def GetKnowledgeBase(rdf_client_obj, allow_uninitialized=False):
"""Returns a knowledgebase from an rdf client object."""
if not allow_uninitialized:
if rdf_client_obj is None:
raise artifact_utils.KnowledgeBaseUninitializedError(
"No client snapshot given.")
if rdf_client_obj.knowledge_base is None:
raise artifact_utils.KnowledgeBaseUninitializedError(
"KnowledgeBase empty for %s." % rdf_client_obj.client_id)
kb = rdf_client_obj.knowledge_base
if not kb.os:
raise artifact_utils.KnowledgeBaseAttributesMissingError(
"KnowledgeBase missing OS for %s. Knowledgebase content: %s" %
(rdf_client_obj.client_id, kb))
if rdf_client_obj is None or rdf_client_obj.knowledge_base is None:
return rdf_client.KnowledgeBase()
version = rdf_client_obj.os_version.split(".")
kb = rdf_client_obj.knowledge_base
try:
kb.os_major_version = int(version[0])
if len(version) > 1:
kb.os_minor_version = int(version[1])
except ValueError:
pass
return kb
def GetArtifactKnowledgeBase(client_obj, allow_uninitialized=False):
"""This generates an artifact knowledge base from a GRR client.
Args:
client_obj: A GRRClient object which is opened for reading.
allow_uninitialized: If True we accept an uninitialized knowledge_base.
Returns:
A KnowledgeBase semantic value.
Raises:
ArtifactProcessingError: If called when the knowledge base has not been
initialized.
KnowledgeBaseUninitializedError: If we failed to initialize the knowledge
base.
This is needed so that the artifact library has a standardized
interface to the data that is actually stored in the GRRClient object in
the GRR datastore.
We expect that the client KNOWLEDGE_BASE is already filled out through the,
KnowledgeBaseInitialization flow, but attempt to make some intelligent
guesses if things failed.
"""
client_schema = client_obj.Schema
kb = client_obj.Get(client_schema.KNOWLEDGE_BASE)
if not allow_uninitialized:
if not kb:
raise artifact_utils.KnowledgeBaseUninitializedError(
"KnowledgeBase empty for %s." % client_obj.urn)
if not kb.os:
raise artifact_utils.KnowledgeBaseAttributesMissingError(
"KnowledgeBase missing OS for %s. Knowledgebase content: %s" %
(client_obj.urn, kb))
if not kb:
kb = client_schema.KNOWLEDGE_BASE()
SetCoreGRRKnowledgeBaseValues(kb, client_obj)
if kb.os == "Windows":
# Add fallback values.
if not kb.environ_allusersappdata and kb.environ_allusersprofile:
# Guess if we don't have it already.
if kb.os_major_version >= 6:
kb.environ_allusersappdata = u"c:\\programdata"
kb.environ_allusersprofile = u"c:\\programdata"
else:
kb.environ_allusersappdata = (
u"c:\\documents and settings\\All Users\\"
"Application Data")
kb.environ_allusersprofile = u"c:\\documents and settings\\All Users"
return kb
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
# TODO(hanuszczak): Flow arguments also appear to have some knowledgebase.
# Do we use it in any way?
if not self.state.knowledge_base:
self.state.knowledge_base = _ReadClientKnowledgeBase(
self.client_id, allow_uninitialized=True)
request = GetArtifactCollectorArgs(self.args, self.state.knowledge_base)
self.CollectArtifacts(request)
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
with aff4.FACTORY.Open(self.client_id, token=self.token) as client:
# If we are processing the knowledge base, it still won't exist yet.
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
client, allow_uninitialized=True)
request = GetArtifactCollectorArgs(
self.state.knowledge_base, self.args.artifact_list,
self.args.apply_parsers, self.args.ignore_interpolation_errors,
self.args.use_tsk, self.args.max_file_size)
self.CollectArtifacts(request)
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
self.state.knowledge_base = _ReadClientKnowledgeBase(
self.client_id, allow_uninitialized=True)
for artifact_name in self.args.artifact_list:
artifact_obj = self._GetArtifactFromName(artifact_name)
# Ensure artifact has been written sanely. Note that this could be
# removed if it turns out to be expensive. Artifact tests should catch
# these.
artifact_registry.Validate(artifact_obj)
self.Collect(artifact_obj)
def StartCollection(self, responses):
"""Start collecting."""
if not responses.success:
raise artifact_utils.KnowledgeBaseUninitializedError(
"Attempt to initialize Knowledge Base failed.")
if not self.state.knowledge_base:
self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
# If we are processing the knowledge base, it still won't exist yet.
self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
self.client, allow_uninitialized=True)
for artifact_name in self.args.artifact_list:
artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name)
# Ensure artifact has been written sanely. Note that this could be
# removed if it turns out to be expensive. Artifact tests should catch
# these.
artifact_registry.Validate(artifact_obj)
self.Collect(artifact_obj)
