def test_osquery_conf(self):
    """Check the osquery conf built for a default machine and a business-unit machine.

    A machine with no business unit, tag, platform or type only gets the
    inventory query, query 1 and query 2; a machine in business unit 1 also
    gets the business-unit query.  Queries targeted at a business unit must
    therefore be absent from the default machine's schedule, file_paths and
    file_accesses.  Both confs are built with ``enrollment=None``.
    """
    # (schedule key, file path hash, file path) for every query the default machine gets
    default_entries = [
        (self.query_1_key, self.query_1_filepath_hash, self.query_1_filepath),
        (self.query_2_key, self.query_2_filepath_hash, self.query_2_filepath),
    ]
    mbu_entry = (self.query_mbu_key, self.query_mbu_filepath_hash, self.query_mbu_filepath)

    def check_conf(machine, entries):
        conf = build_osquery_conf(machine, enrollment=None)
        # no packs
        self.assertCountEqual(
            ["decorators", "schedule", "file_accesses", "file_paths"], conf.keys())
        self.assertCountEqual(
            [INVENTORY_QUERY_NAME] + [key for key, _, _ in entries],
            conf["schedule"].keys())
        file_paths = conf["file_paths"]
        self.assertCountEqual(file_paths.keys(), [fp_hash for _, fp_hash, _ in entries])
        for _, fp_hash, fp in entries:
            self.assertEqual(file_paths.get(fp_hash), [fp])
        # file_accesses only lists the file path hash of query 2
        self.assertEqual([self.query_2_filepath_hash], conf["file_accesses"])

    # default machine has a subset of the queries
    check_conf(MockMetaMachine([], [], None, None), default_entries)
    # mbu has all the queries
    check_conf(MockMetaMachine([1], [], None, "SERVER"), default_entries + [mbu_entry])
def test_osquery_conf(self):
    """Check the osquery conf built for a default machine and a business-unit machine.

    A machine with no business unit, tag, platform or type only gets the
    inventory query, query 1 and query 2; a machine in business unit 1 also
    gets the business-unit query.  Queries targeted at a business unit must
    therefore be absent from the default machine's schedule, file_paths and
    file_accesses.
    """
    # (schedule key, file path hash, file path) for every query the default machine gets
    default_entries = [
        (self.query_1_key, self.query_1_filepath_hash, self.query_1_filepath),
        (self.query_2_key, self.query_2_filepath_hash, self.query_2_filepath),
    ]
    mbu_entry = (self.query_mbu_key, self.query_mbu_filepath_hash, self.query_mbu_filepath)

    def check_conf(machine, entries):
        conf = build_osquery_conf(machine)
        # no packs
        self.assertCountEqual(["schedule", "file_accesses", "file_paths"], conf.keys())
        self.assertCountEqual(
            [INVENTORY_QUERY_NAME] + [key for key, _, _ in entries],
            conf["schedule"].keys())
        file_paths = conf["file_paths"]
        self.assertCountEqual(file_paths.keys(), [fp_hash for _, fp_hash, _ in entries])
        for _, fp_hash, fp in entries:
            self.assertEqual(file_paths.get(fp_hash), [fp])
        # file_accesses only lists the file path hash of query 2
        self.assertEqual([self.query_2_filepath_hash], conf["file_accesses"])

    # default machine has a subset of the queries
    check_conf(MockMetaMachine([], [], None, None), default_entries)
    # mbu has all the queries
    check_conf(MockMetaMachine([1], [], None, "SERVER"), default_entries + [mbu_entry])
def test_osquery_conf(self):
    """Check the osquery conf schedule for a default machine and a tagged machine.

    A machine with no business unit, tag, platform or type gets the inventory
    query plus the pfu, pfg and fc queries; a machine carrying tag 1 also gets
    the tag query, which must not reach the untagged machine.  Neither conf
    carries file_paths, file_accesses or packs.
    """
    base_keys = [INVENTORY_QUERY_NAME, self.query_pfu_key, self.query_pfg_key, self.query_fc_key]

    def check_schedule(machine, expected_keys):
        conf = build_osquery_conf(machine)
        # no file_paths, file_accesses or packs
        self.assertCountEqual(["schedule"], conf.keys())
        self.assertCountEqual(expected_keys, conf["schedule"].keys())

    # default machine has a subset of the queries
    check_schedule(MockMetaMachine([], [], None, None), base_keys)
    # tag has all the queries
    check_schedule(MockMetaMachine([], [1], None, "SERVER"), base_keys + [self.query_tag_key])
def test_osquery_conf(self):
    """Check the osquery conf schedule and packs for a default and a Windows machine.

