def testTypeInfoBoolObjects(self):
  """type_info.Bool rejects non-boolean values and accepts True (and 1)."""
  bool_type = type_info.Bool()

  # Values that are neither a bool nor its integer stand-in must be refused.
  for rejected in (2, None):
    self.assertRaises(type_info.TypeValueError, bool_type.Validate, rejected)

  # A real boolean passes ...
  bool_type.Validate(True)
  # ... and so does 1, which Bool treats as a substitute for True.
  # NOTE(review): False / 0 are not exercised by this test; worth adding if
  # the symmetric behaviour is relied on elsewhere.
  bool_type.Validate(1)
def DEFINE_boolean(name, default, help):
  """Register a boolean option on the global CONFIG.

  Args:
    name: Name the option is known by in the configuration.
    default: Value used when the option is not explicitly set.
    help: Human-readable description attached to the option. (The parameter
      shadows the builtin `help`; it is kept because callers pass it by name.)
  """
  option = type_info.Bool(name=name, default=default, description=help)
  CONFIG.AddOption(option)
class WinSystemActivityInvestigation(flow.GRRFlow):
  """Run the standard first-pass collection against a Windows client.

  Every enabled option fans out into one child flow (process listing,
  netstat, Sophos quarantine/log collection, a listing of the Prefetch
  directory, listings of a few well-known system directories and an
  artifact collection of the event logs). All children report back to
  FinishFlow; once the last one has reported, an optional MACTimes
  timeline is built over the collected data.
  """
  category = "/Automation/"

  flow_typeinfo = type_info.TypeDescriptorSet(
      type_info.Bool(
          name="list_processes",
          description="Call the ListProcesses flow.",
          default=True,
      ),
      type_info.Bool(
          name="list_network_connections",
          description="Call the Netstat flow.",
          default=True,
      ),
      type_info.MultiSelectList(
          name="artifact_list",
          description="A list of Artifact names.",
          default=[
              "ApplicationEventLog",
              "SystemEventLog",
              "SecurityEventLog",
              "TerminalServicesEventLogEvtx",
              "ApplicationEventLogEvtx",
              "SystemEventLogEvtx",
              "SecurityEventLogEvtx",
          ],
      ),
      type_info.Bool(
          name="collect_av_data",
          description="Call the Antivirus flows to collect quarantine/logs.",
          default=True,
      ),
      type_info.Bool(
          name="collect_prefetch",
          description="List the prefetch directory.",
          default=True,
      ),
      type_info.Bool(
          name="list_common_dirs",
          description="List common system directories.",
          default=True,
      ),
      # NOTE(review): raw (TSK) access is expected to read the device rather
      # than go through the OS file API, so it presumably sidesteps file locks
      # and ACLs and needs raw device access on the client -- confirm against
      # the client implementation. It is on by default here.
      type_info.Bool(
          name="use_tsk",
          description="Use raw filesystem access where possible.",
          default=True,
      ),
      type_info.Bool(
          name="timeline_collected_data",
          description="Once complete create a timeline for the host.",
          default=True,
      ),
  )

  # Directories that are enumerated (via ListDirectory, not downloaded)
  # when list_common_dirs is set.
  common_dirs = [
      "c:\\",
      "c:\\users",
      "c:\\windows",
      "c:\\windows\\system32\\drivers",
      "c:\\windows\\logs",
      "c:\\program files",
  ]

  @flow.StateHandler(next_state="FinishFlow")
  def Start(self):
    """Record basic client facts, then launch every enabled child flow.

    Children are started in a fixed order and all route their completion
    into FinishFlow.
    """
    self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
    # Kept on the flow object; nothing in this class reads them afterwards
    # (presumably for the benefit of later states or callers).
    self.system = str(self.client.Get(self.client.Schema.SYSTEM))
    self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION))
    self.os_major_version = self.os_version.split(".")[0]

    path_types = rdfvalue.PathSpec.PathType
    self.path_type = path_types.TSK if self.use_tsk else path_types.OS

    if self.collect_av_data:
      self.CallFlow("SophosCollector", pathtype=self.path_type,
                    next_state="FinishFlow")
    if self.list_processes:
      self.CallFlow("ListProcesses", next_state="FinishFlow")
    if self.list_network_connections:
      self.CallFlow("Netstat", next_state="FinishFlow")

    # Execution evidence: only a directory listing is taken, the Prefetch
    # files themselves are not fetched by this flow.
    if self.collect_prefetch:
      self.CallFlow("ListDirectory", path=r"C:\Windows\Prefetch",
                    pathtype=self.path_type, next_state="FinishFlow")

    if self.list_common_dirs:
      for directory in self.common_dirs:
        self.CallFlow("ListDirectory", path=directory,
                      pathtype=self.path_type, next_state="FinishFlow")

    if self.artifact_list:
      self.CallFlow("ArtifactCollectorFlow",
                    artifact_list=list(self.artifact_list),
                    use_tsk=self.use_tsk, next_state="FinishFlow")

  @flow.StateHandler()
  def FinishFlow(self, responses):
    """Log a child flow's outcome; after the last child, build the timeline.

    Args:
      responses: Responses from the finished child flow; only `.success`
        is consulted.
    """
    # NOTE(review): this is the parent's own class name, so every log line
    # names WinSystemActivityInvestigation regardless of which child
    # finished; the child's identity is not recovered from `responses`.
    flow_name = self.__class__.__name__
    if responses.success:
      message = "Flow %s completed successfully"
    else:
      message = "Flow %s failed to complete"
    self.Log(message, flow_name)

    # The request delivering these responses is still counted, so exactly
    # one outstanding request means this is the last child to report. A
    # failed child is only logged: the timeline is still built, possibly
    # over partial data.
    if self.OutstandingRequests() != 1:
      return
    if self.timeline_collected_data:
      self.CallFlow("MACTimes", path="/", next_state="End")
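class LinSystemActivityInvestigation(flow.GRRFlow):
  """Run the standard first-pass collection against a Linux client.

  Every enabled option fans out into one child flow (process listing,
  netstat and an artifact collection defaulting to the auth log and wtmp).
  All children report back to FinishFlow; once the last one has reported,
  an optional MACTimes timeline is built over the collected data.
  """
  category = "/Automation/"

  flow_typeinfo = type_info.TypeDescriptorSet(
      type_info.Bool(
          name="list_processes",
          description="Call the ListProcesses flow.",
          default=True,
      ),
      type_info.Bool(
          name="list_network_connections",
          description="Call the Netstat flow.",
          default=True,
      ),
      type_info.MultiSelectList(
          name="artifact_list",
          description="A list of Artifact names.",
          default=["AuthLog", "LinuxWtmp"],
      ),
      # NOTE(review): raw (TSK) access is expected to read the device rather
      # than go through the OS file API, so it presumably sidesteps file
      # permissions and needs raw device access on the client -- confirm
      # against the client implementation. It is on by default here.
      type_info.Bool(
          name="use_tsk",
          description="Use raw filesystem access where possible.",
          default=True,
      ),
      type_info.Bool(
          name="timeline_collected_data",
          description="Once complete create a timeline for the host.",
          default=True,
      ),
  )

  @flow.StateHandler(next_state="FinishFlow")
  def Start(self):
    """Record basic client facts, then launch every enabled child flow.

    Children are started in a fixed order and all route their completion
    into FinishFlow.
    """
    self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
    # Kept on the flow object; nothing in this class reads them afterwards
    # (presumably for the benefit of later states or callers).
    self.system = str(self.client.Get(self.client.Schema.SYSTEM))
    self.os_version = str(self.client.Get(self.client.Schema.OS_VERSION))
    self.os_major_version = self.os_version.split(".")[0]

    path_types = rdfvalue.PathSpec.PathType
    self.path_type = path_types.TSK if self.use_tsk else path_types.OS

    if self.list_processes:
      self.CallFlow("ListProcesses", next_state="FinishFlow")
    if self.list_network_connections:
      self.CallFlow("Netstat", next_state="FinishFlow")

    if self.artifact_list:
      # Pass a plain list, as the Windows flow does, rather than the
      # MultiSelectList value object itself.
      self.CallFlow("ArtifactCollectorFlow",
                    artifact_list=list(self.artifact_list),
                    use_tsk=self.use_tsk, next_state="FinishFlow")

  @flow.StateHandler()
  def FinishFlow(self, responses):
    """Log a child flow's outcome; after the last child, build the timeline.

    Args:
      responses: Responses from the finished child flow; only `.success`
        is consulted.
    """
    # NOTE(review): this is the parent's own class name, so every log line
    # names LinSystemActivityInvestigation regardless of which child
    # finished; the child's identity is not recovered from `responses`.
    flow_name = self.__class__.__name__
    if responses.success:
      message = "Flow %s completed successfully"
    else:
      message = "Flow %s failed to complete"
    self.Log(message, flow_name)

    # The request delivering these responses is still counted, so exactly
    # one outstanding request means this is the last child to report. A
    # failed child is only logged: the timeline is still built, possibly
    # over partial data.
    if self.OutstandingRequests() != 1:
      return
    if self.timeline_collected_data:
      self.CallFlow("MACTimes", path="/", next_state="End")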