def _SampleTwoTypeHuntResults(self,
client_id=None,
flow_id=None,
hunt_id=None,
count_per_type=5,
timestamp_start=10):
self.assertIsNotNone(client_id)
self.assertIsNotNone(flow_id)
self.assertIsNotNone(hunt_id)
return [
rdf_flow_objects.FlowResult(
client_id=client_id,
flow_id=flow_id,
hunt_id=hunt_id,
tag="tag_%d" % i,
payload=rdf_client.ClientSummary(
client_id=client_id,
system_manufacturer="manufacturer_%d" % i,
install_date=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
timestamp_start + i))) for i in range(count_per_type)
] + [
rdf_flow_objects.FlowResult(
client_id=client_id,
flow_id=flow_id,
hunt_id=hunt_id,
tag="tag_%d" % i,
payload=rdf_client.ClientCrash(
client_id=client_id,
timestamp=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
timestamp_start + i))) for i in range(count_per_type)
]
def testRdfFormatter(self):
"""Hints format RDF values with arbitrary values and attributes."""
# Create a complex RDF value
rdf = rdf_client.ClientSummary()
rdf.system_info.system = "Linux"
rdf.system_info.fqdn = "coreai.skynet.com"
# Users (repeated)
rdf.users = [rdf_client.User(username=u) for u in ("root", "jconnor")]
# Interface (nested, repeated)
addresses = [
rdf_client_network.NetworkAddress(human_readable_address=a)
for a in ("1.1.1.1", "2.2.2.2", "3.3.3.3")
]
eth0 = rdf_client_network.Interface(ifname="eth0",
addresses=addresses[:2])
ppp0 = rdf_client_network.Interface(ifname="ppp0",
addresses=addresses[2:3])
rdf.interfaces = [eth0, ppp0]
template = (
"{system_info.system} {users.username} {interfaces.ifname} "
"{interfaces.addresses.human_readable_address}\n")
hinter = hints.Hinter(template=template)
expected = "Linux root,jconnor eth0,ppp0 1.1.1.1,2.2.2.2,3.3.3.3"
result = hinter.Render(rdf)
self.assertEqual(expected, result)
def testClientSummaryToExportedNetworkInterfaceConverter(self):
mac_address_bytes = b"123456"
mac_address = text.Hexify(mac_address_bytes)
summary = rdf_client.ClientSummary(interfaces=[
rdf_client_network.Interface(
mac_address=mac_address_bytes,
ifname="eth0",
addresses=[
rdf_client_network.NetworkAddress(
address_type=rdf_client_network.NetworkAddress.Family.INET,
packed_bytes=socket.inet_pton(socket.AF_INET, "127.0.0.1"),
),
rdf_client_network.NetworkAddress(
address_type=rdf_client_network.NetworkAddress.Family.INET,
packed_bytes=socket.inet_pton(socket.AF_INET, "10.0.0.1"),
),
rdf_client_network.NetworkAddress(
address_type=rdf_client_network.NetworkAddress.Family.INET6,
packed_bytes=socket.inet_pton(socket.AF_INET6,
"2001:720:1500:1::a100"),
)
])
])
converter = client_summary.ClientSummaryToExportedNetworkInterfaceConverter(
)
results = list(converter.Convert(self.metadata, summary))
self.assertLen(results, 1)
self.assertEqual(results[0].mac_address, mac_address)
self.assertEqual(results[0].ifname, "eth0")
self.assertEqual(results[0].ip4_addresses, "127.0.0.1 10.0.0.1")
self.assertEqual(results[0].ip6_addresses, "2001:720:1500:1::a100")
def testClientSummaryToExportedClientConverter(self):
summary = rdf_client.ClientSummary()
metadata = base.ExportedMetadata(hostname="ahostname")
converter = client_summary.ClientSummaryToExportedClientConverter()
results = list(converter.Convert(metadata, summary))
self.assertLen(results, 1)
self.assertEqual(results[0].metadata.hostname, "ahostname")
def _SampleSingleTypeHuntResults(self, client_id=None, count=10):
client_id = client_id or "C.1234567890123456"
return [
rdf_flow_objects.FlowResult(
tag="tag_%d" % i,
payload=rdf_client.ClientSummary(
client_id=client_id,
system_manufacturer="manufacturer_%d" % i,
install_date=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
10 + i))) for i in range(count)
]
def GetSummary(self):
"""Gets a client summary object.
