Python ArtifactSourceの例

コード例 #1

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testSupportedOS(self):
        """Test supported_os inside the collector object."""
        # Run with false condition.
        client_mock = action_mocks.ActionMock("ListProcesses")
        coll1 = artifact_registry.ArtifactSource(
            type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
            attributes={"client_action": "ListProcesses"},
            supported_os=["Windows"])
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "AFF4Volume")

        # Now run with matching or condition.
        coll1.conditions = []
        coll1.supported_os = ["Linux", "Windows"]
        self.fakeartifact.sources = []
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "RDFValueCollection")

        # Now run with impossible or condition.
        coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
        coll1.supported_os = ["NotTrue"]
        self.fakeartifact.sources = []
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "AFF4Volume")

コード例 #2

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testRunGrrClientActionArtifactSplit(self):
        """Test that artifacts get split into separate collections."""
        client_mock = action_mocks.ActionMock("ListProcesses", "StatFile")
        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        client.Set(client.Schema.SYSTEM("Linux"))
        client.Flush()

        coll1 = artifact_registry.ArtifactSource(
            type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
            attributes={"client_action": r"ListProcesses"})
        self.fakeartifact.sources.append(coll1)
        self.fakeartifact2.sources.append(coll1)
        artifact_list = ["FakeArtifact", "FakeArtifact2"]
        for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                         client_mock,
                                         artifact_list=artifact_list,
                                         token=self.token,
                                         client_id=self.client_id,
                                         output="test_artifact",
                                         split_output_by_artifact=True):
            pass

        # Check that we got two separate collections based on artifact name
        fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
            self.client_id).Add("test_artifact_FakeArtifact"),
                               token=self.token)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
        self.assertTrue(len(fd) > 5)

        fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
            self.client_id).Add("test_artifact_FakeArtifact2"),
                               token=self.token)
        self.assertTrue(len(fd) > 5)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))

コード例 #3

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testConditions(self):
        """Test we can get a GRR client artifact with conditions."""
        # Run with false condition.
        client_mock = action_mocks.ActionMock("ListProcesses")
        coll1 = artifact_registry.ArtifactSource(
            type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
            attributes={"client_action": "ListProcesses"},
            conditions=["os == 'Windows'"])
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "AFF4Volume")

        # Now run with matching or condition.
        coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
        self.fakeartifact.sources = []
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "RDFValueCollection")

        # Now run with impossible or condition.
        coll1.conditions.append("os == 'NotTrue'")
        self.fakeartifact.sources = []
        self.fakeartifact.sources.append(coll1)
        fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
        self.assertEqual(fd.__class__.__name__, "AFF4Volume")

コード例 #4

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testGetArtifact1(self):
        """Test we can get a basic artifact."""

        client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                              "Find", "FingerprintFile",
                                              "HashBuffer")
        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        client.Set(client.Schema.SYSTEM("Linux"))
        client.Flush()

        # Dynamically add a ArtifactSource specifying the base path.
        file_path = os.path.join(self.base_path, "test_img.dd")
        coll1 = artifact_registry.ArtifactSource(
            type=artifact_registry.ArtifactSource.SourceType.FILE,
            attributes={"paths": [file_path]})
        self.fakeartifact.sources.append(coll1)

        artifact_list = ["FakeArtifact"]
        for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                         client_mock,
                                         artifact_list=artifact_list,
                                         use_tsk=False,
                                         token=self.token,
                                         client_id=self.client_id):
            pass

        # Test the AFF4 file that was created.
        fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path),
                                token=self.token)
        fd2 = open(file_path)
        fd2.seek(0, 2)

        self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))

コード例 #5

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testRunGrrClientActionArtifact(self):
        """Test we can get a GRR client artifact."""
        client_mock = action_mocks.ActionMock("ListProcesses")
        client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
        client.Set(client.Schema.SYSTEM("Linux"))
        client.Flush()

        coll1 = artifact_registry.ArtifactSource(
            type=artifact_registry.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
            attributes={"client_action": r"ListProcesses"})
        self.fakeartifact.sources.append(coll1)
        artifact_list = ["FakeArtifact"]
        for _ in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                         client_mock,
                                         artifact_list=artifact_list,
                                         token=self.token,
                                         client_id=self.client_id,
                                         output="test_artifact"):
            pass

        # Test the AFF4 file that was created.
        fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
            self.client_id).Add("test_artifact"),
                               token=self.token)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
        self.assertTrue(len(fd) > 5)

コード例 #6

ファイル: collectors_test.py プロジェクト: ytisf/grr

    def testSupportedOS(self):
        """Test supported_os inside the collector object."""
        with utils.Stubber(psutil, "process_iter", ProcessIter):
            # Run with false condition.
            client_mock = action_mocks.ActionMock(standard.ListProcesses)
            coll1 = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.
                GRR_CLIENT_ACTION,
                attributes={"client_action": "ListProcesses"},
                supported_os=["Windows"])
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertEqual(len(fd), 0)

