def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
knowledge_base):
"""Parse the dmidecode output. All data is parsed into a dictionary."""
_ = stderr, time_taken, args, knowledge_base # Unused.
self.CheckReturn(cmd, return_val)
output = iter(stdout.splitlines())
system_information = []
serial_number = ""
system_manufacturer = ""
system_info = re.compile(r"\s*System Information")
for line in output:
if system_info.match(line):
# Collect all System Information until we hit a blank line.
while line:
system_information.append(line)
line = output.next()
break
system_re = re.compile(r"\s*Manufacturer: ([0-9a-zA-Z-]*)")
serial_re = re.compile(r"\s*Serial Number: ([0-9a-zA-Z-]*)")
for line in system_information:
match_sn = serial_re.match(line)
match_manf = system_re.match(line)
if match_sn:
serial_number = match_sn.groups()[0].strip()
elif match_manf:
system_manufacturer = match_manf.groups()[0].strip()
return rdf_client.HardwareInfo(serial_number=serial_number,
system_manufacturer=system_manufacturer)
def SetupTestClientObject(self,
client_nr,
add_cert=True,
arch="x86_64",
last_boot_time=None,
fqdn=None,
kernel="4.0.0",
memory_size=None,
os_version="buster/sid",
ping=None,
system="Linux",
labels=None):
"""Prepares a test client object."""
client_id = "C.1%015x" % client_nr
client = objects.ClientSnapshot(client_id=client_id)
client.startup_info.client_info = self._TestClientInfo()
if last_boot_time is not None:
client.startup_info.boot_time = last_boot_time
client.knowledge_base.fqdn = fqdn or "Host-%x.example.com" % client_nr
client.knowledge_base.os = system
client.knowledge_base.users = [
rdf_client.User(username="******"),
rdf_client.User(username="******"),
]
client.os_version = os_version
client.arch = arch
client.kernel = kernel
client.interfaces = self._TestInterfaces(client_nr)
client.hardware_info = rdf_client.HardwareInfo(
system_manufacturer="System-Manufacturer-%x" % client_nr,
bios_version="Bios-Version-%x" % client_nr)
if memory_size is not None:
client.memory_size = memory_size
ping = ping or rdfvalue.RDFDatetime.Now()
if add_cert:
cert = self.ClientCertFromPrivateKey(
config.CONFIG["Client.private_key"])
else:
cert = None
data_store.REL_DB.WriteClientMetadata(client_id,
last_ping=ping,
certificate=cert,
fleetspeak_enabled=False)
data_store.REL_DB.WriteClientSnapshot(client)
client_index.ClientIndex().AddClient(client)
if labels:
data_store.REL_DB.AddClientLabels(client_id, "GRR", labels)
client_index.ClientIndex().AddClientLabels(
client_id, data_store.REL_DB.ReadClientLabels(client_id))
return client
def Parse(self, query, result, knowledge_base):
"""Parse the WMI output to get Identifying Number."""
# Currently we are only grabbing the Identifying Number
# as the serial number (catches the unique number for VMs).
# This could be changed to include more information from
# Win32_ComputerSystemProduct.
_ = query, knowledge_base
yield rdf_client.HardwareInfo(serial_number=result["IdentifyingNumber"],
system_manufacturer=result["Vendor"])
def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
knowledge_base):
"""Parse the dmidecode output. All data is parsed into a dictionary."""
_ = stderr, time_taken, args, knowledge_base # Unused.
self.CheckReturn(cmd, return_val)
output = iter(stdout.splitlines())
# Compile all regexes in advance.
sys_info_re = re.compile(r"\s*System Information")
sys_regexes = {
"system_manufacturer": self._re_compile("Manufacturer"),
"serial_number": self._re_compile("Serial Number"),
"system_product_name": self._re_compile("Product Name"),
"system_uuid": self._re_compile("UUID"),
"system_sku_number": self._re_compile("SKU Number"),
"system_family": self._re_compile("Family"),
"system_assettag": self._re_compile("Asset Tag")
}
bios_info_re = re.compile(r"\s*BIOS Information")
bios_regexes = {
"bios_vendor": self._re_compile("Vendor"),
"bios_version": self._re_compile("Version"),
"bios_release_date": self._re_compile("Release Date"),
"bios_rom_size": self._re_compile("ROM Size"),
"bios_revision": self._re_compile("BIOS Revision")
