snapshot(node_key) # 2nd distributed read still has the inventory query # but with the apps and azure ad info queries, now that we know # what kind of machine it is response = self.post_as_json("distributed_read", {"node_key": node_key}) self.assertEqual(response.status_code, 200) self.assertEqual(response["Content-Type"], "application/json") json_response = response.json() query_names = [ "{}{}".format(INVENTORY_DISTRIBUTED_QUERY_PREFIX, t) for t in ("os_version", "system_info", "uptime", "network_interface", "apps", "azure_ad_user_info", "azure_ad_certificate") ] self.assertCountEqual(json_response["queries"], query_names) # post default inventory snapshot with one app, and the azure ad info self.post_default_inventory_query_snapshot(node_key, with_app=True, with_azure_ad=True) # 3rd distributed read empty (2 snapshots done and no other distributed queries available) response = self.post_as_json("distributed_read", {"node_key": node_key}) self.assertEqual(response.status_code, 200) self.assertEqual(response["Content-Type"], "application/json") json_response = response.json() self.assertEqual(json_response, {"queries": {}})
def setUpTestData(cls): # schedule # probe 1, all machines, schedule cls.query_1 = {"query": "select * from processes", "interval": 123} cls.query_1_key = "osquery-probe-1_00adca42" cls.query_1_result_name = cls.query_1_key cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe 1", status=ProbeSource.ACTIVE, body={"queries": [cls.query_1]}) cls.probe_1 = cls.probe_source_1.load() # query pack cls.query_pack_discovery = [ "select pid from processes where name = 'foobar';", "select count(*) from users where username like 'www%';" ] cls.query_pack_key = "05f720ae" # probe 2, all machines, query pack cls.query_2 = {"query": "select * from users"} cls.query_2_key = "osquery-probe-2_19206bc4" cls.query_2_result_name = "pack_05f720ae_osquery-probe-2_19206bc4" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe 2", status=ProbeSource.ACTIVE, body={ "queries": [cls.query_2], "discovery": cls.query_pack_discovery }) cls.probe_2 = cls.probe_source_2.load() # probe windows, windows machines, query pack cls.query_windows = {"query": "select * from users"} cls.query_windows_key = "osquery-probe-windows_19206bc4" cls.query_windows_result_name = "pack_05f720ae_osquery-probe-windows_19206bc4" cls.probe_source_windows = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe windows", status=ProbeSource.ACTIVE, body={ "filters": { "inventory": [{ "platforms": ["WINDOWS"] }] }, "queries": [cls.query_windows], "discovery": cls.query_pack_discovery[::-1] } # reversed ! ) cls.probe_windows = cls.probe_source_windows.load() all_probes.clear()
def setUpTestData(cls): # probe 1 cls.query_1_filepath = "/Users/%/.ssh/%%" cls.query_1_filepath_hash = "edef96bc" cls.query_1_key = "osquery-fim-probe-1_c71292f6" cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe 1", status=ProbeSource.ACTIVE, body={"file_paths": [{ "file_path": cls.query_1_filepath }]}) cls.probe_1 = cls.probe_source_1.load() # probe 2 cls.query_2_filepath = "/home/%/.ssh/%%" cls.query_2_filepath_hash = "6ca0f872" cls.query_2_key = "osquery-fim-probe-2_1c6e39ad" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe 2", status=ProbeSource.ACTIVE, body={ "file_paths": [{ "file_path": cls.query_2_filepath, "file_access": True }] }) cls.probe_2 = cls.probe_source_2.load() # probe mbu cls.query_mbu_filepath = "/root/.ssh/%%" cls.query_mbu_filepath_hash = "35c934e0" cls.query_mbu_key = "osquery-fim-probe-mbu_cc871b0b" cls.probe_source_mbu = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe mbu", status=ProbeSource.ACTIVE, body={ "filters": { "inventory": [{ "meta_business_unit_ids": [1] }] }, "file_paths": [{ "file_path": cls.query_mbu_filepath, "file_access": False }] }) cls.probe_mbu = cls.probe_source_mbu.load() # clear all_probes.clear()
