class SchemaCls(aff4.AFF4Object.SchemaCls):
"""Schema for GRRUser."""
PENDING_NOTIFICATIONS = aff4.Attribute(
"aff4:notification/pending",
rdf_flows.NotificationList,
"The notifications pending for the user.",
default=rdf_flows.NotificationList(),
versioned=False)
SHOWN_NOTIFICATIONS = aff4.Attribute(
"aff4:notifications/shown",
rdf_flows.NotificationList,
"Notifications already shown to the user.",
default=rdf_flows.NotificationList(),
versioned=False)
SHOWN_GLOBAL_NOTIFICATIONS = aff4.Attribute(
"aff4:global_notification/timestamp_list",
GlobalNotificationSet,
"Global notifications shown to this user.",
default=GlobalNotificationSet(),
versioned=False)
GUI_SETTINGS = aff4.Attribute("aff4:gui/settings",
GUISettings,
"GUI Settings",
default=GUISettings())
PASSWORD = aff4.Attribute("aff4:user/password", CryptedPassword,
"Encrypted Password for the user")
class SchemaCls(VFSFile.SchemaCls):
"""The schema for Blob Images."""
HASHES = aff4.Attribute("aff4:hashes", standard.HashList,
"List of hashes of each chunk in this file.")
FINALIZED = aff4.Attribute("aff4:finalized", rdfvalue.RDFBool,
"Once a blobimage is finalized, further writes"
" will raise exceptions.")
class SchemaCls(aff4.AFF4Volume.SchemaCls):
"""Attributes specific to VFSDirectory."""
STAT = aff4.Attribute("aff4:stat", rdf_client.StatEntry,
"A StatEntry describing this file.", "stat")
PATHSPEC = aff4.Attribute(
"aff4:pathspec", rdf_paths.PathSpec,
"The pathspec used to retrieve this object from the client.",
"pathspec")
class SchemaCls(Approval.SchemaCls):
"""The Schema for the ClientAccessApproval class."""
LIFETIME = aff4.Attribute(
"aff4:approval/lifetime",
rdfvalue.RDFInteger,
"The number of seconds an approval is valid for.",
default=0)
BREAK_GLASS = aff4.Attribute(
"aff4:approval/breakglass", rdfvalue.RDFDatetime,
"The date when this break glass approval will expire.")
class SchemaCls(aff4.AFF4Image.SchemaCls):
"""The schema for Blob Images."""
STAT = VFSDirectory.SchemaCls.STAT
HASHES = aff4.Attribute("aff4:hashes", HashList,
"List of hashes of each chunk in this file.")
FINALIZED = aff4.Attribute(
"aff4:finalized", rdfvalue.RDFBool,
"Once a blobimage is finalized, further writes"
" will raise exceptions.")
class SchemaCls(aff4.AFF4Image.SchemaCls):
"""The schema for AFF4 files in the GRR VFS."""
STAT = standard.VFSDirectory.SchemaCls.STAT
CONTENT_LOCK = aff4.Attribute(
"aff4:content_lock", rdfvalue.RDFURN,
"This lock contains a URN pointing to the flow that is currently "
"updating this flow.")
PATHSPEC = aff4.Attribute(
"aff4:pathspec", rdf_paths.PathSpec,
"The pathspec used to retrieve this object from the client.")
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""SchemaCls."""
FILESTORE_FILETYPES = aff4.Attribute(
"aff4:stats/filestore/filetypes", stats.Graph,
"Number of files in the filestore by type")
FILESTORE_FILETYPES_SIZE = aff4.Attribute(
"aff4:stats/filestore/filetypes_size", stats.GraphFloat,
"Total filesize in GB of files in the filestore by type")
FILESTORE_FILESIZE_HISTOGRAM = aff4.Attribute(
"aff4:stats/filestore/filesize", stats.Graph,
"Filesize histogram of files in the filestore")
class SchemaCls(VFSAnalysisFile.SchemaCls):
"""The schema for AFF4 files in the GRR VFS."""
CONTENT_LOCK = aff4.Attribute(
"aff4:content_lock", rdfvalue.RDFURN,
"This lock contains a URN pointing to the flow that is currently "
"updating this flow.")
class SchemaCls(aff4.AFF4ImageBase.SchemaCls):
"""The schema class for AFF4SparseImage."""
