def testSupportedOS(self): """Test supported_os inside the collector object.""" # Run with false condition. client_mock = action_mocks.ActionMock("ListProcesses") coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION, attributes={"client_action": "ListProcesses"}, supported_os=["Windows"]) self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "AFF4Volume") # Now run with matching or condition. coll1.conditions = [] coll1.supported_os = ["Linux", "Windows"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "RDFValueCollection") # Now run with impossible or condition. coll1.conditions = ["os == 'Linux' or os == 'Windows'"] coll1.supported_os = ["NotTrue"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "AFF4Volume")
def testRunGrrClientActionArtifactSplit(self): """Test that artifacts get split into separate collections.""" client_mock = action_mocks.ActionMock("ListProcesses", "StatFile") client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION, attributes={"client_action": r"ListProcesses"}) self.fakeartifact.sources.append(coll1) self.fakeartifact2.sources.append(coll1) artifact_list = ["FakeArtifact", "FakeArtifact2"] for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, output="test_artifact", split_output_by_artifact=True): pass # Check that we got two separate collections based on artifact name fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("test_artifact_FakeArtifact"), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process)) self.assertTrue(len(fd) > 5) fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("test_artifact_FakeArtifact2"), token=self.token) self.assertTrue(len(fd) > 5) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
def testConditions(self): """Test we can get a GRR client artifact with conditions.""" # Run with false condition. client_mock = action_mocks.ActionMock("ListProcesses") coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION, attributes={"client_action": "ListProcesses"}, conditions=["os == 'Windows'"]) self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "AFF4Volume") # Now run with matching or condition. coll1.conditions = ["os == 'Linux' or os == 'Windows'"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "RDFValueCollection") # Now run with impossible or condition. coll1.conditions.append("os == 'NotTrue'") self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__.__name__, "AFF4Volume")
def testGetArtifact1(self): """Test we can get a basic artifact.""" client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile", "Find", "FingerprintFile", "HashBuffer") client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() # Dynamically add a ArtifactSource specifying the base path. file_path = os.path.join(self.base_path, "test_img.dd") coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.FILE, attributes={"paths": [file_path]}) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, use_tsk=False, token=self.token, client_id=self.client_id): pass # Test the AFF4 file that was created. fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path), token=self.token) fd2 = open(file_path) fd2.seek(0, 2) self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
def testRunGrrClientActionArtifact(self): """Test we can get a GRR client artifact.""" client_mock = action_mocks.ActionMock("ListProcesses") client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION, attributes={"client_action": r"ListProcesses"}) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, output="test_artifact"): pass # Test the AFF4 file that was created. fd = aff4.FACTORY.Open(rdfvalue.RDFURN( self.client_id).Add("test_artifact"), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process)) self.assertTrue(len(fd) > 5)
def testSupportedOS(self): """Test supported_os inside the collector object.""" with utils.Stubber(psutil, "process_iter", ProcessIter): # Run with false condition. client_mock = action_mocks.ActionMock(standard.ListProcesses) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. GRR_CLIENT_ACTION, attributes={"client_action": "ListProcesses"}, supported_os=["Windows"]) self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertEqual(len(fd), 0) # Now run with matching or condition. coll1.conditions = [] coll1.supported_os = ["Linux", "Windows"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertNotEqual(len(fd), 0) # Now run with impossible or condition. coll1.conditions = ["os == 'Linux' or os == 'Windows'"] coll1.supported_os = ["NotTrue"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertEqual(len(fd), 0)
def testGrep(self): class MockCallFlow(object): def CallFlow(self, *args, **kwargs): self.args = args self.kwargs = kwargs mock_call_flow = MockCallFlow() with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow", mock_call_flow.CallFlow): collect_flow = collectors.ArtifactCollectorFlow(None, token=self.token) collect_flow.state.Register("knowledge_base", rdf_client.KnowledgeBase()) collect_flow.current_artifact_name = "blah" collect_flow.state.knowledge_base.MergeOrAddUser( rdf_client.KnowledgeBaseUser(username="******")) collect_flow.state.knowledge_base.MergeOrAddUser( rdf_client.KnowledgeBaseUser(username="******")) collector = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType.GREP, attributes={ "paths": ["/etc/passwd"], "content_regex_list": [r"^a%%users.username%%b$"] }) collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK) conditions = mock_call_flow.kwargs["conditions"] self.assertEqual(len(conditions), 1) regexes = conditions[0].contents_regex_match.regex.SerializeToString() self.assertItemsEqual(regexes.split("|"), ["(^atest1b$)", "(^atest2b$)"]) self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testRegistryValueArtifact(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" r"\Control\Session Manager"), "value": "BootExecute" }] }) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s # Test the statentry got stored with the correct aff4path. fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry)) self.assertTrue(str(fd[0].aff4path).endswith("BootExecute"))