def setUpTestData(cls): cls.binary_sha256 = ("b7839029302930293029392039203920" "39203920392039203920392023232323") cls.certificate_sha256 = ("c7839029302930293029392039203920" "39203920392039203920392023232323") # blacklist cls.blacklist_rules = [{"policy": "BLACKLIST", "rule_type": "BINARY", "sha256": cls.binary_sha256}, {"policy": "BLACKLIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256}] cls.probe_source_blacklist = ProbeSource.objects.create( model="SantaProbe", name="santa probe blacklist", status=ProbeSource.ACTIVE, body={"rules": cls.blacklist_rules} ) cls.probe_blacklist = cls.probe_source_blacklist.load() # whitelist cls.whitelist_rules = [{"policy": "WHITELIST", "rule_type": "BINARY", "sha256": cls.binary_sha256}, {"policy": "WHITELIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256}] cls.probe_source_whitelist = ProbeSource.objects.create( model="SantaProbe", name="santa probe whitelist", status=ProbeSource.ACTIVE, body={"rules": cls.whitelist_rules} ) cls.probe_whitelist = cls.probe_source_whitelist.load() # tablet cls.tablet_rules = [{"policy": "BLACKLIST", "rule_type": "BINARY", "sha256": cls.binary_sha256[::-1]}, {"policy": "BLACKLIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256[::-1]}] cls.probe_source_tablet = ProbeSource.objects.create( model="SantaProbe", name="santa probe machine", status=ProbeSource.ACTIVE, body={"filters": {"inventory": [{"types": ["TABLET"]}]}, "rules": cls.tablet_rules} ) cls.probe_tablet = cls.probe_source_tablet.load() all_probes.clear()
def setUpTestData(cls): # schedule # probe 1, all machines, schedule cls.query_1 = {"query": "select * from processes", "interval": 123} cls.query_1_key = "osquery-probe-1_00adca42" cls.query_1_result_name = cls.query_1_key cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe 1", status=ProbeSource.ACTIVE, body={"queries": [cls.query_1]} ) cls.probe_1 = cls.probe_source_1.load() # query pack cls.query_pack_discovery = [ "select pid from processes where name = 'foobar';", "select count(*) from users where username like 'www%';" ] cls.query_pack_key = "05f720ae" # probe 2, all machines, query pack cls.query_2 = {"query": "select * from users"} cls.query_2_key = "osquery-probe-2_19206bc4" cls.query_2_result_name = "pack_05f720ae_osquery-probe-2_19206bc4" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe 2", status=ProbeSource.ACTIVE, body={"queries": [cls.query_2], "discovery": cls.query_pack_discovery} ) cls.probe_2 = cls.probe_source_2.load() # probe windows, windows machines, query pack cls.query_windows = {"query": "select * from users"} cls.query_windows_key = "osquery-probe-windows_19206bc4" cls.query_windows_result_name = "pack_05f720ae_osquery-probe-windows_19206bc4" cls.probe_source_windows = ProbeSource.objects.create( model="OsqueryProbe", name="osquery probe windows", status=ProbeSource.ACTIVE, body={"filters": {"inventory": [{"platforms": ["WINDOWS"]}]}, "queries": [cls.query_windows], "discovery": cls.query_pack_discovery[::-1]} # reversed ! ) cls.probe_windows = cls.probe_source_windows.load() all_probes.clear()
def test_default_machine_distributed_queries(self): default_machine = MockMetaMachine([], [], None, None, serial_number="MSN1") # simulate all_probes sync all_probes.clear() queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 2) for key, query in ((self.query_1_key, self.query_1), (self.query_2_key, self.query_2)): self.assertEqual(queries[key], query) # simulate all_probes sync all_probes.clear() extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(extra_queries, {})
def setUpTestData(cls): cls.probe_source = ProbeSource.objects.create( model="BaseProbe", name=get_random_string(), status=ProbeSource.ACTIVE, body={ "filters": { "metadata": [{ "event_types": ["inventory_heartbeat"] }] } }) cls.probe_source_with_incident = ProbeSource.objects.create( model="BaseProbe", name=get_random_string(), status=ProbeSource.ACTIVE, body={ "filters": { "metadata": [{ "event_types": ["inventory_heartbeat"] }] }, "incident_severity": Severity.CRITICAL.value }, ) cls.probe_source_for_incident_with_incident = ProbeSource.objects.create( model="BaseProbe", name=get_random_string(), status=ProbeSource.ACTIVE, body={ "filters": { "metadata": [{ "event_types": ["incident_created"] }] }, "incident_severity": Severity.CRITICAL.value }, # only for the tests! Not useful at all! ) cls.probe = cls.probe_source.load() cls.probe_with_incident = cls.probe_source_with_incident.load() cls.probe_for_incident_with_incident = cls.probe_source_for_incident_with_incident.load( ) all_probes.clear()