PATHSPEC = VFSDirectory.SchemaCls.PATHSPEC
STAT = VFSDirectory.SchemaCls.STAT
_CHUNKSIZE = aff4.Attribute("aff4:chunksize",
rdfvalue.RDFInteger,
"Total size of each chunk.",
default=512 * 1024)
LAST_CHUNK = aff4.Attribute(
"aff4:lastchunk",
rdfvalue.RDFInteger,
"The highest numbered chunk in this object.",
default=-1)
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""Attributes specific to VFSDirectory."""
RULES = aff4.Attribute("aff4:rules",
rdf_foreman.ForemanRules,
"The rules the foreman uses.",
versioned=False,
creates_new_object_version=False,
default=rdf_foreman.ForemanRules())
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""Schema for StatsStoreProcessData."""
METRICS_METADATA = aff4.Attribute(
"aff4:stats_store_process_data/metrics_metadata",
stats_values.StatsStoreMetricsMetadata,
creates_new_object_version=False,
versioned=False)
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""Schema for GlobalNotificationsManager."""
NOTIFICATIONS = aff4.Attribute(
"aff4:global_notification_storage/notifications",
GlobalNotificationSet,
"List of currently active notifications",
versioned=False)
class SchemaCls(aff4.AFF4Stream.SchemaCls):
FILE_ID = aff4.Attribute("aff4:file_id", rdfvalue.RDFString,
"This string uniquely identifies a "
"file stored in the file store. Passing "
"this id to the file store grants read "
"access to the corresponding data.")
STAT = standard.VFSDirectory.SchemaCls.STAT
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""The Schema for the Approval class."""
REQUESTOR = aff4.Attribute("aff4:approval/requestor", rdfvalue.RDFString,
"Requestor of the approval.")
APPROVER = aff4.Attribute("aff4:approval/approver", rdfvalue.RDFString,
"An approver for the request.", "approver")
SUBJECT = aff4.Attribute("aff4:approval/subject", rdfvalue.RDFURN,
"Subject of the approval. I.e. the resource that "
"requires approved access.")
REASON = aff4.Attribute("aff4:approval/reason",
rdfvalue.RDFString,
"The reason for requesting access to this client.")
EMAIL_MSG_ID = aff4.Attribute("aff4:approval/email_msg_id",
rdfvalue.RDFString,
"The email thread message ID for this"
"approval. Storing this allows for "
"conversation threading.")
EMAIL_CC = aff4.Attribute("aff4:approval/email_cc", rdfvalue.RDFString,
"Comma separated list of email addresses to "
"CC on approval emails.")
NOTIFIED_USERS = aff4.Attribute("aff4:approval/notified_users",
rdfvalue.RDFString,
"Comma-separated list of GRR users "
"notified about this approval.")
class SchemaCls(aff4.AFF4Object.SchemaCls):
"""Schema for ClientFleetStats object."""
GRRVERSION_HISTOGRAM = aff4.Attribute(
"aff4:stats/grrversion", stats.GraphSeries,
"GRR version statistics for active "
"clients.")
OS_HISTOGRAM = aff4.Attribute(
"aff4:stats/os_type", stats.GraphSeries,
"Operating System statistics for active clients.")
RELEASE_HISTOGRAM = aff4.Attribute(
"aff4:stats/release", stats.GraphSeries,
"Release statistics for active clients.")
LAST_CONTACTED_HISTOGRAM = aff4.Attribute("aff4:stats/last_contacted",
stats.Graph,
"Last contacted time")
class SchemaCls(FileStoreImage.SchemaCls):
"""Schema class for NSRLFile."""
# We do not need child indexes since the NSRL database is quite big.
ADD_CHILD_INDEX = False
# Make the default SIZE argument as unversioned.
SIZE = aff4.Attribute(
"aff4:size",
rdfvalue.RDFInteger,
"The total size of available data for this stream.",
"size",
default=0,
versioned=False)
TYPE = aff4.Attribute("aff4:type",
rdfvalue.RDFString,
"The name of the AFF4Object derived class.",
"type",
versioned=False)
NSRL = aff4.Attribute("aff4:nsrl",
rdf_nsrl.NSRLInformation,
versioned=False)
class SchemaCls(aff4.AFF4Volume.SchemaCls):
"""Attributes specific to GRRFlow."""