}
# Initialize RDF.
dmi_info = rdf_client.HardwareInfo()
for line in output:
if sys_info_re.match(line):
# Collect all System Information until we hit a blank line.
while line:
for attr, regex in sys_regexes.iteritems():
match = regex.match(line)
if match:
setattr(dmi_info, attr, match.group(1).strip())
break
line = output.next()
elif bios_info_re.match(line):
# Collect all BIOS Information until we hit a blank line.
while line:
for attr, regex in bios_regexes.iteritems():
match = regex.match(line)
if match:
setattr(dmi_info, attr, match.group(1).strip())
break
line = output.next()
return dmi_info
def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
knowledge_base):
"""Parse the system profiler output. We get it in the form of a plist."""
_ = stderr, time_taken, args, knowledge_base # Unused
self.CheckReturn(cmd, return_val)
serial_number = []
hardware_list = []
plist = binplist.readPlist(cStringIO.StringIO(stdout))
if len(plist) > 1:
raise parsers.ParseError(
"SPHardwareDataType plist has too many items.")
hardware_list = plist[0]["_items"][0]
serial_number = hardware_list["serial_number"]
yield rdf_client.HardwareInfo(serial_number=serial_number)
def SetupTestClientObject(self,
client_nr,
arch="x86_64",
kernel="4.0.0",
os_version="buster/sid",
ping=None,
system="Linux"):
"""Prepares a test client object."""
client_id = "C.1%015x" % client_nr
client = objects.Client(client_id=client_id)
client.startup_info.client_info = self._TestClientInfo()
client.knowledge_base.fqdn = "Host-%x.example.com" % client_nr
client.knowledge_base.os = system
client.knowledge_base.users = [
rdf_client.User(username="******"),
rdf_client.User(username="******"),
]
client.os_version = os_version
client.arch = arch
client.kernel = kernel
client.interfaces = self._TestInterfaces(client_nr)
client.hardware_info = rdf_client.HardwareInfo(
system_manufacturer="System-Manufacturer-%x" % client_nr,
bios_version="Bios-Version-%x" % client_nr)
ping = ping or rdfvalue.RDFDatetime.Now()
cert = self.ClientCertFromPrivateKey(
config.CONFIG["Client.private_key"])
data_store.REL_DB.WriteClientMetadata(client_id,
last_ping=ping,
certificate=cert,
fleetspeak_enabled=False)
data_store.REL_DB.WriteClient(client)
client_index.ClientIndex().AddClient(client_id, client)
return client
def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
knowledge_base):
"""Parse the system profiler output. We get it in the form of a plist."""
_ = stderr, time_taken, args, knowledge_base # Unused
self.CheckReturn(cmd, return_val)
plist = binplist.readPlist(cStringIO.StringIO(stdout))
if len(plist) > 1:
raise parsers.ParseError("SPHardwareDataType plist has too many items.")
hardware_list = plist[0]["_items"][0]
serial_number = getattr(hardware_list, "serial_number", None)
system_product_name = getattr(hardware_list, "machine_model", None)
bios_version = getattr(hardware_list, "boot_rom_version", None)
yield rdf_client.HardwareInfo(
serial_number=serial_number,
bios_version=bios_version,
system_product_name=system_product_name)
class SchemaCls(standard.VFSDirectory.SchemaCls):
"""The schema for the client."""
client_index = rdfvalue.RDFURN("aff4:/index/client")
CERT = aff4.Attribute("metadata:cert", rdf_crypto.RDFX509Cert,
"The PEM encoded cert of the client.")
FILESYSTEM = aff4.Attribute("aff4:filesystem", rdf_client.Filesystems,
"Filesystems on the client.")