def test_windows_machine_distributed_queries(self): windows_machine = MockMetaMachine([], [], "WINDOWS", None, serial_number="MSN2") # simulate all_probes sync all_probes.clear() queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( windows_machine) self.assertEqual(len(queries), 3) for key, query in ((self.query_1_key, self.query_1), (self.query_2_key, self.query_2), (self.query_windows_key, self.query_windows)): self.assertEqual(queries[key], query) # simulate all_probes sync all_probes.clear() extra_queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( windows_machine) self.assertEqual(extra_queries, {})
def setUpTestData(cls): # probe 1 cls.query_1_filepath = "/Users/%/.ssh/%%" cls.query_1_filepath_hash = "edef96bc" cls.query_1_key = "osquery-fim-probe-1_c71292f6" cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe 1", status=ProbeSource.ACTIVE, body={"file_paths": [{"file_path": cls.query_1_filepath}]}, ) cls.probe_1 = cls.probe_source_1.load() # probe 2 cls.query_2_filepath = "/home/%/.ssh/%%" cls.query_2_filepath_hash = "6ca0f872" cls.query_2_key = "osquery-fim-probe-2_1c6e39ad" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe 2", status=ProbeSource.ACTIVE, body={"file_paths": [{"file_path": cls.query_2_filepath, "file_access": True}]}, ) cls.probe_2 = cls.probe_source_2.load() # probe mbu cls.query_mbu_filepath = "/root/.ssh/%%" cls.query_mbu_filepath_hash = "35c934e0" cls.query_mbu_key = "osquery-fim-probe-mbu_cc871b0b" cls.probe_source_mbu = ProbeSource.objects.create( model="OsqueryFIMProbe", name="osquery fim probe mbu", status=ProbeSource.ACTIVE, body={ "filters": {"inventory": [{"meta_business_unit_ids": [1]}]}, "file_paths": [{"file_path": cls.query_mbu_filepath, "file_access": False}], }, ) cls.probe_mbu = cls.probe_source_mbu.load() # clear all_probes.clear()
def setUpTestData(cls): # probe 1, users cls.query_1 = "select * from users" cls.probe_source_1 = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery distributed query 1", status=ProbeSource.ACTIVE, body={"distributed_query": cls.query_1}) cls.probe_1 = cls.probe_source_1.load() cls.query_1_key = "dq_{}".format(cls.probe_1.pk) # probe 2, processes cls.query_2 = "select * from processes" cls.probe_source_2 = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery distributed query 2", status=ProbeSource.ACTIVE, body={"distributed_query": cls.query_2}) cls.probe_2 = cls.probe_source_2.load() cls.query_2_key = "dq_{}".format(cls.probe_2.pk) # probe windows, system_info cls.query_windows = "select * from system_info" cls.probe_source_windows = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="osquery probe windows", status=ProbeSource.ACTIVE, body={ "filters": { "inventory": [{ "platforms": ["WINDOWS"] }] }, "distributed_query": cls.query_windows }) cls.probe_windows = cls.probe_source_windows.load() cls.query_windows_key = "dq_{}".format(cls.probe_windows.pk) # clear all_probes.clear()
def test_default_machine_older_distributed_queries(self): default_machine = MockMetaMachine([], [], None, None, serial_number="MSN3") # simulate all_probes sync all_probes.clear() # consume all queries queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 2) queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 0) # make a query that is one hour too old probe_source_too_old = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="QUERY TOO OLD", status=ProbeSource.ACTIVE, body={"distributed_query": "SELECT 'QUERY TOO OLD';"}, ) # simulate all_probes sync all_probes.clear() probe_source_too_old.created_at = timezone.now( ) - MAX_DISTRIBUTED_QUERY_AGE - timedelta(hours=1) probe_source_too_old.save() queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) # it's not there self.assertEqual(len(queries), 0) # make a query that is one hour younger than the limit probe_source_ok = ProbeSource.objects.create( model="OsqueryDistributedQueryProbe", name="QUERY OK", status=ProbeSource.ACTIVE, body={"distributed_query": "SELECT 'QUERY OK';"}, ) probe_source_ok.created_at = timezone.now( ) - MAX_DISTRIBUTED_QUERY_AGE + timedelta(hours=1) probe_source_ok.save() # simulate all_probes sync all_probes.clear() # it's there queries = DistributedQueryProbeMachine.objects.new_queries_for_machine( default_machine) self.assertEqual(len(queries), 1) self.assertEqual(queries["dq_{}".format(probe_source_ok.pk)], "SELECT 'QUERY OK';")