FLOW_STATE_DICT = aff4.Attribute(
"aff4:flow_state_dict",
rdf_protodict.AttributedDict,
"The current state of this flow.",
"FlowStateDict",
versioned=False,
creates_new_object_version=False)
FLOW_ARGS = aff4.Attribute(
"aff4:flow_args",
rdf_protodict.EmbeddedRDFValue,
"The arguments for this flow.",
"FlowArgs",
versioned=False,
creates_new_object_version=False)
FLOW_CONTEXT = aff4.Attribute(
"aff4:flow_context",
rdf_flows.FlowContext,
"The metadata for this flow.",
"FlowContext",
versioned=False,
creates_new_object_version=False)
FLOW_RUNNER_ARGS = aff4.Attribute(
"aff4:flow_runner_args",
rdf_flows.FlowRunnerArgs,
"The runner arguments used for this flow.",
"FlowRunnerArgs",
versioned=False,
creates_new_object_version=False)
NOTIFICATION = aff4.Attribute("aff4:notification", rdf_flows.Notification,
"Notifications for the flow.")
CLIENT_CRASH = aff4.Attribute(
"aff4:client_crash",
rdf_client.ClientCrash,
"Client crash details in case of a crash.",
default=None,
creates_new_object_version=False)
PENDING_TERMINATION = aff4.Attribute(
"aff4:pending_termination",
PendingFlowTermination,
"If true, this flow will be "
"terminated as soon as any of its "
"states are called.",
creates_new_object_version=False)
class SchemaCls(aff4.AFF4Volume.SchemaCls):
"""Schema for CronJob AFF4 object."""
CRON_ARGS = aff4.Attribute("aff4:cron/args", CreateCronJobFlowArgs,
"This cron jobs' arguments.")
DISABLED = aff4.Attribute(
"aff4:cron/disabled",
rdfvalue.RDFBool,
"If True, don't run this job.",
versioned=False)
CURRENT_FLOW_URN = aff4.Attribute(
"aff4:cron/current_flow_urn",
rdfvalue.RDFURN,
"URN of the currently running flow corresponding to this cron job.",
versioned=False,
lock_protected=True)
LAST_RUN_TIME = aff4.Attribute(
"aff4:cron/last_run",
rdfvalue.RDFDatetime,
"The last time this cron job ran.",
"last_run",
versioned=False,
lock_protected=True)
LAST_RUN_STATUS = aff4.Attribute(
"aff4:cron/last_run_status",
rdf_cronjobs.CronJobRunStatus,
"Result of the last flow",
lock_protected=True,
creates_new_object_version=False)
STATE_DICT = aff4.Attribute(
"aff4:cron/state_dict",
rdf_protodict.AttributedDict,
"Cron flow state that is kept between iterations",
lock_protected=True,
versioned=False)
class SchemaCls(aff4.AFF4Object.SchemaCls):
PROFILE = aff4.Attribute("aff4:profile",
rdf_rekall_types.RekallProfile,
"A Rekall profile.")
class SchemaCls(aff4.AFF4Volume.SchemaCls):
ACTIVE = aff4.Attribute("aff4:filestore_active",
rdfvalue.RDFBool,
"If true this filestore is active.",
default=True)
def CreateClientObject(self, vfs_fixture):
"""Make a new client object."""
# First remove the old fixture just in case its still there.
aff4.FACTORY.Delete(self.client_id, token=self.token)
# Create the fixture at a fixed time.
with test_lib.FakeTime(self.age):
for path, (aff4_type, attributes) in vfs_fixture:
path %= self.args
aff4_object = aff4.FACTORY.Create(self.client_id.Add(path),
aff4_type,
mode="rw",
token=self.token)
for attribute_name, value in attributes.items():
attribute = aff4.Attribute.PREDICATES[attribute_name]
if isinstance(value, (str, unicode)):
# Interpolate the value
value %= self.args
# Is this supposed to be an RDFValue array?
if aff4.issubclass(attribute.attribute_type,
rdf_protodict.RDFValueArray):
rdfvalue_object = attribute()
for item in value:
new_object = rdfvalue_object.rdf_type.FromTextFormat(
utils.SmartStr(item))
rdfvalue_object.Append(new_object)
# It is a text serialized protobuf.
elif aff4.issubclass(attribute.attribute_type,
rdf_structs.RDFProtoStruct):
# Use the alternate constructor - we always write protobufs in
# textual form:
rdfvalue_object = attribute.attribute_type.FromTextFormat(
utils.SmartStr(value))
elif aff4.issubclass(attribute.attribute_type,
rdfvalue.RDFInteger):
rdfvalue_object = attribute(int(value))
else:
rdfvalue_object = attribute(value)
# If we don't already have a pathspec, try and get one from the stat.
if aff4_object.Get(aff4_object.Schema.PATHSPEC) is None:
