Exemple #1
0
    def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
              knowledge_base):
        """Parse the dmidecode output. All data is parsed into a dictionary."""
        _ = stderr, time_taken, args, knowledge_base  # Unused.
        self.CheckReturn(cmd, return_val)
        output = iter(stdout.splitlines())
        system_information = []
        serial_number = ""
        system_manufacturer = ""

        system_info = re.compile(r"\s*System Information")
        for line in output:
            if system_info.match(line):
                # Collect all System Information until we hit a blank line.
                while line:
                    system_information.append(line)
                    line = output.next()
                break

        system_re = re.compile(r"\s*Manufacturer: ([0-9a-zA-Z-]*)")
        serial_re = re.compile(r"\s*Serial Number: ([0-9a-zA-Z-]*)")
        for line in system_information:
            match_sn = serial_re.match(line)
            match_manf = system_re.match(line)
            if match_sn:
                serial_number = match_sn.groups()[0].strip()
            elif match_manf:
                system_manufacturer = match_manf.groups()[0].strip()

        return rdf_client.HardwareInfo(serial_number=serial_number,
                                       system_manufacturer=system_manufacturer)
Exemple #2
0
    def SetupTestClientObject(self,
                              client_nr,
                              add_cert=True,
                              arch="x86_64",
                              last_boot_time=None,
                              fqdn=None,
                              kernel="4.0.0",
                              memory_size=None,
                              os_version="buster/sid",
                              ping=None,
                              system="Linux",
                              labels=None):
        """Prepares a test client object."""
        client_id = "C.1%015x" % client_nr

        client = objects.ClientSnapshot(client_id=client_id)
        client.startup_info.client_info = self._TestClientInfo()
        if last_boot_time is not None:
            client.startup_info.boot_time = last_boot_time

        client.knowledge_base.fqdn = fqdn or "Host-%x.example.com" % client_nr
        client.knowledge_base.os = system
        client.knowledge_base.users = [
            rdf_client.User(username="******"),
            rdf_client.User(username="******"),
        ]
        client.os_version = os_version
        client.arch = arch
        client.kernel = kernel

        client.interfaces = self._TestInterfaces(client_nr)

        client.hardware_info = rdf_client.HardwareInfo(
            system_manufacturer="System-Manufacturer-%x" % client_nr,
            bios_version="Bios-Version-%x" % client_nr)

        if memory_size is not None:
            client.memory_size = memory_size

        ping = ping or rdfvalue.RDFDatetime.Now()
        if add_cert:
            cert = self.ClientCertFromPrivateKey(
                config.CONFIG["Client.private_key"])
        else:
            cert = None

        data_store.REL_DB.WriteClientMetadata(client_id,
                                              last_ping=ping,
                                              certificate=cert,
                                              fleetspeak_enabled=False)
        data_store.REL_DB.WriteClientSnapshot(client)

        client_index.ClientIndex().AddClient(client)

        if labels:
            data_store.REL_DB.AddClientLabels(client_id, "GRR", labels)
            client_index.ClientIndex().AddClientLabels(
                client_id, data_store.REL_DB.ReadClientLabels(client_id))

        return client
Exemple #3
0
  def Parse(self, query, result, knowledge_base):
    """Parse the WMI output to get Identifying Number."""
    # Currently we are only grabbing the Identifying Number
    # as the serial number (catches the unique number for VMs).
    # This could be changed to include more information from
    # Win32_ComputerSystemProduct.
    _ = query, knowledge_base

    yield rdf_client.HardwareInfo(serial_number=result["IdentifyingNumber"],
                                  system_manufacturer=result["Vendor"])
Exemple #4
0
    def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
              knowledge_base):
        """Parse the dmidecode output. All data is parsed into a dictionary."""
        _ = stderr, time_taken, args, knowledge_base  # Unused.
        self.CheckReturn(cmd, return_val)
        output = iter(stdout.splitlines())

        # Compile all regexes in advance.
        sys_info_re = re.compile(r"\s*System Information")
        sys_regexes = {
            "system_manufacturer": self._re_compile("Manufacturer"),
            "serial_number": self._re_compile("Serial Number"),
            "system_product_name": self._re_compile("Product Name"),
            "system_uuid": self._re_compile("UUID"),
            "system_sku_number": self._re_compile("SKU Number"),
            "system_family": self._re_compile("Family"),
            "system_assettag": self._re_compile("Asset Tag")
        }

        bios_info_re = re.compile(r"\s*BIOS Information")
        bios_regexes = {
            "bios_vendor": self._re_compile("Vendor"),
            "bios_version": self._re_compile("Version"),
            "bios_release_date": self._re_compile("Release Date"),
            "bios_rom_size": self._re_compile("ROM Size"),
            "bios_revision": self._re_compile("BIOS Revision")
        }