def setUpTestData(cls): cls.binary_sha256 = ("b7839029302930293029392039203920" "39203920392039203920392023232323") cls.certificate_sha256 = ("c7839029302930293029392039203920" "39203920392039203920392023232323") # blacklist cls.blacklist_rules = [{ "policy": "BLACKLIST", "rule_type": "BINARY", "sha256": cls.binary_sha256 }, { "policy": "BLACKLIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256 }] cls.probe_source_blacklist = ProbeSource.objects.create( model="SantaProbe", name="santa probe blacklist", status=ProbeSource.ACTIVE, body={"rules": cls.blacklist_rules}) cls.probe_blacklist = cls.probe_source_blacklist.load() # whitelist cls.whitelist_rules = [{ "policy": "WHITELIST", "rule_type": "BINARY", "sha256": cls.binary_sha256 }, { "policy": "WHITELIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256 }] cls.probe_source_whitelist = ProbeSource.objects.create( model="SantaProbe", name="santa probe whitelist", status=ProbeSource.ACTIVE, body={"rules": cls.whitelist_rules}) cls.probe_whitelist = cls.probe_source_whitelist.load() # tablet cls.tablet_rules = [{ "policy": "BLACKLIST", "rule_type": "BINARY", "sha256": cls.binary_sha256[::-1] }, { "policy": "BLACKLIST", "rule_type": "CERTIFICATE", "sha256": cls.certificate_sha256[::-1] }] cls.probe_source_tablet = ProbeSource.objects.create( model="SantaProbe", name="santa probe machine", status=ProbeSource.ACTIVE, body={ "filters": { "inventory": [{ "types": ["TABLET"] }] }, "rules": cls.tablet_rules }) cls.probe_tablet = cls.probe_source_tablet.load() all_probes.clear()
def setUpTestData(cls): # probe user preference file cls.query_pfu_query = ( "select username, filename, key, value from " "(select * from users where directory like '/Users/%') u, " "preferences p, file f " "WHERE (" "(p.path like u.directory || '/Library/Preferences/%onepassword4%') or " "(p.path like u.directory || '/Library/Preferences/%/%onepassword4%')" ") and (" "(key = 'LockTimeout' and ((CAST(value as integer) < 1) or (CAST(value as integer) > 10))) or " "(key = 'LockOnScreenSaver' and ((value <> 'true')))) " "and f.path = p.path" ) cls.query_pfu_key = "osquery-compliance-probe-pfu_pf_{}".format(cls.sha1_8(cls.query_pfu_query)) cls.probe_source_pfu = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe pfu", status=ProbeSource.ACTIVE, body={"preference_files": [{"type": "USERS", "rel_path": "%onepassword4%", "keys": [{"key": "LockTimeout", "min_value": 1, "max_value": 10}, {"key": "LockOnScreenSaver", "value": "true"}], }]} ) cls.probe_pfu = cls.probe_source_pfu.load() # probe global preference file cls.query_pfg_query = ( "select filename, key, value from " "preferences p, file f " "WHERE (" "(p.path = '/Library/Preferences/Bluetooth')" ") and (" "(key = 'ControllerPowerState' and ((value <> '0')))" ") and f.path = p.path" ) cls.query_pfg_key = "osquery-compliance-probe-pfg_pf_{}".format(cls.sha1_8(cls.query_pfg_query)) cls.probe_source_pfg = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe pfg", status=ProbeSource.ACTIVE, body={"preference_files": [{"type": "GLOBAL", "rel_path": "Bluetooth", "keys": [{"key": "ControllerPowerState", "value": "0"}], "interval": 45 }]} ) cls.probe_pfg = cls.probe_source_pfg.load() # probe file checksum cls.query_fc_query = ( "select path, sha256 from hash where ((" "path = '/home/yo/.bashrc' and " "sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'" "))" ) cls.query_fc_key = "osquery-compliance-probe-fc_fc_{}".format(cls.sha1_8(cls.query_fc_query)) cls.probe_source_fc = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe