def testGetPresetsByOperatingSystem(self):
"""Tests the GetPresetsByOperatingSystem function."""
test_manager = presets.ParserPresetsManager()
test_path = self._GetTestFilePath(['presets.yaml'])
test_manager.ReadFromFile(test_path)
operating_system = artifacts.OperatingSystemArtifact(family='MacOS')
test_presets = test_manager.GetPresetsByOperatingSystem(
operating_system)
self.assertEqual(len(test_presets), 1)
self.assertEqual(test_presets[0].name, 'macos')
expected_parsers = [
'asl_log', 'bash_history', 'bencode', 'bsm_log', 'cups_ipp',
'czip/oxml', 'filestat', 'fseventsd', 'gdrive_synclog', 'java_idx',
'mac_appfirewall_log', 'mac_keychain', 'mac_securityd', 'macwifi',
'olecf', 'plist', 'sqlite/appusage', 'sqlite/google_drive',
'sqlite/imessage', 'sqlite/ls_quarantine',
'sqlite/mac_document_versions', 'sqlite/mackeeper_cache',
'sqlite/skype', 'syslog', 'utmpx', 'webhist',
'zsh_extended_history'
]
self.assertEqual(test_presets[0].parsers, expected_parsers)
operating_system = artifacts.OperatingSystemArtifact(family='bogus')
test_presets = test_manager.GetPresetsByOperatingSystem(
operating_system)
self.assertEqual(len(test_presets), 0)
def testVersionTuple(self):
"""Tests the version_tuplele property."""
attribute_container = artifacts.OperatingSystemArtifact(version="5.1")
self.assertEqual(attribute_container.version_tuple, (5, 1))
attribute_container = artifacts.OperatingSystemArtifact()
self.assertIsNone(attribute_container.version_tuple)
attribute_container = artifacts.OperatingSystemArtifact(version="5.a")
self.assertIsNone(attribute_container.version_tuple)
def testGetNameFromProduct(self):
"""Tests the _GetNameFromProduct function."""
attribute_container = artifacts.OperatingSystemArtifact(
product='Windows Server 2012 R2 Standard')
name = attribute_container._GetNameFromProduct()
self.assertEqual(name, 'Windows 2012 R2')
attribute_container = artifacts.OperatingSystemArtifact(
product='Microsoft Windows Server 2003')
name = attribute_container._GetNameFromProduct()
self.assertEqual(name, 'Windows 2003')
def testIsEquivalent(self):
"""Tests the IsEquivalent function."""
win2k12_container = artifacts.OperatingSystemArtifact(
product='Windows 2012')
winxp_container = artifacts.OperatingSystemArtifact(product='Windows XP')
self.assertFalse(win2k12_container.IsEquivalent(winxp_container))
self.assertFalse(winxp_container.IsEquivalent(win2k12_container))
winnt62_container = artifacts.OperatingSystemArtifact(
family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='6.2')
winnt51_container = artifacts.OperatingSystemArtifact(
family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='5.1')
self.assertFalse(winnt62_container.IsEquivalent(winnt51_container))
self.assertFalse(winnt51_container.IsEquivalent(winnt62_container))
win9x_container = artifacts.OperatingSystemArtifact(
family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_9x)
winnt_container = artifacts.OperatingSystemArtifact(
family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT)
self.assertFalse(win9x_container.IsEquivalent(winnt_container))
self.assertFalse(winnt_container.IsEquivalent(win9x_container))
winnt51_container = artifacts.OperatingSystemArtifact(
family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='5.1')
winxp_container = artifacts.OperatingSystemArtifact(product='Windows XP')
self.assertTrue(winnt51_container.IsEquivalent(winxp_container))
self.assertTrue(winxp_container.IsEquivalent(winnt51_container))
def _ReadOperatingSystemArtifactValues(self, operating_system_values):
"""Reads an operating system artifact from a dictionary.
