def ProcessMessage(self, message=None, event=None):
_ = message
with aff4.FACTORY.Create(aff4.CurrentAuditLog(),
"PackedVersionedCollection",
mode="w",
token=self.token) as fd:
fd.Add(event)
def testFlowExecution(self):
client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")
rollover = config_lib.CONFIG["Logging.aff4_audit_log_rollover"]
# Set time to epoch + 20 intervals
with test_lib.FakeTime(20 * rollover):
for _ in test_lib.TestFlowHelper(
"ListDirectory", client_mock, client_id=self.client_id,
pathspec=rdfvalue.PathSpec(
path=os.path.join(self.base_path, "test_img.dd/test directory"),
pathtype=rdfvalue.PathSpec.PathType.OS),
token=self.token):
pass
for _ in test_lib.TestFlowHelper(
"ListDirectory", client_mock, client_id=self.client_id,
pathspec=rdfvalue.PathSpec(
path=os.path.join(self.base_path, "test_img.dd/test directory"),
pathtype=rdfvalue.PathSpec.PathType.OS),
token=self.token):
pass
parentdir = aff4.FACTORY.Open("aff4:/audit/logs", "AFF4Volume", mode="r",
token=self.token)
logs = list(parentdir.ListChildren())
self.assertEqual(len(logs), 1)
log = aff4.CurrentAuditLog()
events = list(aff4.FACTORY.Open(log, token=self.token))
self.assertEqual(len(events), 2)
for event in events:
self.assertEqual(event.action, rdfvalue.AuditEvent.Action.RUN_FLOW)
self.assertEqual(event.flow_name, "ListDirectory")
self.assertEqual(event.user, self.token.username)
# Set time to epoch + 22 intervals
with test_lib.FakeTime(22 * rollover):
for _ in test_lib.TestFlowHelper(
"ListDirectory", client_mock, client_id=self.client_id,
pathspec=rdfvalue.PathSpec(
path=os.path.join(self.base_path, "test_img.dd/test directory"),
pathtype=rdfvalue.PathSpec.PathType.OS),
token=self.token):
pass
parentdir = aff4.FACTORY.Open("aff4:/audit/logs", "AFF4Volume", mode="r",
token=self.token)
# Now we should have two collections
logs = list(parentdir.ListChildren())
self.assertEqual(len(logs), 2)
# One with two events
events = list(aff4.FACTORY.Open(logs[0], token=self.token))
self.assertEqual(len(events), 2)
# The other with one
events = list(aff4.FACTORY.Open(logs[1], token=self.token))
self.assertEqual(len(events), 1)
def EnsureLogExists(self):
log_urn = aff4.CurrentAuditLog()
if log_urn not in self.created_logs:
aff4.FACTORY.Create(log_urn,
AuditEventCollection,
mode="w",
token=self.token).Close()
self.created_logs.add(log_urn)
return log_urn
def testFlowExecution(self):
client_mock = action_mocks.ListDirectoryClientMock()
rollover = aff4.AUDIT_ROLLOVER_TIME.seconds
# Set time to epoch + 20 intervals
with test_lib.FakeTime(20 * rollover):
for _ in flow_test_lib.TestFlowHelper(
filesystem.ListDirectory.__name__,
client_mock,
client_id=self.client_id,
pathspec=rdf_paths.PathSpec(
path=os.path.join(self.base_path,
"test_img.dd/test directory"),
pathtype=rdf_paths.PathSpec.PathType.OS),
token=self.token):
pass
for _ in flow_test_lib.TestFlowHelper(
filesystem.ListDirectory.__name__,
client_mock,
client_id=self.client_id,
pathspec=rdf_paths.PathSpec(
path=os.path.join(self.base_path,
"test_img.dd/test directory"),
pathtype=rdf_paths.PathSpec.PathType.OS),
token=self.token):
pass
parentdir = aff4.FACTORY.Open("aff4:/audit/logs",
aff4.AFF4Volume,
mode="r",
token=self.token)
logs = list(parentdir.ListChildren())
self.assertEqual(len(logs), 1)
log = aff4.CurrentAuditLog()
stored_events = audit.AuditEventCollection(log, token=self.token)
self.assertEqual(len(stored_events), 2)
for event in stored_events:
self.assertEqual(event.action,
events.AuditEvent.Action.RUN_FLOW)
self.assertEqual(event.flow_name,
filesystem.ListDirectory.__name__)
self.assertEqual(event.user, self.token.username)
# Set time to epoch + 22 intervals
with test_lib.FakeTime(22 * rollover):
for _ in flow_test_lib.TestFlowHelper(
filesystem.ListDirectory.__name__,
client_mock,
client_id=self.client_id,
pathspec=rdf_paths.PathSpec(
path=os.path.join(self.base_path,
"test_img.dd/test directory"),
pathtype=rdf_paths.PathSpec.PathType.OS),
token=self.token):
pass
parentdir = aff4.FACTORY.Open("aff4:/audit/logs",
aff4.AFF4Volume,
mode="r",
token=self.token)
# Now we should have two collections
logs = list(parentdir.ListChildren())
self.assertEqual(len(logs), 2)
# One with two events
stored_events = audit.AuditEventCollection(logs[0],
token=self.token)
self.assertEqual(len(stored_events), 2)
# The other with one
stored_events = audit.AuditEventCollection(logs[1],
token=self.token)
self.assertEqual(len(stored_events), 1)
def ProcessMessage(self, message=None, event=None): _ = message log_urn = aff4.CurrentAuditLog() self.EnsureLogIsIndexed(log_urn) AuditEventCollection.StaticAdd(log_urn, self.token, event)