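    def _MeetsConditions(self, source):
        """Return True if every condition on *source* holds for this client.

        The supported_os entry of the source is turned into a condition and
        checked together with ``source.conditions``, on a local copy: the
        registry's source definition is not mutated, so repeated calls do not
        accumulate duplicate conditions on it.

        Args:
          source: An artifact source whose ``conditions`` are checked against
            ``self.args.knowledge_base``.
        """
        conditions = list(source.conditions)
        os_conditions = ConvertSupportedOSToConditions(source)
        if os_conditions:
            conditions.append(os_conditions)
        knowledge_base = self.args.knowledge_base
        # Every condition is evaluated (no short-circuit) before combining.
        results = [artifact_utils.CheckCondition(condition, knowledge_base)
                   for condition in conditions]
        return all(results)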
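    def Collect(self, artifact_obj):
        """Collect the raw data from the client for this artifact.

        Artifact-level conditions are checked first; if any of them fails the
        artifact is recorded in ``self.state.artifacts_skipped_due_to_condition``
        and nothing is collected. Otherwise every source whose own conditions
        hold is dispatched to the client action matching its ``type``.

        Args:
          artifact_obj: Artifact definition; its ``name``, ``conditions`` and
            ``sources`` are read here.

        Raises:
          RuntimeError: If a source carries a type this collector cannot handle.
        """
        artifact_name = artifact_obj.name

        # Work on a copy so the derived supported_os condition is not written
        # back into the artifact definition held by the registry.
        test_conditions = list(artifact_obj.conditions)
        self.ConvertSupportedOSToConditions(artifact_obj, test_conditions)

        # Check each of the conditions match our target.
        for condition in test_conditions:
            if not artifact_utils.CheckCondition(condition,
                                                 self.state.knowledge_base):
                logging.debug("Artifact %s condition %s failed on %s",
                              artifact_name, condition, self.client_id)
                self.state.artifacts_skipped_due_to_condition.append(
                    (artifact_name, condition))
                return

        # Call the source defined action for each source.
        for source in artifact_obj.sources:
            if self._SourceConditionsMet(source):
                self.current_artifact_name = artifact_name
                self._RunSource(source, artifact_name)
            else:
                # NOTE: emitted once per skipped source, not once per artifact,
                # despite the wording of the message.
                logging.debug(
                    "Artifact %s no sources run due to all sources "
                    "having failing conditions on %s", artifact_name,
                    self.client_id)

    def _SourceConditionsMet(self, source):
        """Return True if every condition attached to *source* holds.

        The source's supported_os entry is converted into a condition on a
        copy of ``source.conditions`` (the same pattern ``Collect`` uses for
        the artifact-level conditions), so the registry object is left
        untouched and repeated collections do not accumulate duplicates.

        Args:
          source: An artifact source whose ``conditions`` are evaluated
            against ``self.state.knowledge_base``.
        """
        conditions = list(source.conditions)
        self.ConvertSupportedOSToConditions(source, conditions)
        # All conditions are evaluated (no short-circuit).
        results = [
            artifact_utils.CheckCondition(condition, self.state.knowledge_base)
            for condition in conditions
        ]
        return all(results)

    def _RunSource(self, source, artifact_name):
        """Run the client action selected by ``source.type``.

        The caller sets ``self.current_artifact_name`` before invoking this.
        COMMAND, FILE, GREP, REGISTRY and WMI sources all execute on the
        client, so the artifact registry feeding this dispatch is trusted
        input by design.

        Args:
          source: The artifact source to execute.
          artifact_name: Used only in the error raised for an unknown type.

        Raises:
          RuntimeError: If ``source.type`` is not a handled SourceType.
        """
        type_name = source.type
        source_type = artifact_registry.ArtifactSource.SourceType
        if type_name == source_type.COMMAND:
            self.RunCommand(source)
        elif type_name in (source_type.DIRECTORY, source_type.LIST_FILES):
            # TODO(user): LIST_FILES will be replaced in favor of
            # DIRECTORY as used by the public artifacts repo.
            self.Glob(source, self.GetPathType())
        elif type_name == source_type.FILE:
            self.GetFiles(source, self.GetPathType(),
                          self.args.max_file_size)
        elif type_name == source_type.GREP:
            self.Grep(source, self.GetPathType())
        elif type_name == source_type.PATH:
            # TODO(user): GRR currently ignores PATH types, they are currently
            # only useful to plaso during bootstrapping when the registry is
            # unavailable. The intention is to remove this type in favor of a
            # default fallback mechanism.
            pass
        elif type_name == source_type.REGISTRY_KEY:
            self.GetRegistryKey(source)
        elif type_name == source_type.REGISTRY_VALUE:
            self.GetRegistryValue(source)
        elif type_name == source_type.WMI:
            self.WMIQuery(source)
        elif type_name == source_type.REKALL_PLUGIN:
            self.RekallPlugin(source)
        # ARTIFACT is the legacy name for ARTIFACT_GROUP
        # per: https://github.com/ForensicArtifacts/artifacts/pull/143
        # TODO(user): remove legacy support after migration.
        elif type_name in (source_type.ARTIFACT,
                           source_type.ARTIFACT_GROUP):
            self.CollectArtifacts(source)
        elif type_name == source_type.ARTIFACT_FILES:
            self.CollectArtifactFiles(source)
        elif type_name == source_type.GRR_CLIENT_ACTION:
            self.RunGrrClientAction(source)
        else:
            raise RuntimeError("Invalid type %s in %s" %
                               (type_name, artifact_name))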
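    def Collect(self, artifact_obj):
        """Collect the raw data from the client for this artifact.

        Artifact-level conditions are checked first; if any of them fails the
        artifact is recorded in ``self.state.artifacts_skipped_due_to_condition``
        and nothing is collected. Otherwise every source whose own conditions
        hold is dispatched to the client action matching its ``type``. Those
        actions (commands, file reads, registry and WMI queries) run on the
        client, so the artifact registry feeding this method is trusted input
        by design.

        Args:
          artifact_obj: Artifact definition; its ``name``, ``conditions`` and
            ``sources`` are read here.

        Raises:
          RuntimeError: If a source carries a type this collector cannot handle.
        """
        artifact_name = artifact_obj.name

        # Work on a copy so the derived supported_os condition is not written
        # back into the artifact definition held by the registry.
        test_conditions = list(artifact_obj.conditions)
        self.ConvertSupportedOSToConditions(artifact_obj, test_conditions)

        # Check each of the conditions match our target.
        for condition in test_conditions:
            if not artifact_utils.CheckCondition(condition,
                                                 self.state.knowledge_base):
                logging.debug("Artifact %s condition %s failed on %s",
                              artifact_name, condition, self.client_id)
                self.state.artifacts_skipped_due_to_condition.append(
                    (artifact_name, condition))
                return

        # Call the source defined action for each source.
        for source in artifact_obj.sources:
            # Check conditions on the source, on a copy of its condition list
            # (as done above for the artifact) so the registry object is not
            # mutated and repeated collections do not accumulate duplicates.
            source_conditions = list(source.conditions)
            self.ConvertSupportedOSToConditions(source, source_conditions)
            # All conditions are evaluated (no short-circuit).
            condition_results = [
                artifact_utils.CheckCondition(condition,
                                              self.state.knowledge_base)
                for condition in source_conditions
            ]

            if all(condition_results):
                type_name = source.type
                source_type = artifact_registry.ArtifactSource.SourceType
                self.current_artifact_name = artifact_name
                if type_name == source_type.COMMAND:
                    self.RunCommand(source)
                elif type_name == source_type.FILE:
                    self.GetFiles(source, self.state.path_type,
                                  self.args.max_file_size)
                elif type_name == source_type.GREP:
                    self.Grep(source, self.state.path_type)
                elif type_name == source_type.LIST_FILES:
                    self.Glob(source, self.state.path_type)
                elif type_name == source_type.PATH:
                    # GRR currently ignores PATH types, they are currently only useful
                    # to plaso during bootstrapping when the registry is unavailable.
                    pass
                elif type_name == source_type.REGISTRY_KEY:
                    self.GetRegistryKey(source)
                elif type_name == source_type.REGISTRY_VALUE:
                    self.GetRegistryValue(source)
                elif type_name == source_type.WMI:
                    self.WMIQuery(source)
                elif type_name == source_type.REKALL_PLUGIN:
                    self.RekallPlugin(source)
                elif type_name == source_type.ARTIFACT:
                    self.CollectArtifacts(source)
                elif type_name == source_type.ARTIFACT_FILES:
                    self.CollectArtifactFiles(source)
                elif type_name == source_type.GRR_CLIENT_ACTION:
                    self.RunGrrClientAction(source)
                else:
                    raise RuntimeError("Invalid type %s in %s" %
                                       (type_name, artifact_name))

            else:
                # NOTE: emitted once per skipped source, not once per artifact,
                # despite the wording of the message.
                logging.debug(
                    "Artifact %s no sources run due to all sources "
                    "having failing conditions on %s", artifact_name,
                    self.client_id)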