Args:
operating_system_values (dict[str, object]): operating system values.
Returns:
OperatingSystemArtifact: an operating system artifact attribute container.
Raises:
MalformedPresetError: if the format of the operating system values are
not set or incorrect.
"""
if not operating_system_values:
raise errors.MalformedPresetError(
'Missing operating system values.')
family = operating_system_values.get('family', None)
product = operating_system_values.get('product', None)
version = operating_system_values.get('version', None)
if not family and not product:
raise errors.MalformedPresetError(
'Invalid operating system missing family and product.')
return artifacts.OperatingSystemArtifact(family=family,
product=product,
version=version)
def _GetExpandedParserFilterExpression(self, knowledge_base):
"""Determines the expanded parser filter expression.
Args:
knowledge_base (KnowledgeBase): contains information from the source
data needed for parsing.
Returns:
str: expanded parser filter expression.
Raises:
BadConfigOption: if presets in the parser filter expression could not
be expanded or if an invalid parser or plugin name is specified.
"""
parser_filter_expression = self._parser_filter_expression
if not parser_filter_expression:
operating_system_family = knowledge_base.GetValue('operating_system')
operating_system_product = knowledge_base.GetValue(
'operating_system_product')
operating_system_version = knowledge_base.GetValue(
'operating_system_version')
operating_system_artifact = artifacts.OperatingSystemArtifact(
family=operating_system_family, product=operating_system_product,
version=operating_system_version)
preset_definitions = self._presets_manager.GetPresetsByOperatingSystem(
operating_system_artifact)
if preset_definitions:
self._parser_filter_expression = ','.join([
preset_definition.name
for preset_definition in preset_definitions])
logger.debug('Parser filter expression set to preset: {0:s}'.format(
self._parser_filter_expression))
parser_filter_helper = parser_filter.ParserFilterExpressionHelper()
try:
parser_filter_expression = parser_filter_helper.ExpandPresets(
self._presets_manager, self._parser_filter_expression)
logger.debug('Parser filter expression set to: {0:s}'.format(
parser_filter_expression or 'N/A'))
except RuntimeError as exception:
raise errors.BadConfigOption((
'Unable to expand presets in parser filter expression with '
'error: {0!s}').format(exception))
parser_elements, invalid_parser_elements = (
parsers_manager.ParsersManager.CheckFilterExpression(
parser_filter_expression))
if invalid_parser_elements:
invalid_parser_names_string = ','.join(invalid_parser_elements)
raise errors.BadConfigOption(
'Unknown parser or plugin names in element(s): "{0:s}" of '
'parser filter expression: {1:s}'.format(
invalid_parser_names_string, parser_filter_expression))
return ','.join(sorted(parser_elements))
def testGetAttributeNames(self):
"""Tests the GetAttributeNames function."""
attribute_container = artifacts.OperatingSystemArtifact()
expected_attribute_names = ['family', 'name', 'product', 'version']
attribute_names = sorted(attribute_container.GetAttributeNames())
self.assertEqual(attribute_names, expected_attribute_names)
def testGetPresetsByOperatingSystem(self):
"""Tests the GetPresetsByOperatingSystem function."""
test_file_path = self._GetTestFilePath(['presets.yaml'])
self._SkipIfPathNotExists(test_file_path)
test_manager = presets.ParserPresetsManager()
test_manager.ReadFromFile(test_file_path)
operating_system = artifacts.OperatingSystemArtifact(family='MacOS')
test_presets = test_manager.GetPresetsByOperatingSystem(operating_system)
self.assertEqual(len(test_presets), 1)
self.assertEqual(test_presets[0].name, 'macos')
self.assertEqual(test_presets[0].parsers, self._MACOS_PARSERS)
operating_system = artifacts.OperatingSystemArtifact(family='bogus')
test_presets = test_manager.GetPresetsByOperatingSystem(operating_system)
self.assertEqual(len(test_presets), 0)
def GetPresetsForOperatingSystem(
cls, operating_system, operating_system_product,
operating_system_version):
"""Determines the presets for a specific operating system.