# If the attribute was a stat, it has a pathspec nested in it.
# We should add that pathspec as an attribute.
if attribute.attribute_type == rdf_client.StatEntry:
stat_object = attribute.attribute_type.FromTextFormat(
utils.SmartStr(value))
if stat_object.pathspec:
pathspec_attribute = aff4.Attribute(
"aff4:pathspec", rdf_paths.PathSpec,
"The pathspec used to retrieve "
"this object from the client.", "pathspec")
aff4_object.AddAttribute(
pathspec_attribute, stat_object.pathspec)
if attribute in ["aff4:content", "aff4:content"]:
# For AFF4MemoryStreams we need to call Write() instead of
# directly setting the contents..
aff4_object.Write(rdfvalue_object)
else:
aff4_object.AddAttribute(attribute, rdfvalue_object)
# Populate the KB from the client attributes.
if aff4_type == aff4_grr.VFSGRRClient:
kb = rdf_client.KnowledgeBase()
artifact.SetCoreGRRKnowledgeBaseValues(kb, aff4_object)
aff4_object.Set(aff4_object.Schema.KNOWLEDGE_BASE, kb)
# Make sure we do not actually close the object here - we only want to
# sync back its attributes, not run any finalization code.
aff4_object.Flush()
if aff4_type == aff4_grr.VFSGRRClient:
index = client_index.CreateClientIndex(token=self.token)
index.AddClient(aff4_object)
class SchemaCls(standard.VFSDirectory.SchemaCls):
STATS = aff4.Attribute("aff4:stats",
rdf_client.ClientStats,
"Client Stats.",
"Client stats",
creates_new_object_version=False)
class SchemaCls(aff4.AFF4Object.SchemaCls):
COMPONENT = aff4.Attribute("aff4:component",
rdf_client.ClientComponentSummary,
"The component of the client.")
class SchemaCls(aff4.AFF4Object.SchemaCls):
INSTALLED_PACKAGES = aff4.Attribute("aff4:info/packages",
client.SoftwarePackages,
"Installed software packages.",
default="")
class SchemaCls(standard.VFSDirectory.SchemaCls):
"""The schema for the client."""
client_index = rdfvalue.RDFURN("aff4:/index/client")
FLEETSPEAK_ENABLED = aff4.Attribute(
"metadata:IsFleetspeak", rdfvalue.RDFBool,
"Whether this client uses Fleetspeak for comms.")
CERT = aff4.Attribute("metadata:cert", rdf_crypto.RDFX509Cert,
"The PEM encoded cert of the client.")
FILESYSTEM = aff4.Attribute("aff4:filesystem", rdf_client.Filesystems,
"Filesystems on the client.")
CLIENT_INFO = aff4.Attribute("metadata:ClientInfo",
rdf_client.ClientInformation,
"GRR client information",
"GRR client",
default=rdf_client.ClientInformation())
LAST_BOOT_TIME = aff4.Attribute("metadata:LastBootTime",
rdfvalue.RDFDatetime,
"When the machine was last booted",
"BootTime")
FIRST_SEEN = aff4.Attribute(
"metadata:FirstSeen", rdfvalue.RDFDatetime,
"First time the client registered with us", "FirstSeen")
# Information about the host.
HOSTNAME = aff4.Attribute("metadata:hostname",
rdfvalue.RDFString,
"Hostname of the host.",
"Host",
index=client_index)
FQDN = aff4.Attribute("metadata:fqdn",
rdfvalue.RDFString,
"Fully qualified hostname of the host.",
"FQDN",
index=client_index)
SYSTEM = aff4.Attribute("metadata:system", rdfvalue.RDFString,
"Operating System class.", "System")
UNAME = aff4.Attribute("metadata:uname", rdfvalue.RDFString,
"Uname string.", "Uname")
OS_RELEASE = aff4.Attribute("metadata:os_release", rdfvalue.RDFString,
"OS Major release number.", "Release")
OS_VERSION = aff4.Attribute("metadata:os_version",
rdf_client.VersionString,
"OS Version number.", "Version")