            # Now run with matching or condition.
            coll1.conditions = []
            coll1.supported_os = ["Linux", "Windows"]
            self.fakeartifact.sources = []
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertNotEqual(len(fd), 0)

            # Now run with impossible or condition.
            coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
            coll1.supported_os = ["NotTrue"]
            self.fakeartifact.sources = []
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertEqual(len(fd), 0)

コード例 #7

ファイル: collectors_test.py プロジェクト: lismore/grr

    def testGrep(self):
        class MockCallFlow(object):
            def CallFlow(self, *args, **kwargs):
                self.args = args
                self.kwargs = kwargs

        mock_call_flow = MockCallFlow()
        with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
                           mock_call_flow.CallFlow):

            collect_flow = collectors.ArtifactCollectorFlow(None,
                                                            token=self.token)
            collect_flow.state.Register("knowledge_base",
                                        rdf_client.KnowledgeBase())
            collect_flow.current_artifact_name = "blah"
            collect_flow.state.knowledge_base.MergeOrAddUser(
                rdf_client.KnowledgeBaseUser(username="******"))
            collect_flow.state.knowledge_base.MergeOrAddUser(
                rdf_client.KnowledgeBaseUser(username="******"))

            collector = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.GREP,
                attributes={
                    "paths": ["/etc/passwd"],
                    "content_regex_list": [r"^a%%users.username%%b$"]
                })
            collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK)

        conditions = mock_call_flow.kwargs["conditions"]
        self.assertEqual(len(conditions), 1)
        regexes = conditions[0].contents_regex_match.regex.SerializeToString()
        self.assertItemsEqual(regexes.split("|"),
                              ["(^atest1b$)", "(^atest2b$)"])
        self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])

コード例 #8

ファイル: collectors_test.py プロジェクト: ytisf/grr

    def testRegistryValueArtifact(self):
        with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
                                   test_lib.FakeRegistryVFSHandler):
            with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                       test_lib.FakeFullVFSHandler):

                client_mock = action_mocks.ActionMock(standard.StatFile)
                coll1 = artifact_registry.ArtifactSource(
                    type=artifact_registry.ArtifactSource.SourceType.
                    REGISTRY_VALUE,
                    attributes={
                        "key_value_pairs": [{
                            "key":
                            (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
                             r"\Control\Session Manager"),
                            "value":
                            "BootExecute"
                        }]
                    })
                self.fakeartifact.sources.append(coll1)
                artifact_list = ["FakeArtifact"]
                for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                                 client_mock,
                                                 artifact_list=artifact_list,
                                                 token=self.token,
                                                 client_id=self.client_id):
                    session_id = s

        # Test the statentry got stored with the correct aff4path.
        fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
                               token=self.token)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
        self.assertTrue(str(fd[0].aff4path).endswith("BootExecute"))

コード例 #9

ファイル: collectors_test.py プロジェクト: ytisf/grr

    def testRegistryDefaultValueArtifact(self):
        with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
                                   test_lib.FakeRegistryVFSHandler):
            with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                       test_lib.FakeFullVFSHandler):

                client_mock = action_mocks.ActionMock(standard.StatFile)
                coll1 = artifact_registry.ArtifactSource(
                    type=artifact_registry.ArtifactSource.SourceType.
                    REGISTRY_VALUE,
                    attributes={
                        "key_value_pairs": [{
                            "key":
                            (r"HKEY_LOCAL_MACHINE/SOFTWARE/ListingTest"),
                            "value":
                            ""
                        }]
                    })
                self.fakeartifact.sources.append(coll1)
                artifact_list = ["FakeArtifact"]
                for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                                 client_mock,
                                                 artifact_list=artifact_list,
                                                 token=self.token,
                                                 client_id=self.client_id):
                    session_id = s

        fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
                               token=self.token)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
        self.assertEqual(fd[0].registry_data.GetValue(), "DefaultValue")

コード例 #10

ファイル: collectors_test.py プロジェクト: ytisf/grr

    def testRunGrrClientActionArtifact(self):
        """Test we can get a GRR client artifact."""
        with utils.Stubber(psutil, "process_iter", ProcessIter):
            client_mock = action_mocks.ActionMock(standard.ListProcesses)
            client = aff4.FACTORY.Open(self.client_id,
                                       token=self.token,
                                       mode="rw")
            client.Set(client.Schema.SYSTEM("Linux"))
            client.Flush()

            coll1 = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.
                GRR_CLIENT_ACTION,
                attributes={"client_action": r"ListProcesses"})
            self.fakeartifact.sources.append(coll1)
            artifact_list = ["FakeArtifact"]
            for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                             client_mock,
                                             artifact_list=artifact_list,
                                             token=self.token,
                                             client_id=self.client_id):
                session_id = s

            # Test the AFF4 file that was created.
            fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
                                   token=self.token)
            self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
            self.assertTrue(len(fd) == 1)

