def testKnowledgeBaseRetrievalLinuxPasswd(self): """Check we can retrieve a Linux kb.""" with vfs_test_lib.FakeTestDataVFSOverrider(): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": ["LinuxWtmp", "LinuxPasswdHomedirs", "LinuxReleaseInfo"], "Artifacts.knowledge_base_additions": [], "Artifacts.knowledge_base_skip": [] }): with test_lib.SuppressLogs(): kb = self._RunKBI() self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. self.assertCountEqual([x.username for x in kb.users], ["user1", "user2", "user3"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1") user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552102) self.assertEqual(user.homedir, "/home/user2") self.assertFalse(kb.GetUser(username="******"))
def testKnowledgeBaseRetrievalLinux(self): """Check we can retrieve a Linux kb.""" self.ClearKB() with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "LinuxWtmp", "NetgroupConfiguration", "LinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.netgroup_filter_regexes": ["^login$"], "Artifacts.netgroup_user_blacklist": ["isaac"] }): with vfs_test_lib.FakeTestDataVFSOverrider(): for _ in flow_test_lib.TestFlowHelper( artifact.KnowledgeBaseInitializationFlow.__name__, self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. yagharek from netgroup. self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3", "yagharek"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1")
def testKnowledgeBaseRetrievalLinuxNoUsers(self): """Cause a users.username dependency failure.""" self.ClearKB() with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.netgroup_filter_regexes": ["^doesntexist$"] }): with vfs_test_lib.FakeTestDataVFSOverrider(): for _ in flow_test_lib.TestFlowHelper( artifact.KnowledgeBaseInitializationFlow.__name__, self.client_mock, require_complete=False, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) self.assertItemsEqual([x.username for x in kb.users], [])
def testFilesArtifact(self): """Check GetFiles artifacts.""" with vfs_test_lib.FakeTestDataVFSOverrider(): self.RunCollectorAndGetCollection( ["TestFilesArtifact"], client_mock=self.client_mock) urn = self.client_id.Add("fs/os/").Add("var/log/auth.log") aff4.FACTORY.Open(urn, aff4_type=aff4_grr.VFSBlobImage, token=self.token)
def testKnowledgeBaseRetrievalLinuxPasswd(self): """Check we can retrieve a Linux kb.""" self.ClearKB() with vfs_test_lib.FakeTestDataVFSOverrider(): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "LinuxWtmp", "LinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.knowledge_base_additions": [], "Artifacts.knowledge_base_skip": [] }): for _ in flow_test_lib.TestFlowHelper( artifact.KnowledgeBaseInitializationFlow.__name__, self.client_mock, client_id=self.client_id, token=self.token): pass client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw") kb = artifact.GetArtifactKnowledgeBase(client) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1") user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552102) self.assertEqual(user.homedir, "/home/user2") self.assertFalse(kb.GetUser(username="******"))
def RunFlow(self, client_id): with vfs_test_lib.FakeTestDataVFSOverrider(): session_id = flow_test_lib.TestFlowHelper( flow_checks.CheckRunner.__name__, client_mock=self.client_mock, client_id=client_id, token=self.token) results = flow_test_lib.GetFlowResults(client_id, session_id) return session_id, {r.check_id: r for r in results}
def testFilesArtifact(self): """Check GetFiles artifacts.""" client_id = test_lib.TEST_CLIENT_ID with vfs_test_lib.FakeTestDataVFSOverrider(): self.RunCollectorAndGetResults(["TestFilesArtifact"], client_mock=self.client_mock, client_id=client_id) cp = db.ClientPath.OS(client_id, ("var", "log", "auth.log")) fd = file_store.OpenFile(cp) self.assertNotEmpty(fd.read())