Args:
operating_system (str): operating system for example "Windows". This
should be one of the values in definitions.OPERATING_SYSTEM_FAMILIES.
operating_system_product (str): operating system product for
example "Windows XP" as determined by preprocessing.
operating_system_version (str): operating system version for
example "5.1" as determined by preprocessing.
Returns:
list[PresetDefinition]: preset definitions, where an empty list
represents all parsers and parser plugins (no preset).
"""
operating_system = artifacts.OperatingSystemArtifact(
family=operating_system, product=operating_system_product,
version=operating_system_version)
return cls._presets.GetPresetsByOperatingSystem(operating_system)
def _CreateProcessingConfiguration(self, knowledge_base):
"""Creates a processing configuration.
Args:
knowledge_base (KnowledgeBase): contains information from the source
data needed for parsing.
Returns:
ProcessingConfiguration: processing configuration.
Raises:
BadConfigOption: if presets in the parser filter expression could not
be expanded or if an invalid parser or plugin name is specified.
"""
parser_filter_expression = self._parser_filter_expression
if not parser_filter_expression:
operating_system_family = knowledge_base.GetValue('operating_system')
operating_system_product = knowledge_base.GetValue(
'operating_system_product')
operating_system_version = knowledge_base.GetValue(
'operating_system_version')
operating_system_artifact = artifacts.OperatingSystemArtifact(
family=operating_system_family, product=operating_system_product,
version=operating_system_version)
preset_definitions = self._presets_manager.GetPresetsByOperatingSystem(
operating_system_artifact)
if preset_definitions:
preset_names = [
preset_definition.name for preset_definition in preset_definitions]
filter_expression = ','.join(preset_names)
logger.info('Parser filter expression set to: {0:s}'.format(
filter_expression))
parser_filter_expression = filter_expression
parser_filter_helper = parser_filter.ParserFilterExpressionHelper()
try:
parser_filter_expression = parser_filter_helper.ExpandPresets(
self._presets_manager, parser_filter_expression)
except RuntimeError as exception:
raise errors.BadConfigOption((
'Unable to expand presets in parser filter expression with '
'error: {0!s}').format(exception))
_, invalid_parser_elements = (
parsers_manager.ParsersManager.CheckFilterExpression(
parser_filter_expression))
if invalid_parser_elements:
invalid_parser_names_string = ','.join(invalid_parser_elements)
raise errors.BadConfigOption(
'Unknown parser or plugin names in element(s): "{0:s}" of '
'parser filter expression: {1:s}'.format(
invalid_parser_names_string, parser_filter_expression))
# TODO: pass preferred_encoding.
configuration = configurations.ProcessingConfiguration()
configuration.artifact_filters = self._artifact_filters
configuration.credentials = self._credential_configurations
configuration.debug_output = self._debug_mode
configuration.event_extraction.text_prepend = self._text_prepend
configuration.extraction.hasher_file_size_limit = (
self._hasher_file_size_limit)
configuration.extraction.hasher_names_string = self._hasher_names_string
configuration.extraction.process_archives = self._process_archives
configuration.extraction.process_compressed_streams = (
self._process_compressed_streams)
configuration.extraction.yara_rules_string = self._yara_rules_string
configuration.filter_file = self._filter_file
configuration.input_source.mount_path = self._mount_path
configuration.log_filename = self._log_file
configuration.parser_filter_expression = parser_filter_expression
configuration.preferred_year = self._preferred_year
configuration.profiling.directory = self._profiling_directory
configuration.profiling.sample_rate = self._profiling_sample_rate
configuration.profiling.profilers = self._profilers
configuration.task_storage_format = self._task_storage_format
configuration.temporary_directory = self._temporary_directory
return configuration