        # Initialize RDF.
        dmi_info = rdf_client.HardwareInfo()

        for line in output:
            if sys_info_re.match(line):
                # Collect all System Information until we hit a blank line.
                while line:
                    for attr, regex in sys_regexes.iteritems():
                        match = regex.match(line)
                        if match:
                            setattr(dmi_info, attr, match.group(1).strip())
                            break
                    line = output.next()

            elif bios_info_re.match(line):
                # Collect all BIOS Information until we hit a blank line.
                while line:
                    for attr, regex in bios_regexes.iteritems():
                        match = regex.match(line)
                        if match:
                            setattr(dmi_info, attr, match.group(1).strip())
                            break
                    line = output.next()

        return dmi_info
    def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
              knowledge_base):
        """Parse the system profiler output. We get it in the form of a plist."""
        _ = stderr, time_taken, args, knowledge_base  # Unused
        self.CheckReturn(cmd, return_val)

        serial_number = []
        hardware_list = []
        plist = binplist.readPlist(cStringIO.StringIO(stdout))

        if len(plist) > 1:
            raise parsers.ParseError(
                "SPHardwareDataType plist has too many items.")

        hardware_list = plist[0]["_items"][0]
        serial_number = hardware_list["serial_number"]

        yield rdf_client.HardwareInfo(serial_number=serial_number)
Exemple #6
0
    def SetupTestClientObject(self,
                              client_nr,
                              arch="x86_64",
                              kernel="4.0.0",
                              os_version="buster/sid",
                              ping=None,
                              system="Linux"):
        """Prepares a test client object."""

        client_id = "C.1%015x" % client_nr

        client = objects.Client(client_id=client_id)
        client.startup_info.client_info = self._TestClientInfo()

        client.knowledge_base.fqdn = "Host-%x.example.com" % client_nr
        client.knowledge_base.os = system
        client.knowledge_base.users = [
            rdf_client.User(username="******"),
            rdf_client.User(username="******"),
        ]
        client.os_version = os_version
        client.arch = arch
        client.kernel = kernel

        client.interfaces = self._TestInterfaces(client_nr)

        client.hardware_info = rdf_client.HardwareInfo(
            system_manufacturer="System-Manufacturer-%x" % client_nr,
            bios_version="Bios-Version-%x" % client_nr)

        ping = ping or rdfvalue.RDFDatetime.Now()
        cert = self.ClientCertFromPrivateKey(
            config.CONFIG["Client.private_key"])

        data_store.REL_DB.WriteClientMetadata(client_id,
                                              last_ping=ping,
                                              certificate=cert,
                                              fleetspeak_enabled=False)
        data_store.REL_DB.WriteClient(client)

        client_index.ClientIndex().AddClient(client_id, client)

        return client
Exemple #7
0
  def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
            knowledge_base):
    """Parse the system profiler output. We get it in the form of a plist."""
    _ = stderr, time_taken, args, knowledge_base  # Unused
    self.CheckReturn(cmd, return_val)

    plist = binplist.readPlist(cStringIO.StringIO(stdout))

    if len(plist) > 1:
      raise parsers.ParseError("SPHardwareDataType plist has too many items.")

    hardware_list = plist[0]["_items"][0]
    serial_number = getattr(hardware_list, "serial_number", None)
    system_product_name = getattr(hardware_list, "machine_model", None)
    bios_version = getattr(hardware_list, "boot_rom_version", None)

    yield rdf_client.HardwareInfo(
        serial_number=serial_number,
        bios_version=bios_version,
        system_product_name=system_product_name)
Exemple #8
0
    class SchemaCls(standard.VFSDirectory.SchemaCls):
        """The schema for the client."""
        client_index = rdfvalue.RDFURN("aff4:/index/client")

        CERT = aff4.Attribute("metadata:cert", rdf_crypto.RDFX509Cert,
                              "The PEM encoded cert of the client.")

        FILESYSTEM = aff4.Attribute("aff4:filesystem", rdf_client.Filesystems,
                                    "Filesystems on the client.")