fc", status=ProbeSource.ACTIVE, body={"file_checksums": [{"path": "/home/yo/.bashrc", "sha256": "01234567890123456789012345678901" "23456789012345678901234567890123", "interval": 100}]} ) cls.probe_fc = cls.probe_source_fc.load() # probe tag / file checksum cls.query_tag_query = ( "select path, sha256 from hash where ((" "path = '/home/tag/.bashrc' and " "sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'" "))" ) cls.query_tag_key = "osquery-compliance-probe-tag_fc_{}".format(cls.sha1_8(cls.query_tag_query)) cls.probe_source_tag = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe tag", status=ProbeSource.ACTIVE, body={"filters": {"inventory": [{"tag_ids": [1]}]}, "file_checksums": [{"path": "/home/tag/.bashrc", "sha256": "01234567890123456789012345678901" "23456789012345678901234567890123", }]} ) cls.probe_tag = cls.probe_source_tag.load() # clear all_probes.clear()
def setUpTestData(cls): # probe user preference file cls.query_pfu_query = ( "select username, filename, key, value from " "(select * from users where directory like '/Users/%') u, " "preferences p, file f " "WHERE (" "(p.path like u.directory || '/Library/Preferences/%onepassword4%') or " "(p.path like u.directory || '/Library/Preferences/%/%onepassword4%')" ") and (" "(key = 'LockTimeout' and ((CAST(value as integer) < 1) or (CAST(value as integer) > 10))) or " "(key = 'LockOnScreenSaver' and ((value <> 'true')))) " "and f.path = p.path") cls.query_pfu_key = "osquery-compliance-probe-pfu_pf_{}".format( cls.sha1_8(cls.query_pfu_query)) cls.probe_source_pfu = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe pfu", status=ProbeSource.ACTIVE, body={ "preference_files": [{ "type": "USERS", "rel_path": "%onepassword4%", "keys": [{ "key": "LockTimeout", "min_value": 1, "max_value": 10 }, { "key": "LockOnScreenSaver", "value": "true" }], }] }) cls.probe_pfu = cls.probe_source_pfu.load() # probe global preference file cls.query_pfg_query = ( "select filename, key, value from " "preferences p, file f " "WHERE (" "(p.path = '/Library/Preferences/Bluetooth')" ") and (" "(key = 'ControllerPowerState' and ((value <> '0')))" ") and f.path = p.path") cls.query_pfg_key = "osquery-compliance-probe-pfg_pf_{}".format( cls.sha1_8(cls.query_pfg_query)) cls.probe_source_pfg = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe pfg", status=ProbeSource.ACTIVE, body={ "preference_files": [{ "type": "GLOBAL", "rel_path": "Bluetooth", "keys": [{ "key": "ControllerPowerState", "value": "0" }], "interval": 45 }] }) cls.probe_pfg = cls.probe_source_pfg.load() # probe file checksum cls.query_fc_query = ( "select path, sha256 from hash where ((" "path = '/home/yo/.bashrc' and " "sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'" "))") cls.query_fc_key = "osquery-compliance-probe-fc_fc_{}".format( cls.sha1_8(cls.query_fc_query)) cls.probe_source_fc = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe fc", status=ProbeSource.ACTIVE, body={ "file_checksums": [{ "path": "/home/yo/.bashrc", "sha256": "01234567890123456789012345678901" "23456789012345678901234567890123", "interval": 100 }] }) cls.probe_fc = cls.probe_source_fc.load() # probe tag / file checksum cls.query_tag_query = ( "select path, sha256 from hash where ((" "path = '/home/tag/.bashrc' and " "sha256 <> '0123456789012345678901234567890123456789012345678901234567890123'" "))") cls.query_tag_key = "osquery-compliance-probe-tag_fc_{}".format( cls.sha1_8(cls.query_tag_query)) cls.probe_source_tag = ProbeSource.objects.create( model="OsqueryComplianceProbe", name="osquery compliance probe tag", status=ProbeSource.ACTIVE, body={ "filters": { "inventory": [{ "tag_ids": [1] }] }, "file_checksums": [{ "path": "/home/tag/.bashrc", "sha256": "01234567890123456789012345678901" "23456789012345678901234567890123", }] }) cls.probe_tag = cls.probe_source_tag.load() # clear all_probes.clear()
def clear_probes_cache(self, body, message): self.log_info("clear probes cache") all_probes.clear() message.ack()
def test_all_probes(self): all_probes.clear() self.assertEqual(list(all_probes), [self.probe])
def clear_probes_cache(self, body, message): all_probes.clear() message.ack()