def testRegistryDefaultValueArtifact(self): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler): with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE/SOFTWARE/ListingTest"), "value": "" }] }) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry)) self.assertEqual(fd[0].registry_data.GetValue(), "DefaultValue")
def testRunGrrClientActionArtifact(self): """Test we can get a GRR client artifact.""" with utils.Stubber(psutil, "process_iter", ProcessIter): client_mock = action_mocks.ActionMock(standard.ListProcesses) client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. GRR_CLIENT_ACTION, attributes={"client_action": r"ListProcesses"}) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s # Test the AFF4 file that was created. fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process)) self.assertTrue(len(fd) == 1)
def testRegistryValueArtifact(self): with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, vfs_test_lib.FakeRegistryVFSHandler): with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, vfs_test_lib.FakeFullVFSHandler): client_mock = action_mocks.ActionMock(standard.StatFile) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" r"\Control\Session Manager"), "value": "BootExecute" }] }) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in flow_test_lib.TestFlowHelper( collectors.ArtifactCollectorFlow.__name__, client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s # Test the statentry got stored. fd = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry)) urn = fd[0].pathspec.AFF4Path(self.client_id) self.assertTrue(str(urn).endswith("BootExecute"))
def testConditions(self): """Test we can get a GRR client artifact with conditions.""" with utils.Stubber(psutil, "process_iter", ProcessIter): # Run with false condition. client_mock = action_mocks.ActionMock(standard.ListProcesses) coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. GRR_CLIENT_ACTION, attributes={"client_action": standard.ListProcesses.__name__}, conditions=["os == 'Windows'"]) self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertEqual(len(fd), 0) # Now run with matching or condition. coll1.conditions = ["os == 'Linux' or os == 'Windows'"] self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertNotEqual(len(fd), 0) # Now run with impossible or condition. coll1.conditions.append("os == 'NotTrue'") self.fakeartifact.sources = [] self.fakeartifact.sources.append(coll1) fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"]) self.assertEqual(fd.__class__, sequential_collection.GeneralIndexedCollection) self.assertEqual(len(fd), 0)
def testRunGrrClientActionArtifact(self): """Test we can get a GRR client artifact.""" with utils.Stubber(psutil, "process_iter", ProcessIter): client_mock = action_mocks.ActionMock(standard.ListProcesses) client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. GRR_CLIENT_ACTION, attributes={"client_action": standard.ListProcesses.__name__}) self.fakeartifact.sources.append(coll1) artifact_list = ["FakeArtifact"] for s in flow_test_lib.TestFlowHelper( collectors.ArtifactCollectorFlow.__name__, client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id): session_id = s fd = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process)) self.assertTrue(len(fd) == 1)
def testRunGrrClientActionArtifactSplit(self): """Test that artifacts get split into separate collections.""" with utils.Stubber(psutil, "process_iter", ProcessIter): client_mock = action_mocks.ActionMock(standard.ListProcesses) client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") client.Set(client.Schema.SYSTEM("Linux")) client.Flush() coll1 = artifact_registry.ArtifactSource( type=artifact_registry.ArtifactSource.SourceType. GRR_CLIENT_ACTION, attributes={"client_action": r"ListProcesses"}) self.fakeartifact.sources.append(coll1) self.fakeartifact2.sources.append(coll1) artifact_list = ["FakeArtifact", "FakeArtifact2"] for s in test_lib.TestFlowHelper("ArtifactCollectorFlow", client_mock, artifact_list=artifact_list, token=self.token, client_id=self.client_id, split_output_by_artifact=True): session_id = s # Check that we got two separate collections based on artifact name fd = aff4.FACTORY.Open(session_id.Add( "%s_%s" % (flow_runner.RESULTS_SUFFIX, "FakeArtifact")), token=self.token) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process)) self.assertEqual(len(fd), 1) fd = aff4.FACTORY.Open(session_id.Add( "%s_%s" % (flow_runner.RESULTS_SUFFIX, "FakeArtifact2")), token=self.token) self.assertEqual(len(fd), 1) self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))