        CLIENT_INFO = aff4.Attribute("metadata:ClientInfo",
                                     rdf_client.ClientInformation,
                                     "GRR client information",
                                     "GRR client",
                                     default=rdf_client.ClientInformation())

        LAST_BOOT_TIME = aff4.Attribute("metadata:LastBootTime",
                                        rdfvalue.RDFDatetime,
                                        "When the machine was last booted",
                                        "BootTime")

        FIRST_SEEN = aff4.Attribute(
            "metadata:FirstSeen", rdfvalue.RDFDatetime,
            "First time the client registered with us", "FirstSeen")

        # Information about the host.
        HOSTNAME = aff4.Attribute("metadata:hostname",
                                  rdfvalue.RDFString,
                                  "Hostname of the host.",
                                  "Host",
                                  index=client_index)
        FQDN = aff4.Attribute("metadata:fqdn",
                              rdfvalue.RDFString,
                              "Fully qualified hostname of the host.",
                              "FQDN",
                              index=client_index)

        SYSTEM = aff4.Attribute("metadata:system", rdfvalue.RDFString,
                                "Operating System class.", "System")
        UNAME = aff4.Attribute("metadata:uname", rdfvalue.RDFString,
                               "Uname string.", "Uname")
        OS_RELEASE = aff4.Attribute("metadata:os_release", rdfvalue.RDFString,
                                    "OS Major release number.", "Release")
        OS_VERSION = aff4.Attribute("metadata:os_version",
                                    rdf_client.VersionString,
                                    "OS Version number.", "Version")

        # ARCH values come from platform.uname machine value, e.g. x86_64, AMD64.
        ARCH = aff4.Attribute("metadata:architecture", rdfvalue.RDFString,
                              "Architecture.", "Architecture")
        INSTALL_DATE = aff4.Attribute("metadata:install_date",
                                      rdfvalue.RDFDatetime, "Install Date.",
                                      "Install")

        # The knowledge base is used for storing data about the host and users.
        # This is currently a slightly odd object as we only use some of the fields.
        # The proto itself is used in Artifact handling outside of GRR (e.g. Plaso).
        # Over time we will migrate fields into this proto, but for now it is a mix.
        KNOWLEDGE_BASE = aff4.Attribute("metadata:knowledge_base",
                                        rdf_client.KnowledgeBase,
                                        "Artifact Knowledge Base",
                                        "KnowledgeBase")

        GRR_CONFIGURATION = aff4.Attribute(
            "aff4:client_configuration", rdf_protodict.Dict,
            "Running configuration for the GRR client.", "Config")

        LIBRARY_VERSIONS = aff4.Attribute(
            "aff4:library_versions", rdf_protodict.Dict,
            "Running library versions for the client.", "Libraries")

        USERNAMES = aff4.Attribute("aff4:user_names",
                                   SpaceSeparatedStringArray,
                                   "A space separated list of system users.",
                                   "Usernames",
                                   index=client_index)

        # This information is duplicated from the INTERFACES attribute but is done
        # to allow for fast searching by mac address.
        MAC_ADDRESS = aff4.Attribute("aff4:mac_addresses",
                                     rdfvalue.RDFString,
                                     "A hex encoded MAC address.",
                                     "MAC",
                                     index=client_index)

        KERNEL = aff4.Attribute("aff4:kernel_version", rdfvalue.RDFString,
                                "Kernel version string.", "KernelVersion")

        # Same for IP addresses.
        HOST_IPS = aff4.Attribute("aff4:host_ips",
                                  rdfvalue.RDFString,
                                  "An IP address.",
                                  "Host_ip",
                                  index=client_index)

        PING = aff4.Attribute(
            "metadata:ping",
            rdfvalue.RDFDatetime,
            "The last time the server heard from this client.",
            "LastCheckin",
            versioned=False,
            default=0)

        CLOCK = aff4.Attribute("metadata:clock",
                               rdfvalue.RDFDatetime,
                               "The last clock read on the client "
                               "(Can be used to estimate client clock skew).",
                               "Clock",
                               versioned=False)

        CLIENT_IP = aff4.Attribute(
            "metadata:client_ip",
            rdfvalue.RDFString,
            "The ip address this client connected from.",
            "Client_ip",
            versioned=False)

        # This is the last foreman rule that applied to us
        LAST_FOREMAN_TIME = aff4.Attribute(
            "aff4:last_foreman_time",
            rdfvalue.RDFDatetime,
            "The last time the foreman checked us.",
            versioned=False)

        LAST_CRASH = aff4.Attribute("aff4:last_crash",
                                    rdf_client.ClientCrash,
                                    "Last client crash.",
                                    creates_new_object_version=False,
                                    versioned=False)

        VOLUMES = aff4.Attribute("aff4:volumes", rdf_client.Volumes,
                                 "Client disk volumes.")