コード例 #11

    def testRegistryValueArtifact(self):
        with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
                                       vfs_test_lib.FakeRegistryVFSHandler):
            with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
                                           vfs_test_lib.FakeFullVFSHandler):

                client_mock = action_mocks.ActionMock(standard.StatFile)
                coll1 = artifact_registry.ArtifactSource(
                    type=artifact_registry.ArtifactSource.SourceType.
                    REGISTRY_VALUE,
                    attributes={
                        "key_value_pairs": [{
                            "key":
                            (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
                             r"\Control\Session Manager"),
                            "value":
                            "BootExecute"
                        }]
                    })
                self.fakeartifact.sources.append(coll1)
                artifact_list = ["FakeArtifact"]
                for s in flow_test_lib.TestFlowHelper(
                        collectors.ArtifactCollectorFlow.__name__,
                        client_mock,
                        artifact_list=artifact_list,
                        token=self.token,
                        client_id=self.client_id):
                    session_id = s

        # Test the statentry got stored.
        fd = flow.GRRFlow.ResultCollectionForFID(session_id, token=self.token)
        self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
        urn = fd[0].pathspec.AFF4Path(self.client_id)
        self.assertTrue(str(urn).endswith("BootExecute"))

コード例 #12

    def testConditions(self):
        """Test we can get a GRR client artifact with conditions."""
        with utils.Stubber(psutil, "process_iter", ProcessIter):
            # Run with false condition.
            client_mock = action_mocks.ActionMock(standard.ListProcesses)
            coll1 = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.
                GRR_CLIENT_ACTION,
                attributes={"client_action": standard.ListProcesses.__name__},
                conditions=["os == 'Windows'"])
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertEqual(len(fd), 0)

            # Now run with matching or condition.
            coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
            self.fakeartifact.sources = []
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertNotEqual(len(fd), 0)

            # Now run with impossible or condition.
            coll1.conditions.append("os == 'NotTrue'")
            self.fakeartifact.sources = []
            self.fakeartifact.sources.append(coll1)
            fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
            self.assertEqual(fd.__class__,
                             sequential_collection.GeneralIndexedCollection)
            self.assertEqual(len(fd), 0)

コード例 #13

    def testRunGrrClientActionArtifact(self):
        """Test we can get a GRR client artifact."""
        with utils.Stubber(psutil, "process_iter", ProcessIter):
            client_mock = action_mocks.ActionMock(standard.ListProcesses)
            client = aff4.FACTORY.Open(self.client_id,
                                       token=self.token,
                                       mode="rw")
            client.Set(client.Schema.SYSTEM("Linux"))
            client.Flush()

            coll1 = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.
                GRR_CLIENT_ACTION,
                attributes={"client_action": standard.ListProcesses.__name__})
            self.fakeartifact.sources.append(coll1)
            artifact_list = ["FakeArtifact"]
            for s in flow_test_lib.TestFlowHelper(
                    collectors.ArtifactCollectorFlow.__name__,
                    client_mock,
                    artifact_list=artifact_list,
                    token=self.token,
                    client_id=self.client_id):
                session_id = s

            fd = flow.GRRFlow.ResultCollectionForFID(session_id,
                                                     token=self.token)
            self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
            self.assertTrue(len(fd) == 1)

コード例 #14

ファイル: collectors_test.py プロジェクト: ytisf/grr

    def testRunGrrClientActionArtifactSplit(self):
        """Test that artifacts get split into separate collections."""
        with utils.Stubber(psutil, "process_iter", ProcessIter):
            client_mock = action_mocks.ActionMock(standard.ListProcesses)
            client = aff4.FACTORY.Open(self.client_id,
                                       token=self.token,
                                       mode="rw")
            client.Set(client.Schema.SYSTEM("Linux"))
            client.Flush()

            coll1 = artifact_registry.ArtifactSource(
                type=artifact_registry.ArtifactSource.SourceType.
                GRR_CLIENT_ACTION,
                attributes={"client_action": r"ListProcesses"})
            self.fakeartifact.sources.append(coll1)
            self.fakeartifact2.sources.append(coll1)
            artifact_list = ["FakeArtifact", "FakeArtifact2"]
            for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
                                             client_mock,
                                             artifact_list=artifact_list,
                                             token=self.token,
                                             client_id=self.client_id,
                                             split_output_by_artifact=True):
                session_id = s

            # Check that we got two separate collections based on artifact name
            fd = aff4.FACTORY.Open(session_id.Add(
                "%s_%s" % (flow_runner.RESULTS_SUFFIX, "FakeArtifact")),
                                   token=self.token)
            self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
            self.assertEqual(len(fd), 1)

            fd = aff4.FACTORY.Open(session_id.Add(
                "%s_%s" % (flow_runner.RESULTS_SUFFIX, "FakeArtifact2")),
                                   token=self.token)
            self.assertEqual(len(fd), 1)
            self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))