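def Handle(self, args, token=None):
  """Start a size-limited FileFinder flow on the requested client.

  The caller supplies the paths and the action; this handler wraps them into
  FileFinder arguments, runs them through the flow throttler and starts the
  flow with a network byte cap.

  Args:
    args: Request carrying `paths`, `action` and `max_file_size`. The paths
      are handed to FileFinder unchanged.
    token: Access token of the caller. It is mandatory here: its `username`
      is what the throttler enforces limits against.

  Returns:
    ApiStartRobotGetFilesOperationResult holding the id of the started flow.

  Raises:
    ValueError: if no token was supplied (the original code would have
      failed with an AttributeError on `token.username`).
    Whatever throttle.FlowThrottler.EnforceLimits raises when the caller is
      over the configured flow limits.
  """
  if token is None:
    raise ValueError("A token with a username is required to start the flow.")

  client_urn = self.GetClientTarget(args, token=token)

  # Cap the size of each file the client may return.
  size_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=file_finder.FileFinderSizeCondition(
          max_file_size=args.max_file_size))

  file_finder_args = file_finder.FileFinderArgs(
      paths=args.paths,
      action=file_finder.FileFinderAction(action_type=args.action),
      conditions=[size_condition])

  # Check our flow throttling limits, will raise if there are problems.
  throttler = throttle.FlowThrottler()
  throttler.EnforceLimits(
      client_urn,
      token.username,
      file_finder.FileFinder.__name__,
      file_finder_args,
      token=token)

  # Limit the whole flow to 200MB so if a glob matches lots of small files we
  # still don't have too much impact.
  runner_args = flow_runner.FlowRunnerArgs(
      client_id=client_urn,
      flow_name=file_finder.FileFinder.__name__,
      network_bytes_limit=200 * 1000 * 1000)

  flow_id = flow.GRRFlow.StartFlow(
      runner_args=runner_args, token=token, args=file_finder_args)

  return ApiStartRobotGetFilesOperationResult(
      operation_id=utils.SmartUnicode(flow_id))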
class TestFileFinderOSLinuxProc(transfer.TestGetFileOSLinux):
  """Fetch a /proc/sys entry through FileFinder and check it has content."""

  platforms = ["Linux"]
  flow = "FileFinder"
  test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
  # /proc reads via FileFinder need a sufficiently recent client.
  client_min_version = 3007

  # Download action, unconstrained beyond a 1MB size ceiling.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  args = {
      "paths": ["/proc/sys/net/ipv4/ip_forward"],
      "conditions": filecondition,
      "action": action,
  }

  def CheckFile(self, fd):
    """Assert the downloaded sysctl entry is non-empty.

    Args:
      fd: File object for the fetched path; only its Read() is used.
    """
    head = fd.Read(10)
    # Some value was read from the sysctl.
    self.assertTrue(head)
def testSizeCondition(self):
  """A min-size condition keeps only the registry value above the threshold."""
  # There are two values, one is 20 bytes, the other 53.
  min_size = 50
  run_key_glob = (
      "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")
  size_filter = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.SIZE,
      size=file_finder.FileFinderSizeCondition(min_file_size=min_size))

  self.RunFlow([run_key_glob], [size_filter])

  results = self.GetResults()
  self.assertEqual(len(results), 1)
  self.assertGreater(results[0].stat_entry.st_size, min_size)
def testSizeConditionWithDifferentActions(self):
  """Every FileFinder action honours a max-size condition the same way."""
  expected_files = ["dpkg.log", "dpkg_false.log"]
  non_expected_files = ["auth.log"]

  # Set the ceiling just above the largest expected fixture so that all of
  # the expected files pass the condition.
  largest = max(
      os.stat(os.path.join(self.fixture_path, name)).st_size
      for name in expected_files)
  size_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=file_finder.FileFinderSizeCondition(max_file_size=largest + 1))

  all_actions = sorted(file_finder.FileFinderAction.Action.enum_dict.values())
  for action in all_actions:
    self.RunFlowAndCheckResults(
        action=action,
        conditions=[size_condition],
        expected_files=expected_files,
        non_expected_files=non_expected_files)
def testSizeAndRegexConditionsWithDifferentActions(self):
  """Combined size and regex conditions filter everything, in either order."""
  files_over_size_limit = ["auth.log"]
  filtered_files = ["dpkg.log", "dpkg_false.log"]
  expected_files = []
  non_expected_files = files_over_size_limit + filtered_files

  # Size ceiling strictly below the smallest oversized fixture.
  smallest_oversized = min(
      os.stat(os.path.join(self.fixture_path, name)).st_size
      for name in files_over_size_limit)
  size_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=file_finder.FileFinderSizeCondition(
          max_file_size=smallest_oversized - 1))

  regex_match = file_finder.FileFinderContentsRegexMatchCondition(
      mode=file_finder.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS,
      bytes_before=10,
      bytes_after=10,
      regex="session opened for user .*?john")
  regex_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
      contents_regex_match=regex_match)

  all_actions = sorted(file_finder.FileFinderAction.Action.enum_dict.values())

  # Run both orderings of the conditions: the result must not depend on
  # which condition is evaluated first.
  for conditions in ([size_condition, regex_condition],
                     [regex_condition, size_condition]):
    for action in all_actions:
      self.RunFlowAndCheckResults(
          action=action,
          conditions=conditions,
          expected_files=expected_files,
          non_expected_files=non_expected_files)
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
  """Fetch /bin/ps through FileFinder; the base class checks it is an ELF."""

  platforms = ["Linux"]
  flow = "FileFinder"
  test_output_path = "/fs/os/bin/ps"

  # Download action, capped at 1MB per file.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  args = {
      "paths": ["/bin/ps"],
      "conditions": filecondition,
      "action": action,
  }
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
  """Fetch a /proc/sys entry through FileFinder; the base class checks it exists."""

  platforms = ["Linux"]
  flow = "FileFinder"
  test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
  # /proc reads via FileFinder need a sufficiently recent client.
  client_min_version = 3007

  # Download action, capped at 1MB per file.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  args = {
      "paths": ["/proc/sys/net/ipv4/ip_forward"],
      "conditions": filecondition,
      "action": action,
  }
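def Render(self, args, token=None):
  """Start a size-limited FileFinder flow and render the result as a dict.

  Wraps the caller's paths and action into FileFinder arguments, enforces the
  flow throttler, starts the flow with a network byte cap and returns the
  rendered flow id, flow args, runner args and a status URL.

  Args:
    args: Request carrying `paths`, `action` and `max_file_size`. The paths
      are handed to FileFinder unchanged.
    token: Access token of the caller. It is mandatory here: its `username`
      is what the throttler enforces limits against.

  Returns:
    dict with keys `flow_id`, `flow_args`, `runner_args` (rendered values)
    and `status_url` (a URL under AdminUI.url for checking the flow status).

  Raises:
    ValueError: if no token was supplied (the original code would have
      failed with an AttributeError on `token.username`).
    Whatever throttle.FlowThrottler.EnforceLimits raises when the caller is
      over the configured flow limits.
  """
  if token is None:
    raise ValueError("A token with a username is required to start the flow.")

  client_urn = self.GetClientTarget(args, token=token)

  # Cap the size of each file the client may return.
  size_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=file_finder.FileFinderSizeCondition(
          max_file_size=args.max_file_size))

  file_finder_args = file_finder.FileFinderArgs(
      paths=args.paths,
      action=file_finder.FileFinderAction(action_type=args.action),
      conditions=[size_condition])

  # Check our flow throttling limits, will raise if there are problems.
  throttler = throttle.FlowThrottler()
  throttler.EnforceLimits(
      client_urn, token.username, "FileFinder", file_finder_args, token=token)

  # Limit the whole flow to 200MB so if a glob matches lots of small files we
  # still don't have too much impact.
  runner_args = flow_runner.FlowRunnerArgs(
      client_id=client_urn,
      flow_name="FileFinder",
      network_bytes_limit=200 * 1000 * 1000)

  flow_id = flow.GRRFlow.StartFlow(
      runner_args=runner_args, token=token, args=file_finder_args)

  # Provide a url where the caller can check on the flow status.
  status_url = urlparse.urljoin(
      config_lib.CONFIG["AdminUI.url"],
      "/api/flows/%s/%s/status" % (client_urn.Basename(), flow_id.Basename()))

  return dict(
      flow_id=api_value_renderers.RenderValue(flow_id),
      flow_args=api_value_renderers.RenderValue(file_finder_args),
      runner_args=api_value_renderers.RenderValue(runner_args),
      status_url=status_url)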
class TestFileFinderOSWindows(transfer.TestGetFileOSWindows):
  """Fetch notepad.exe through FileFinder on Windows.

  The path uses a %%environ_systemroot%% interpolation and a glob, so this
  exercises globbing, interpolation and size filtering together.
  """

  flow = "FileFinder"
  test_output_path = "/fs/os/.*/Windows/System32/notepad.exe"

  # Download action, capped at 1MB per file.
  download = file_finder.FileFinderDownloadActionOptions()
  action = file_finder.FileFinderAction(
      action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
      download=download)

  sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
  filecondition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.SIZE,
      size=sizecondition)

  args = {
      "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
      "conditions": filecondition,
      "action": action,
  }