# ARCH values come from platform.uname machine value, e.g. x86_64, AMD64.
ARCH = aff4.Attribute("metadata:architecture", rdfvalue.RDFString,
"Architecture.", "Architecture")
INSTALL_DATE = aff4.Attribute("metadata:install_date",
rdfvalue.RDFDatetime, "Install Date.",
"Install")
# The knowledge base is used for storing data about the host and users.
# This is currently a slightly odd object as we only use some of the fields.
# The proto itself is used in Artifact handling outside of GRR (e.g. Plaso).
# Over time we will migrate fields into this proto, but for now it is a mix.
KNOWLEDGE_BASE = aff4.Attribute("metadata:knowledge_base",
rdf_client.KnowledgeBase,
"Artifact Knowledge Base",
"KnowledgeBase")
GRR_CONFIGURATION = aff4.Attribute(
"aff4:client_configuration", rdf_protodict.Dict,
"Running configuration for the GRR client.", "Config")
LIBRARY_VERSIONS = aff4.Attribute(
"aff4:library_versions", rdf_protodict.Dict,
"Running library versions for the client.", "Libraries")
USERNAMES = aff4.Attribute("aff4:user_names",
SpaceSeparatedStringArray,
"A space separated list of system users.",
"Usernames",
index=client_index)
# This information is duplicated from the INTERFACES attribute but is done
# to allow for fast searching by mac address.
MAC_ADDRESS = aff4.Attribute("aff4:mac_addresses",
rdfvalue.RDFString,
"A hex encoded MAC address.",
"MAC",
index=client_index)
KERNEL = aff4.Attribute("aff4:kernel_version", rdfvalue.RDFString,
"Kernel version string.", "KernelVersion")
# Same for IP addresses.
HOST_IPS = aff4.Attribute("aff4:host_ips",
rdfvalue.RDFString,
"An IP address.",
"Host_ip",
index=client_index)
PING = aff4.Attribute(
"metadata:ping",
rdfvalue.RDFDatetime,
"The last time the server heard from this client.",
"LastCheckin",
versioned=False,
default=0)
CLOCK = aff4.Attribute("metadata:clock",
rdfvalue.RDFDatetime,
"The last clock read on the client "
"(Can be used to estimate client clock skew).",
"Clock",
versioned=False)
CLIENT_IP = aff4.Attribute(
"metadata:client_ip",
rdfvalue.RDFString,
"The ip address this client connected from.",
"Client_ip",
versioned=False)
# This is the last foreman rule that applied to us
LAST_FOREMAN_TIME = aff4.Attribute(
"aff4:last_foreman_time",
rdfvalue.RDFDatetime,
"The last time the foreman checked us.",
versioned=False)
LAST_CRASH = aff4.Attribute("aff4:last_crash",
rdf_client.ClientCrash,
"Last client crash.",
creates_new_object_version=False,
versioned=False)
VOLUMES = aff4.Attribute("aff4:volumes", rdf_client.Volumes,
"Client disk volumes.")
INTERFACES = aff4.Attribute("aff4:interfaces", rdf_client.Interfaces,
"Network interfaces.", "Interfaces")
HARDWARE_INFO = aff4.Attribute("aff4:hardware_info",
rdf_client.HardwareInfo,
"Various hardware information.",
default=rdf_client.HardwareInfo())
MEMORY_SIZE = aff4.Attribute(
"aff4:memory_size", rdfvalue.ByteSize,
"Amount of memory this client's machine has.")
# Cloud VM information.
CLOUD_INSTANCE = aff4.Attribute("metadata:cloud_instance",
cloud.CloudInstance,
"Information about cloud machines.")
class SchemaCls(VFSFile.SchemaCls):
LAYOUT = aff4.Attribute("aff4:memory/geometry",
rdf_rekall_types.MemoryInformation,
"The memory layout of this image.")
class SchemaCls(VFSFile.SchemaCls):
DELEGATE = aff4.Attribute("aff4:delegate", rdfvalue.RDFURN,
"The URN of the delegate of this object.")
class SchemaCls(standard.VFSDirectory.SchemaCls):
KNOWLEDGE_BASE = aff4.Attribute("metadata:temp_knowledge_base",
rdf_client.KnowledgeBase,
"Artifact Knowledge Base",
"KnowledgeBase")