def Process(self, args) -> Iterator[rdf_osquery.OsqueryResult]:
    """Runs the osquery query from `args` and yields the result table in chunks.

    Args:
      args: Request object; this method reads `args.query` and
        `args.ignore_stderr_errors` and passes the whole object to `Query`.

    Yields:
      One `OsqueryResult` per chunk of the parsed table. Every chunk carries
      the stderr text of the osquery run.

    Raises:
      RuntimeError: If `Osquery.path` is not configured, or nothing exists at
        that path on this client.
      ValueError: If the query is empty.
      QueryError: If osquery wrote to stderr and `args.ignore_stderr_errors`
        is not set.
    """
    osquery_path = config.CONFIG["Osquery.path"]
    if not osquery_path:
        raise RuntimeError(
            "The `Osquery` action invoked on a client without "
            "osquery path specified.")

    # NOTE(review): existence is the only property checked here. Whether the
    # path is a regular file, is executable, or is writable by other users is
    # not verified in this method - confirm it is enforced elsewhere.
    if not os.path.exists(osquery_path):
        raise RuntimeError(
            "The `Osquery` action invoked on a client where "
            "osquery executable is not available.")

    # NOTE(review): non-emptiness is the only constraint this method puts on
    # the query text; any allow-listing or authorization must happen upstream.
    if not args.query:
        raise ValueError("The `Osquery` was invoked with an empty query.")

    output = Query(args)

    # osquery exits with 0 even on syntax errors and only reports them on
    # standard error, so non-empty stderr is treated as a failure unless the
    # caller explicitly opted out.
    if output.stderr:
        if not args.ignore_stderr_errors:
            raise QueryError(output.stderr)

    # OrderedDict keeps the key order of each decoded JSON object.
    decoder = json.Decoder(object_pairs_hook=collections.OrderedDict)
    decoded_rows = decoder.decode(output.stdout)
    table = ParseTable(decoded_rows)
    table.query = args.query

    max_chunk_size = config.CONFIG["Osquery.max_chunk_size"]
    for part in ChunkTable(table, max_chunk_size):
        yield rdf_osquery.OsqueryResult(table=part, stderr=output.stderr)
def testGetTableColumns(self):
    """`GetTableColumns` yields the header column names in insertion order."""
    expected_names = ["A", "B", "C"]

    table = rdf_osquery.OsqueryTable()
    for column_name in expected_names:
        table.header.columns.append(rdf_osquery.OsqueryColumn(name=column_name))

    result = rdf_osquery.OsqueryResult()
    result.table = table

    actual_names = list(result.GetTableColumns())
    self.assertEqual(["A", "B", "C"], actual_names)
def testGetTableRows(self):
    """`GetTableRows` yields each row's values as a list, in insertion order."""
    table = rdf_osquery.OsqueryTable()
    table.header.columns.append(rdf_osquery.OsqueryColumn(name="A"))
    for cell in ("cell1", "cell2", "cell3"):
        table.rows.append(rdf_osquery.OsqueryRow(values=[cell]))

    result = rdf_osquery.OsqueryResult()
    result.table = table

    actual_rows = list(result.GetTableRows())
    self.assertEqual([["cell1"], ["cell2"], ["cell3"]], actual_rows)
def testTextWithCommasToCsvBytes(self):
    """Header and cell values containing commas are quoted in the CSV output.

    NOTE(review): this covers delimiter quoting only. Cell values that a
    spreadsheet would interpret as a formula (leading `=`, `+`, `-`, `@`) are
    not exercised by this test.
    """
    table = rdf_osquery.OsqueryTable()
    header_column = rdf_osquery.OsqueryColumn(name="c,o,l,u,m,n")
    table.header.columns.append(header_column)
    table.rows.append(rdf_osquery.OsqueryRow(values=["c,e,l,l"]))

    result = rdf_osquery.OsqueryResult()
    result.table = table

    csv_chunks = api_osquery._ParseToCsvBytes([result])
    csv_lines = [chunk.decode("utf-8") for chunk in csv_chunks]

    self.assertListEqual(["\"c,o,l,u,m,n\"\r\n", "\"c,e,l,l\"\r\n"], csv_lines)
def testSomeTextToCsvBytes(self):
    """A two-column table becomes a header line followed by one line per row."""
    table = rdf_osquery.OsqueryTable()
    for column_name in ("A", "B"):
        table.header.columns.append(rdf_osquery.OsqueryColumn(name=column_name))
    for row_values in (["1-A", "1-B"], ["2-A", "2-B"]):
        table.rows.append(rdf_osquery.OsqueryRow(values=row_values))

    result = rdf_osquery.OsqueryResult()
    result.table = table

    csv_chunks = api_osquery._ParseToCsvBytes([result])
    # Plain values without commas are expected to be emitted unquoted, with
    # CRLF line endings.
    csv_lines = [chunk.decode("utf-8") for chunk in csv_chunks]

    self.assertListEqual(["A,B\r\n", "1-A,1-B\r\n", "2-A,2-B\r\n"], csv_lines)
def Process(self, args) -> Iterator[rdf_osquery.OsqueryResult]:
    """Runs the osquery query from `args` and yields the result table in chunks.

    Args:
      args: Request object; this method reads `args.query` and passes the
        whole object to `Query`.

    Yields:
      One `OsqueryResult` per chunk of the parsed table.

    Raises:
      RuntimeError: If `Osquery.path` is not configured, or nothing exists at
        that path on this client.
      ValueError: If the query is empty.
    """
    osquery_path = config.CONFIG["Osquery.path"]
    if not osquery_path:
        raise RuntimeError("The `Osquery` action invoked on a client without "
                           "osquery path specified.")

    # NOTE(review): existence is the only property checked here. Whether the
    # path is a regular file, is executable, or is writable by other users is
    # not verified in this method - confirm it is enforced elsewhere.
    if not os.path.exists(osquery_path):
        raise RuntimeError("The `Osquery` action invoked on a client where "
                           "osquery executable is not available.")

    # NOTE(review): non-emptiness is the only constraint this method puts on
    # the query text; any allow-listing or authorization must happen upstream.
    if not args.query:
        raise ValueError("The `Osquery` was invoked with an empty query.")

    # NOTE(review): the value returned by `Query` is decoded as-is and this
    # method does not look at osquery's standard error. Whether `Query` itself
    # surfaces osquery error output cannot be seen from here - confirm.
    output = Query(args)

    # OrderedDict keeps the key order of each decoded JSON object.
    decoder = json.Decoder(object_pairs_hook=collections.OrderedDict)
    decoded_rows = decoder.decode(output)
    table = ParseTable(decoded_rows)
    table.query = args.query

    max_chunk_size = config.CONFIG["Osquery.max_chunk_size"]
    for part in ChunkTable(table, max_chunk_size):
        yield rdf_osquery.OsqueryResult(table=part)