    Both machines get a schedule holding the inventory query and query 1, and
    a single pack holding query 2; only the Windows machine (business unit 1,
    tag 1, platform "WINDOWS") additionally gets the windows query in that
    pack, so the default machine's pack must not contain it.
    """
    def check_conf(machine, expected_pack_queries):
        conf = build_osquery_conf(machine)
        # schedule with query 1
        schedule = conf["schedule"]
        self.assertIsInstance(schedule, dict)
        self.assertCountEqual(
            [DEFAULT_ZENTRAL_INVENTORY_QUERY_NAME, self.query_1_key], schedule.keys())
        # exactly one pack, with the expected discovery queries and pack queries
        packs = conf["packs"]
        self.assertIsInstance(packs, dict)
        self.assertCountEqual([self.query_pack_key], packs.keys())
        pack = packs[self.query_pack_key]
        self.assertIsInstance(pack, dict)
        self.assertCountEqual(["discovery", "queries"], pack.keys())
        self.assertCountEqual(pack["discovery"], self.query_pack_discovery)
        self.assertCountEqual(expected_pack_queries, pack["queries"].keys())

    # default machine has a subset of the queries: 1 pack with query 2
    check_conf(MockMetaMachine([], [], None, None), [self.query_2_key])
    # windows has all the queries: 1 pack with query 2 and query windows
    check_conf(MockMetaMachine([1], [1], "WINDOWS", None),
               [self.query_2_key, self.query_windows_key])
def test_osquery_conf(self):
    """Check the osquery conf schedule and packs for a default and a Windows machine.

    Both machines get a schedule holding the inventory query and query 1, and
    a single pack holding query 2; only the Windows machine (business unit 1,
    tag 1, platform "WINDOWS") additionally gets the windows query in that
    pack, so the default machine's pack must not contain it.
    """
    def check_conf(machine, expected_pack_queries):
        conf = build_osquery_conf(machine)
        # schedule with query 1
        schedule = conf["schedule"]
        self.assertIsInstance(schedule, dict)
        self.assertCountEqual([INVENTORY_QUERY_NAME, self.query_1_key], schedule.keys())
        # exactly one pack, with the expected discovery queries and pack queries
        packs = conf["packs"]
        self.assertIsInstance(packs, dict)
        self.assertCountEqual([self.query_pack_key], packs.keys())
        pack = packs[self.query_pack_key]
        self.assertIsInstance(pack, dict)
        self.assertCountEqual(["discovery", "queries"], pack.keys())
        self.assertCountEqual(pack["discovery"], self.query_pack_discovery)
        self.assertCountEqual(expected_pack_queries, pack["queries"].keys())

    # default machine has a subset of the queries: 1 pack with query 2
    check_conf(MockMetaMachine([], [], None, None), [self.query_2_key])
    # windows has all the queries: 1 pack with query 2 and query windows
    check_conf(MockMetaMachine([1], [1], "WINDOWS", None),
               [self.query_2_key, self.query_windows_key])
def test_osquery_conf(self):
    """Check the osquery conf schedule for a default machine and a tagged machine.

    A machine with no business unit, tag, platform or type gets the inventory
    query plus the pfu, pfg and fc queries; a machine carrying tag 1 also gets
    the tag query, which must not reach the untagged machine.  Both confs
    carry only the decorators and schedule sections.
    """
    base_keys = [INVENTORY_QUERY_NAME, self.query_pfu_key, self.query_pfg_key, self.query_fc_key]

    def check_schedule(machine, expected_keys):
        conf = build_osquery_conf(machine)
        # no file_paths, file_accesses or packs
        self.assertCountEqual(["decorators", "schedule"], conf.keys())
        self.assertCountEqual(expected_keys, conf["schedule"].keys())

    # default machine has a subset of the queries
    check_schedule(MockMetaMachine([], [], None, None), base_keys)
    # tag has all the queries
    check_schedule(MockMetaMachine([], [1], None, "SERVER"), base_keys + [self.query_tag_key])
def do_node_post(self, data):
    """Return the osquery configuration for the machine behind this request.

    The machine is resolved from ``self.machine_serial_number`` alone;
    ``data`` (presumably the posted body) is accepted for the handler
    interface but not read here.
    """
    # TODO: The machine serial number is included in the string used to authenticate the requests
    # This is done in the osx pkg builder. The machine serial number should always be present here.
    # Maybe we could code a fallback to the available mbu probes if the serial number is not present.
    machine = MetaMachine(self.machine_serial_number)
    return build_osquery_conf(machine)
def do_node_post(self, data):
    """Return the osquery configuration for the machine behind this request.

    The machine is resolved from ``self.machine_serial_number`` and the conf
    is built for ``self.enrollment``; ``data`` (presumably the posted body) is
    accepted for the handler interface but not read here.
    """
    machine = MetaMachine(self.machine_serial_number)
    enrollment = self.enrollment
    return build_osquery_conf(machine, enrollment)
def do_node_post(self):
    """Return the osquery configuration for ``self.machine`` under ``self.enrollment``."""
    machine = self.machine
    enrollment = self.enrollment
    return build_osquery_conf(machine, enrollment)