        INTERFACES = aff4.Attribute("aff4:interfaces", rdf_client.Interfaces,
                                    "Network interfaces.", "Interfaces")

        HARDWARE_INFO = aff4.Attribute("aff4:hardware_info",
                                       rdf_client.HardwareInfo,
                                       "Various hardware information.",
                                       default=rdf_client.HardwareInfo())

        MEMORY_SIZE = aff4.Attribute(
            "aff4:memory_size", rdfvalue.ByteSize,
            "Amount of memory this client's machine has.")

        # Cloud VM information.
        CLOUD_INSTANCE = aff4.Attribute("metadata:cloud_instance",
                                        cloud.CloudInstance,
                                        "Information about cloud machines.")
Exemple #9
0
  def testGetClientSummary(self):
    hostname = "test"
    system = "Linux"
    os_release = "12.02"
    kernel = "3.15-rc2"
    fqdn = "test.test.com"
    arch = "amd64"
    install_time = rdfvalue.RDFDatetime.Now()
    user = "******"
    userobj = rdf_client.User(username=user)
    interface = rdf_client.Interface(ifname="eth0")
    google_cloud_instance = cloud.GoogleCloudInstance(
        instance_id="1771384456894610289",
        zone="projects/123456789733/zones/us-central1-a",
        project_id="myproject",
        unique_id="us-central1-a/myproject/1771384456894610289")
    cloud_instance = cloud.CloudInstance(
        cloud_type="GOOGLE", google=google_cloud_instance)

    serial_number = "DSD33679FZ"
    system_manufacturer = "Foobar Inc."
    system_uuid = "C31292AD-6Z4F-55D8-28AC-EC1100E42222"
    hwinfo = rdf_client.HardwareInfo(
        serial_number=serial_number,
        system_manufacturer=system_manufacturer,
        system_uuid=system_uuid)

    timestamp = 1
    with utils.Stubber(time, "time", lambda: timestamp):
      with aff4.FACTORY.Create(
          "C.0000000000000000",
          aff4_grr.VFSGRRClient,
          mode="rw",
          token=self.token) as fd:
        kb = rdf_client.KnowledgeBase()
        kb.users.Append(userobj)
        empty_summary = fd.GetSummary()
        self.assertEqual(empty_summary.client_id, "C.0000000000000000")
        self.assertFalse(empty_summary.system_info.version)
        self.assertEqual(empty_summary.timestamp.AsSecondsSinceEpoch(), 1)

        # This will cause TYPE to be written with current time = 101 when the
        # object is closed
        timestamp += 100
        fd.Set(fd.Schema.HOSTNAME(hostname))
        fd.Set(fd.Schema.SYSTEM(system))
        fd.Set(fd.Schema.OS_RELEASE(os_release))
        fd.Set(fd.Schema.KERNEL(kernel))
        fd.Set(fd.Schema.FQDN(fqdn))
        fd.Set(fd.Schema.ARCH(arch))
        fd.Set(fd.Schema.INSTALL_DATE(install_time))
        fd.Set(fd.Schema.KNOWLEDGE_BASE(kb))
        fd.Set(fd.Schema.USERNAMES([user]))
        fd.Set(fd.Schema.HARDWARE_INFO(hwinfo))
        fd.Set(fd.Schema.INTERFACES([interface]))
        fd.Set(fd.Schema.CLOUD_INSTANCE(cloud_instance))

      with aff4.FACTORY.Open(
          "C.0000000000000000",
          aff4_grr.VFSGRRClient,
          mode="rw",
          token=self.token) as fd:
        summary = fd.GetSummary()
        self.assertEqual(summary.system_info.system, system)
        self.assertEqual(summary.system_info.release, os_release)
        self.assertEqual(summary.system_info.kernel, kernel)
        self.assertEqual(summary.system_info.fqdn, fqdn)
        self.assertEqual(summary.system_info.machine, arch)
        self.assertEqual(summary.system_info.install_date, install_time)
        self.assertItemsEqual(summary.users, [userobj])
        self.assertItemsEqual(summary.interfaces, [interface])
        self.assertFalse(summary.client_info)

        self.assertEqual(summary.timestamp.AsSecondsSinceEpoch(), 101)
        self.assertEqual(summary.cloud_type, "GOOGLE")
        self.assertEqual(summary.cloud_instance_id,
                         "us-central1-a/myproject/1771384456894610289")

        self.assertEqual(summary.serial_number, serial_number)
        self.assertEqual(summary.system_manufacturer, system_manufacturer)
        self.assertEqual(summary.system_uuid, system_uuid)