def testDebianPackagesStatusParserBadInput(self):
  """A malformed status file must yield anomalies rather than raise.

  Feeds a file that is not a dpkg status database ("numbers.txt") through
  the parser and checks that everything it emits is an Anomaly.
  """
  status_path = os.path.join(self.base_path, "numbers.txt")
  status_parser = linux_software_parser.DebianPackagesStatusParser(deb822)
  with open(status_path, "rb") as status_file:
    results = list(status_parser.Parse(None, status_file, None))
  # NOTE(review): this loop passes vacuously when the parser yields nothing
  # for bad input; confirm whether an explicit non-empty check is intended.
  for item in results:
    self.assertIsInstance(item, rdf_anomaly.Anomaly)
def testDebianPackagesStatusParser(self):
  """A two-stanza status file parses into two (name, version) packages."""
  status_parser = linux_software_parser.DebianPackagesStatusParser()
  status_path = os.path.join(self.base_path, "dpkg_status")
  with open(status_path, "rb") as status_file:
    packages = list(status_parser.Parse(None, status_file, None))
  self.assertEqual(len(packages), 2)
  first, second = packages
  self.assertEqual(("t1", "v1"), (first.name, first.version))
  self.assertEqual(("t2", "v2"), (second.name, second.version))
def testDebianPackagesStatusParser(self):
  """A two-stanza status file parses into one list holding two packages."""
  status_parser = linux_software_parser.DebianPackagesStatusParser(deb822)
  status_path = os.path.join(self.base_path, "dpkg_status")
  with open(status_path, "rb") as status_file:
    results = list(status_parser.ParseFile(None, None, status_file))
  self.assertLen(results, 1)
  (package_list,) = results
  self.assertLen(package_list.packages, 2)
  expected = [("t1", "v1"), ("t2", "v2")]
  for want, package in zip(expected, package_list.packages):
    self.assertEqual(want, (package.name, package.version))
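def Register():
  """Adds all known parsers to the registry.

  Parsers are registered per factory and, within a factory, grouped by the
  kind of input they consume (command output, grep buffers, WMI queries,
  registry values, artifact files, ...). Registration order is preserved
  from the original explicit call list.

  The Debian status-file parser depends on the optional ``python-debian``
  package. When that package cannot be imported the parser is skipped and a
  warning is logged, so the resulting parsing gap is visible to operators
  instead of being swallowed silently.
  """
  import logging  # pylint: disable=g-import-not-at-top

  # Command parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("Dpkg", linux_cmd_parser.DpkgCmdParser),
      ("Dmidecode", linux_cmd_parser.DmidecodeCmdParser),
      ("Mount", config_file.MountCmdParser),
      ("OsxSpHardware", osx_file_parser.OSXSPHardwareDataTypeParser),
      ("Ps", linux_cmd_parser.PsCmdParser),
      ("Rpm", linux_cmd_parser.RpmCmdParser),
      ("SshdConfig", config_file.SshdConfigCmdParser),
      ("Sysctl", linux_sysctl_parser.SysctlCmdParser),
      ("YumList", linux_cmd_parser.YumListCmdParser),
      ("YumRepolist", linux_cmd_parser.YumRepolistCmdParser),
  ])

  # Grep parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("Passwd", linux_file_parser.PasswdBufferParser),
      ("Netgroup", linux_file_parser.NetgroupBufferParser),
  ])

  # WMI query parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("WmiEventConsumer", wmi_parser.WMIEventConsumerParser),
      ("WmiInstalledSoftware", wmi_parser.WMIInstalledSoftwareParser),
      ("WmiHotfixesSoftware", wmi_parser.WMIHotfixesSoftwareParser),
      ("WmiUser", wmi_parser.WMIUserParser),
      ("WmiLogicalDisks", wmi_parser.WMILogicalDisksParser),
      ("WmiCsp", wmi_parser.WMIComputerSystemProductParser),
      ("WmiInterfaces", wmi_parser.WMIInterfacesParser),
  ])

  # Registry value parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("WinCcs", windows_registry_parser.CurrentControlSetKBParser),
      ("WinCodepage", windows_registry_parser.CodepageParser),
      ("WinEnvironment", windows_registry_parser.WinEnvironmentParser),
      ("WinServices", windows_registry_parser.WinServicesParser),
      ("WinSystemDrive", windows_registry_parser.WinSystemDriveParser),
      ("WinSystemRoot", windows_registry_parser.WinSystemRootParser),
      ("WinTimezone", windows_registry_parser.WinTimezoneParser),
  ])

  # Registry parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("WinAllUsersProfileEnvVar",
       windows_registry_parser.AllUsersProfileEnvironmentVariable),
      ("WinProfileDirEnvVar",
       windows_registry_parser.ProfilesDirectoryEnvironmentVariable),
      ("WinUserSids", windows_registry_parser.WinUserSids),
  ])

  # Artifact file parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("DarwinPersistenceMechanism",
       osx_launchd.DarwinPersistenceMechanismsParser),
      ("WindowsPersistenceMechanism",
       windows_persistence.WindowsPersistenceMechanismsParser),
  ])

  # Rekall parsers.
  _RegisterAll(parsers.SINGLE_RESPONSE_PARSER_FACTORY, [
      ("RekallPsList", rekall_artifact_parser.RekallPsListParser),
      ("RekallVad", rekall_artifact_parser.RekallVADParser),
  ])

  # Registry multi-parsers.
  _RegisterAll(parsers.MULTI_RESPONSE_PARSER_FACTORY, [
      ("WinUserSpecialDirs", windows_registry_parser.WinUserSpecialDirs),
  ])

  # Artifact file multi-parsers.
  _RegisterAll(parsers.MULTI_RESPONSE_PARSER_FACTORY, [
      ("OsxUsers", osx_file_parser.OSXUsersParser),
  ])

  # File parsers.
  _RegisterAll(parsers.SINGLE_FILE_PARSER_FACTORY, [
      ("ChromeHistory", chrome_history.ChromeHistoryParser),
      ("CronAtAllAllowDeny", config_file.CronAtAllowDenyParser),
      ("CronTab", cron_file_parser.CronTabParser),
      ("FirefoxHistory", firefox3_history.FirefoxHistoryParser),
      ("IeHistory", ie_history.IEHistoryParser),
      ("LinuxWtmp", linux_file_parser.LinuxWtmpParser),
      ("Mtab", config_file.MtabParser),
      ("Netgroup", linux_file_parser.NetgroupParser),
      ("NfsExports", config_file.NfsExportsParser),
      ("Ntpd", config_file.NtpdParser),
      ("PackageSource", config_file.PackageSourceParser),
      ("Passwd", linux_file_parser.PasswdParser),
      ("Path", linux_file_parser.PathParser),
      ("SshdConfigFile", config_file.SshdConfigParser),
      ("Sudoers", config_file.SudoersParser),
      ("OsxLaunchdPlist", osx_file_parser.OSXLaunchdPlistParser),
  ])

  # The Debian status parser needs python-debian, an optional dependency.
  # Only the import sits inside the try so that an ImportError raised from
  # the parser module itself is not mistaken for the package being absent.
  try:
    from debian import deb822  # pylint: disable=g-import-not-at-top
  except ImportError:
    logging.warning(
        "python-debian is not installed; DpkgStatusParser not registered.")
  else:
    parsers.SINGLE_FILE_PARSER_FACTORY.Register(
        "DpkgStatusParser",
        lambda: linux_software_parser.DebianPackagesStatusParser(deb822))

  # File multi-parsers.
  _RegisterAll(parsers.MULTI_FILE_PARSER_FACTORY, [
      ("LinuxBaseShadow", linux_file_parser.LinuxBaseShadowParser),
      ("LinuxLsbInit", linux_service_parser.LinuxLSBInitParser),
      ("LinuxXinetd", linux_service_parser.LinuxXinetdParser),
      ("LinuxSysvInit", linux_service_parser.LinuxSysVInitParser),
      ("LinuxPam", linux_pam_parser.PAMParser),
      ("LinuxRelease", linux_release_parser.LinuxReleaseParser),
      ("PciDevicesInfo", linux_file_parser.PCIDevicesInfoParser),
      ("ProcSys", linux_sysctl_parser.ProcSysParser),
      ("Rsyslog", config_file.RsyslogParser),
  ])


def _RegisterAll(factory, entries):
  """Registers each ``(name, parser)`` pair of *entries* with *factory*.

  Args:
    factory: A parser factory exposing ``Register(name, parser)``.
    entries: An iterable of ``(name, parser)`` pairs; they are registered in
      iteration order, so the order of the list is the registration order.
  """
  for name, parser in entries:
    factory.Register(name, parser)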