Returns:
rdf_client.ClientSummary
Raises:
ValueError: on bad cloud type
"""
summary = rdf_client.ClientSummary()
summary.client_id = self.client_id
summary.timestamp = self.timestamp
summary.system_info.release = self.os_release
summary.system_info.version = str(self.os_version or "")
summary.system_info.kernel = self.kernel
summary.system_info.machine = self.arch
summary.system_info.install_date = self.install_time
kb = self.knowledge_base
if kb:
summary.system_info.fqdn = kb.fqdn
summary.system_info.system = kb.os
summary.users = kb.users
summary.interfaces = self.interfaces
summary.client_info = self.startup_info.client_info
if kb.os_release:
summary.system_info.release = kb.os_release
if kb.os_major_version:
summary.system_info.version = "%d.%d" % (
kb.os_major_version, kb.os_minor_version)
summary.edr_agents = self.edr_agents
summary.fleetspeak_validation_info = self.fleetspeak_validation_info
hwi = self.hardware_info
if hwi:
summary.serial_number = hwi.serial_number
summary.system_manufacturer = hwi.system_manufacturer
summary.system_uuid = hwi.system_uuid
cloud_instance = self.cloud_instance
if cloud_instance:
summary.cloud_type = cloud_instance.cloud_type
if cloud_instance.cloud_type == "GOOGLE":
summary.cloud_instance_id = cloud_instance.google.unique_id
elif cloud_instance.cloud_type == "AMAZON":
summary.cloud_instance_id = cloud_instance.amazon.instance_id
else:
raise ValueError("Bad cloud type: %s" %
cloud_instance.cloud_type)
return summary
def GetSummary(self):
"""Gets a client summary object.
Returns:
rdf_client.ClientSummary
Raises:
ValueError: on bad cloud type
"""
self.max_age = 0
summary = rdf_client.ClientSummary(client_id=self.urn)
summary.system_info.system = self.Get(self.Schema.SYSTEM)
summary.system_info.release = self.Get(self.Schema.OS_RELEASE)
summary.system_info.version = str(self.Get(self.Schema.OS_VERSION, ""))
summary.system_info.kernel = self.Get(self.Schema.KERNEL)
summary.system_info.fqdn = self.Get(self.Schema.FQDN)
summary.system_info.machine = self.Get(self.Schema.ARCH)
summary.system_info.install_date = self.Get(self.Schema.INSTALL_DATE)
kb = self.Get(self.Schema.KNOWLEDGE_BASE)
if kb:
summary.users = kb.users
summary.interfaces = self.Get(self.Schema.INTERFACES)
summary.client_info = self.Get(self.Schema.CLIENT_INFO)
hwi = self.Get(self.Schema.HARDWARE_INFO)
if hwi:
summary.serial_number = hwi.serial_number
summary.system_manufacturer = hwi.system_manufacturer
summary.system_uuid = hwi.system_uuid
summary.timestamp = self.age
cloud_instance = self.Get(self.Schema.CLOUD_INSTANCE)
if cloud_instance:
summary.cloud_type = cloud_instance.cloud_type
if cloud_instance.cloud_type == "GOOGLE":
summary.cloud_instance_id = cloud_instance.google.unique_id
elif cloud_instance.cloud_type == "AMAZON":
summary.cloud_instance_id = cloud_instance.amazon.instance_id
else:
raise ValueError("Bad cloud type: %s" %
cloud_instance.cloud_type)
return summary