def test_config(self):
node = NodeFactory(host_identifier='foo')
tag = Tag.create(value='foo')
node.tags.append(tag)
node.save()
query1 = Query.create(name='bar', sql='select * from osquery_info;')
query2 = Query.create(name='foobar', sql='select * from system_info;')
query2.tags.append(tag)
query2.save()
pack = Pack.create(name='baz')
pack.queries.append(query1)
pack.tags.append(tag)
pack.save()
file_path = FilePath.create(category='foobar', target_paths=[
'/home/foobar/%%',
])
file_path.tags.append(tag)
file_path.save()
assert tag in pack.tags
assert tag in query2.tags
assert tag in file_path.tags
assert tag not in query1.tags
assert query1 in pack.queries
assert query2 not in pack.queries
assert pack in node.packs
assert query2 in node.queries
assert query1 not in node.queries
config = node.get_config()
assert pack.name in config['packs']
assert query1.name in config['packs'][pack.name]['queries']
assert query1.sql == config['packs'][pack.name]['queries'][query1.name]['query']
assert query2.name not in config['packs']
assert query2.name in config['schedule']
assert query2.sql == config['schedule'][query2.name]['query']
assert file_path.category in config['file_paths']
def addpack(packname, filepath):
from polylogyx.models import Pack
if Pack.query.filter_by(name=packname).first():
raise ValueError("Pack already exists!")
try:
jsonStr = open(filepath, 'r').read()
data = json.loads(jsonStr)
pack = Pack.create(name=packname)
for query_name, query in data['queries'].items():
q = Query.query.filter(Query.name == query_name).first()
if not q:
q = Query.create(name=query_name, **query)
pack.queries.append(q)
print("Adding new query %s to pack %s", q.name, pack.name)
continue
if q in pack.queries:
continue
if q.sql == query['query']:
print("Adding existing query %s to pack %s", q.name, pack.name)
pack.queries.append(q)
else:
q2 = Query.create(name=query_name, **query)
print(
"Created another query named %s, but different sql: %r vs %r",
query_name, q2.sql.encode('utf-8'), q.sql.encode('utf-8'))
pack.queries.append(q2)
pack.save()
except Exception as error:
print("Failed to create pack {0} - {1}".format(packname, error))
exit(1)
else:
print("Created pack {0}".format(pack.name))
exit(0)
def create_query_obj(name,
sql,
interval,
platform,
version,
description,
value,
shard,
snapshot=False):
return Query(name=name,
sql=sql,
interval=interval,
platform=platform,
version=version,
description=description,
value=value,
shard=shard,
snapshot=snapshot)
def create_query_pack_from_upload(upload,category):
'''
Create a pack and queries from a query pack file. **Note**, if a
pack already exists under the filename being uploaded, then any
queries defined here will be added to the existing pack! However,
if a query with a particular name already exists, and its sql is
NOT the same, then a new query with the same name but different id
will be created (as to avoid clobbering the existing query). If its
sql is identical, then the query will be reused.
'''
# The json package on Python 3 expects a `str` input, so we're going to
# read the body and possibly convert to the right type
from werkzeug import datastructures
if not type(upload) == datastructures.FileStorage:
body = upload.data.read()
else:
body = upload
if not isinstance(body, six.string_types):
body = body.decode('utf-8')
try:
data = json.loads(body)
except ValueError:
flash(u"Could not load pack as JSON - ensure it is JSON encoded",
'danger')
return None
else:
if 'queries' not in data:
flash(u"No queries in pack", 'danger')
return None
name = splitext(basename(upload.data.filename))[0]
pack = Pack.query.filter(Pack.name == name).first()
if not pack:
current_app.logger.debug("Creating pack %s", name)
pack = Pack.create(name=name,category=category, **data)
for query_name, query in data['queries'].items():
if not validate_osquery_query(query['query']):
flash('Invalid osquery query: "{0}"'.format(query['query']), 'danger')
return None
q = Query.query.filter(Query.name == query_name).first()
if not q:
q = Query.create(name=query_name, **query)
pack.queries.append(q)
current_app.logger.debug("Adding new query %s to pack %s",
q.name, pack.name)
continue
else:
if q.sql == query['query']:
current_app.logger.debug("Adding existing query %s to pack %s",
q.name, pack.name)
pack.queries.append(q)
else:
q2 = Query.create(name=query_name, **query)
current_app.logger.debug(
"Created another query named %s, but different sql: %r vs %r",
query_name, q2.sql.encode('utf-8'), q.sql.encode('utf-8'))
pack.queries.append(q2)
if q in pack.queries:
continue
else:
pack.save()
flash(u"Imported query pack {0}".format(pack.name), 'success')
return pack
def add_query(query_name, **query):
return Query.create(name=query_name, **query)