def Issue(self, state, results): """Collect anomalous findings into a CheckResult. Comparisons with anomalous conditions collect anomalies into a single CheckResult message. The contents of the result varies depending on whether the method making the comparison is a Check, Method or Probe. - Probes evaluate raw host data and generate Anomalies. These are condensed into a new CheckResult. - Checks and Methods evaluate the results of probes (i.e. CheckResults). If there are multiple probe results, all probe anomalies are aggregated into a single new CheckResult for the Check or Method. Args: state: A text description of what combination of results were anomalous (e.g. some condition was missing or present.) results: Anomalies or CheckResult messages. Returns: A CheckResult message. """ result = rdfvalue.CheckResult() anomaly = rdfvalue.Anomaly(type="ANALYSIS_ANOMALY", explanation=self.hint.Explanation(state)) # If there are CheckResults we're aggregating methods or probes. # Merge all current results into one CheckResult. # Otherwise, the results are raw host data. # Generate a new CheckResult and add the specific findings. if results and all( isinstance(r, rdfvalue.CheckResult) for r in results): result.ExtendAnomalies(results) else: anomaly.finding = self.hint.Render(results) result.anomaly = anomaly return result
def setUp(self): super(ProcessHostDataTests, self).setUp() registered = checks.CheckRegistry.checks.keys() if "SW-CHECK" not in registered: checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sw.yaml")]) if "SSHD-CHECK" not in registered: checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sshd.yaml")]) self.netcat = rdfvalue.CheckResult( check_id="SW-CHECK", anomaly=[ anomaly_rdf.Anomaly( finding=["netcat-traditional 1.10-40 is installed"], explanation="Found: l337 software installed", type="ANALYSIS_ANOMALY") ]) self.sshd = rdfvalue.CheckResult( check_id="SSHD-CHECK", anomaly=[ anomaly_rdf.Anomaly( finding=["Configured protocols: 2,1"], explanation="Found: Sshd allows protocol 1.", type="ANALYSIS_ANOMALY") ]) self.windows = rdfvalue.CheckResult( check_id="SW-CHECK", anomaly=[ anomaly_rdf.Anomaly( finding=["Java 6.0.240 is installed"], explanation="Found: Old Java installation.", type="ANALYSIS_ANOMALY"), anomaly_rdf.Anomaly(finding=["Adware 2.1.1 is installed"], explanation="Found: Malicious software.", type="ANALYSIS_ANOMALY") ]) self.host_data = { "WMIInstalledSoftware": WMI_SW, "DebianPackagesStatus": DPKG_SW, "SshdConfigFile": SSHD_CFG }
def Detect(self, baseline, host_data): """Run host_data through detectors and return them if a detector triggers. Args: baseline: The base set of rdf values used to evaluate whether an issue exists. host_data: The rdf values passed back by the filters. Returns: A CheckResult message containing anomalies if any detectors identified an issue, None otherwise. """ result = rdfvalue.CheckResult() for detector in self.detectors: for finding in detector(baseline, host_data): if finding: result.ExtendAnomalies(finding) if result: return result
def testNfsExportsCheck(self): """Ensure NFS export checks work as expected.""" self.LoadCheck("nfs.yaml") # Create some host_data.. host_data = {} self.SetKnowledgeBase("test.example.com", "Linux", host_data) parser = config_file.NfsExportsParser() with open(self.TestDataPath("exports")) as export_fd: host_data["NfsExportsFile"] = list(parser.Parse(None, export_fd, None)) results = self.RunChecks(host_data) anom = rdfvalue.Anomaly( explanation="Found: Default r/w NFS exports are too permissive.", finding=["/path/to/foo: defaults:rw,sync hosts:host1,host2 options:ro", ("/path/to/bar: defaults:rw " "hosts:*.example.org,192.168.1.0/24 " "options:all_squash,ro")], type="ANALYSIS_ANOMALY") expected = rdfvalue.CheckResult(check_id="CCE-4350-5", anomaly=anom) self.assertResultEqual(expected, results["CCE-4350-5"])