CLIENT_INFO = aff4.Attribute("metadata:ClientInfo",
rdf_client.ClientInformation,
"GRR client information",
"GRR client",
default=rdf_client.ClientInformation())
LAST_BOOT_TIME = aff4.Attribute("metadata:LastBootTime",
rdfvalue.RDFDatetime,
"When the machine was last booted",
"BootTime")
FIRST_SEEN = aff4.Attribute(
"metadata:FirstSeen", rdfvalue.RDFDatetime,
"First time the client registered with us", "FirstSeen")
# Information about the host.
HOSTNAME = aff4.Attribute("metadata:hostname",
rdfvalue.RDFString,
"Hostname of the host.",
"Host",
index=client_index)
FQDN = aff4.Attribute("metadata:fqdn",
rdfvalue.RDFString,
"Fully qualified hostname of the host.",
"FQDN",
index=client_index)
SYSTEM = aff4.Attribute("metadata:system", rdfvalue.RDFString,
"Operating System class.", "System")
UNAME = aff4.Attribute("metadata:uname", rdfvalue.RDFString,
"Uname string.", "Uname")
OS_RELEASE = aff4.Attribute("metadata:os_release", rdfvalue.RDFString,
"OS Major release number.", "Release")
OS_VERSION = aff4.Attribute("metadata:os_version",
rdf_client.VersionString,
"OS Version number.", "Version")
# ARCH values come from platform.uname machine value, e.g. x86_64, AMD64.
ARCH = aff4.Attribute("metadata:architecture", rdfvalue.RDFString,
"Architecture.", "Architecture")
INSTALL_DATE = aff4.Attribute("metadata:install_date",
rdfvalue.RDFDatetime, "Install Date.",
"Install")
# The knowledge base is used for storing data about the host and users.
# This is currently a slightly odd object as we only use some of the fields.
# The proto itself is used in Artifact handling outside of GRR (e.g. Plaso).
# Over time we will migrate fields into this proto, but for now it is a mix.
KNOWLEDGE_BASE = aff4.Attribute("metadata:knowledge_base",
rdf_client.KnowledgeBase,
"Artifact Knowledge Base",
"KnowledgeBase")
GRR_CONFIGURATION = aff4.Attribute(
"aff4:client_configuration", rdf_protodict.Dict,
"Running configuration for the GRR client.", "Config")
LIBRARY_VERSIONS = aff4.Attribute(
"aff4:library_versions", rdf_protodict.Dict,
"Running library versions for the client.", "Libraries")
USERNAMES = aff4.Attribute("aff4:user_names",
SpaceSeparatedStringArray,
"A space separated list of system users.",
"Usernames",
index=client_index)
# This information is duplicated from the INTERFACES attribute but is done
# to allow for fast searching by mac address.
MAC_ADDRESS = aff4.Attribute("aff4:mac_addresses",
rdfvalue.RDFString,
"A hex encoded MAC address.",
"MAC",
index=client_index)
KERNEL = aff4.Attribute("aff4:kernel_version", rdfvalue.RDFString,
"Kernel version string.", "KernelVersion")
# Same for IP addresses.
HOST_IPS = aff4.Attribute("aff4:host_ips",
rdfvalue.RDFString,
"An IP address.",
"Host_ip",
index=client_index)
PING = aff4.Attribute(
"metadata:ping",
rdfvalue.RDFDatetime,
"The last time the server heard from this client.",
"LastCheckin",
versioned=False,
default=0)
CLOCK = aff4.Attribute("metadata:clock",
rdfvalue.RDFDatetime,
"The last clock read on the client "
"(Can be used to estimate client clock skew).",
"Clock",
versioned=False)
CLIENT_IP = aff4.Attribute(
"metadata:client_ip",
rdfvalue.RDFString,
"The ip address this client connected from.",
"Client_ip",
versioned=False)
# This is the last foreman rule that applied to us
LAST_FOREMAN_TIME = aff4.Attribute(
"aff4:last_foreman_time",
rdfvalue.RDFDatetime,
"The last time the foreman checked us.",
versioned=False)
LAST_CRASH = aff4.Attribute("aff4:last_crash",
rdf_client.ClientCrash,
"Last client crash.",
creates_new_object_version=False,
versioned=False)
VOLUMES = aff4.Attribute("aff4:volumes", rdf_client.Volumes,
"Client disk volumes.")