def RunFlow(self): with test_lib.Instrument(flow.GRRFlow, "SendReply") as send_reply: with vfs_test_lib.FakeTestDataVFSOverrider(): session_id = flow_test_lib.TestFlowHelper( flow_checks.CheckRunner.__name__, client_mock=self.client_mock, client_id=self.client_id, token=self.token) session = aff4.FACTORY.Open(session_id, token=self.token) results = { r.check_id: r for _, r in send_reply.args if isinstance(r, checks.CheckResult) } return session, results
def testFilesArtifact(self): """Check GetFiles artifacts.""" client_id = test_lib.TEST_CLIENT_ID with vfs_test_lib.FakeTestDataVFSOverrider(): self.RunCollectorAndGetCollection(["TestFilesArtifact"], client_mock=self.client_mock, client_id=client_id) if data_store.RelationalDBEnabled(): cp = db.ClientPath.OS(client_id.Basename(), ("var", "log", "auth.log")) fd = file_store.OpenFile(cp) self.assertNotEmpty(fd.read()) else: urn = client_id.Add("fs/os/").Add("var/log/auth.log") aff4.FACTORY.Open( urn, aff4_type=aff4_grr.VFSBlobImage, token=self.token)
def testKnowledgeBaseRetrievalLinuxNoUsers(self): """Cause a users.username dependency failure.""" with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs", "LinuxReleaseInfo" ], "Artifacts.netgroup_filter_regexes": ["^doesntexist$"] }): with vfs_test_lib.FakeTestDataVFSOverrider(): with test_lib.SuppressLogs(): kb = self._RunKBI(require_complete=False) self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) self.assertCountEqual([x.username for x in kb.users], [])
def testLinuxPasswdHomedirsArtifact(self): """Check LinuxPasswdHomedirs artifacts.""" with vfs_test_lib.FakeTestDataVFSOverrider(): fd = self.RunCollectorAndGetCollection( ["LinuxPasswdHomedirs"], client_mock=self.client_mock) self.assertEqual(len(fd), 3) self.assertItemsEqual([x.username for x in fd], [u"exomemory", u"gevulot", u"gogol"]) for user in fd: if user.username == u"exomemory": self.assertEqual(user.full_name, u"Never Forget (admin)") self.assertEqual(user.gid, 47) self.assertEqual(user.homedir, u"/var/lib/exomemory") self.assertEqual(user.shell, u"/bin/sh") self.assertEqual(user.uid, 46)
def testInterrogateLinuxWithWtmp(self): """Test the Interrogate flow.""" self.client_id = self.SetupClient(0, system="Linux", os_version="12.04") data_store.REL_DB.WriteClientMetadata(self.client_id.Basename(), fleetspeak_enabled=False) with vfs_test_lib.FakeTestDataVFSOverrider(): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": ["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"], "Artifacts.netgroup_filter_regexes": [r"^login$"] }): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient() for _ in flow_test_lib.TestFlowHelper( discovery.Interrogate.__name__, client_mock, token=self.token, client_id=self.client_id): pass self.fd = aff4.FACTORY.Open(self.client_id, token=self.token) self._CheckBasicInfo("test_node.test", "Linux", 100 * 1000000) self._CheckClientInfo() self._CheckGRRConfig() self._CheckNotificationsCreated() self._CheckClientSummary("Linux", "14.4", release="Ubuntu", kernel="3.13.0-39-generic") self._CheckRelease("Ubuntu", "14.4") # users 1,2,3 from wtmp # users yagharek, isaac from netgroup self._CheckUsers( ["yagharek", "isaac", "user1", "user2", "user3"]) self._CheckNetworkInfo() self._CheckVFS() self._CheckLabels() self._CheckLabelIndex() self._CheckClientKwIndex(["Linux"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckClientLibraries() self._CheckMemory()