INTERFACES = aff4.Attribute("aff4:interfaces", rdf_client.Interfaces,
"Network interfaces.", "Interfaces")
HARDWARE_INFO = aff4.Attribute("aff4:hardware_info",
rdf_client.HardwareInfo,
"Various hardware information.",
default=rdf_client.HardwareInfo())
MEMORY_SIZE = aff4.Attribute(
"aff4:memory_size", rdfvalue.ByteSize,
"Amount of memory this client's machine has.")
# Cloud VM information.
CLOUD_INSTANCE = aff4.Attribute("metadata:cloud_instance",
cloud.CloudInstance,
"Information about cloud machines.")
def testGetClientSummary(self):
hostname = "test"
system = "Linux"
os_release = "12.02"
kernel = "3.15-rc2"
fqdn = "test.test.com"
arch = "amd64"
install_time = rdfvalue.RDFDatetime.Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
google_cloud_instance = cloud.GoogleCloudInstance(
instance_id="1771384456894610289",
zone="projects/123456789733/zones/us-central1-a",
project_id="myproject",
unique_id="us-central1-a/myproject/1771384456894610289")
cloud_instance = cloud.CloudInstance(
cloud_type="GOOGLE", google=google_cloud_instance)
serial_number = "DSD33679FZ"
system_manufacturer = "Foobar Inc."
system_uuid = "C31292AD-6Z4F-55D8-28AC-EC1100E42222"
hwinfo = rdf_client.HardwareInfo(
serial_number=serial_number,
system_manufacturer=system_manufacturer,
system_uuid=system_uuid)
timestamp = 1
with utils.Stubber(time, "time", lambda: timestamp):
with aff4.FACTORY.Create(
"C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
kb = rdf_client.KnowledgeBase()
kb.users.Append(userobj)
empty_summary = fd.GetSummary()
self.assertEqual(empty_summary.client_id, "C.0000000000000000")
self.assertFalse(empty_summary.system_info.version)
self.assertEqual(empty_summary.timestamp.AsSecondsSinceEpoch(), 1)
# This will cause TYPE to be written with current time = 101 when the
# object is closed
timestamp += 100
fd.Set(fd.Schema.HOSTNAME(hostname))
fd.Set(fd.Schema.SYSTEM(system))
fd.Set(fd.Schema.OS_RELEASE(os_release))
fd.Set(fd.Schema.KERNEL(kernel))
fd.Set(fd.Schema.FQDN(fqdn))
fd.Set(fd.Schema.ARCH(arch))
fd.Set(fd.Schema.INSTALL_DATE(install_time))
fd.Set(fd.Schema.KNOWLEDGE_BASE(kb))
fd.Set(fd.Schema.USERNAMES([user]))
fd.Set(fd.Schema.HARDWARE_INFO(hwinfo))
fd.Set(fd.Schema.INTERFACES([interface]))
fd.Set(fd.Schema.CLOUD_INSTANCE(cloud_instance))
with aff4.FACTORY.Open(
"C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
summary = fd.GetSummary()
self.assertEqual(summary.system_info.system, system)
self.assertEqual(summary.system_info.release, os_release)
self.assertEqual(summary.system_info.kernel, kernel)
self.assertEqual(summary.system_info.fqdn, fqdn)
self.assertEqual(summary.system_info.machine, arch)
self.assertEqual(summary.system_info.install_date, install_time)
self.assertItemsEqual(summary.users, [userobj])
self.assertItemsEqual(summary.interfaces, [interface])
self.assertFalse(summary.client_info)
self.assertEqual(summary.timestamp.AsSecondsSinceEpoch(), 101)
self.assertEqual(summary.cloud_type, "GOOGLE")
self.assertEqual(summary.cloud_instance_id,
"us-central1-a/myproject/1771384456894610289")
self.assertEqual(summary.serial_number, serial_number)
self.assertEqual(summary.system_manufacturer, system_manufacturer)
self.assertEqual(summary.system_uuid, system_uuid)