def testLinuxPasswdHomedirsArtifact(self): """Check LinuxPasswdHomedirs artifacts.""" with vfs_test_lib.FakeTestDataVFSOverrider(): fd = self.RunCollectorAndGetResults(["LinuxPasswdHomedirs"], client_mock=self.client_mock, client_id=test_lib.TEST_CLIENT_ID) self.assertLen(fd, 5) self.assertCountEqual( [x.username for x in fd], [u"exomemory", u"gevulot", u"gogol", u"user1", u"user2"]) for user in fd: if user.username == u"exomemory": self.assertEqual(user.full_name, u"Never Forget (admin)") self.assertEqual(user.gid, 47) self.assertEqual(user.homedir, u"/var/lib/exomemory") self.assertEqual(user.shell, u"/bin/sh") self.assertEqual(user.uid, 46)
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self): with vfs_test_lib.FakeTestDataVFSOverrider(): with vfs_test_lib.VFSOverrider( rdf_paths.PathSpec.PathType.MEMORY, vfs_test_lib.FakeTestDataVFSHandler): paths = ["/var/log/auth.log", "/etc/ssh/sshd_config"] cmlc = rdf_file_finder.FileFinderContentsLiteralMatchCondition literal_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=cmlc( mode="ALL_HITS", bytes_before=10, bytes_after=10, literal="session opened for user dearjohn")) # Check this condition with all the actions. This makes sense, as we may # download memeory or send it to the socket. for action in self.CONDITION_TESTS_ACTIONS: for s in flow_test_lib.TestFlowHelper( file_finder.FileFinder.__name__, self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdf_paths.PathSpec.PathType.MEMORY, conditions=[literal_condition], action=rdf_file_finder.FileFinderAction( action_type=action), token=self.token): session_id = s self.CheckFilesInCollection(["auth.log"], session_id=session_id) fd = flow.GRRFlow.ResultCollectionForFID(session_id) self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(), paths[0]) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testInterrogateLinuxWithWtmp(self): """Test the Interrogate flow.""" client_id = self._SetupMinimalClient() with vfs_test_lib.FakeTestDataVFSOverrider(): with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "LinuxWtmp", "NetgroupConfiguration", "LinuxReleaseInfo" ], "Artifacts.netgroup_filter_regexes": [r"^login$"] }): client_mock = action_mocks.InterrogatedClient() client_mock.InitializeClient(version="14.4", release="Ubuntu") with test_lib.SuppressLogs(): flow_test_lib.TestFlowHelper( discovery.Interrogate.__name__, client_mock, token=self.token, client_id=client_id) client = self._OpenClient(client_id) self._CheckBasicInfo(client, "test_node.test", "Linux", 100 * 1000000) self._CheckClientInfo(client) self._CheckGRRConfig(client) self._CheckNotificationsCreated(self.token.username, client_id) self._CheckClientSummary( client_id, client.GetSummary(), "Linux", "14.4", release="Ubuntu", kernel="3.13.0-39-generic") self._CheckRelease(client, "Ubuntu", "14.4") # users 1,2,3 from wtmp, users yagharek, isaac from netgroup self._CheckUsers(client, ["yagharek", "isaac", "user1", "user2", "user3"]) self._CheckNetworkInfo(client) # No VFS test when running on the relational db. self._CheckLabels(client_id) self._CheckLabelIndex(client_id) self._CheckClientKwIndex(["Linux"], 1) self._CheckClientKwIndex(["Label2"], 1) self._CheckClientLibraries(client) self._CheckMemory(client)
def testKnowledgeBaseRetrievalLinux(self): """Check we can retrieve a Linux kb.""" with test_lib.ConfigOverrider({ "Artifacts.knowledge_base": [ "LinuxWtmp", "NetgroupConfiguration", "LinuxPasswdHomedirs", "LinuxRelease" ], "Artifacts.netgroup_filter_regexes": ["^login$"], "Artifacts.netgroup_user_blacklist": ["isaac"] }): with vfs_test_lib.FakeTestDataVFSOverrider(): kb = self._RunKBI() self.assertEqual(kb.os_major_version, 14) self.assertEqual(kb.os_minor_version, 4) # user 1,2,3 from wtmp. yagharek from netgroup. self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2", "user3", "yagharek"]) user = kb.GetUser(username="******") self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552099) self.assertEqual(user.homedir, "/home/user1")