예제 #1
0
    def test_logging(self):
        logger = logging.getLogger('aws_ir')

        # ensure custom logger class is in place
        assert logger.__class__ == TimesketchLogger

        # ensure that null log handler is in place by default
        assert len(logger.handlers) == 1
        assert logger.handlers[0].__class__ == aws_ir.NullHandler

        # setup stream handler and ensure the object was created
        aws_ir.set_stream_logger(level=logging.INFO)
        assert len(logger.handlers) == 2
        assert logger.handlers[1].__class__ == logging.StreamHandler

        # setup file handler and ensure the object was created
        aws_ir.set_file_logger(CASE_NUMBER,
                               base_dir=BASE_DIR,
                               level=logging.INFO)
        assert len(logger.handlers) == 3
        assert logger.handlers[2].__class__ == logging.FileHandler

        # test log file is created
        aws_ir.wrap_log_file(CASE_NUMBER, base_dir=BASE_DIR)
        logger.info("test of file log")
        assert os.path.isfile(LOG_FILE) is True
        aws_ir.wrap_log_file(CASE_NUMBER, base_dir=BASE_DIR)

        # check file contents
        with open(LOG_FILE, 'r') as f:
            lines = f.readlines()
            assert "[" in lines[0]
            assert "test of file log" in lines[1]
            assert "]" in lines[-1]
예제 #2
0
파일: cli.py 프로젝트: andrewkrug/aws_ir
    def run(self):
        self.config = self.parse_args(sys.argv[1:])

        case_obj = case.Case(
            self.config.case_number,
            self.config.examiner_cidr_range,
            self.config.bucket_name
        )

        if self.config.verbose:
            log_level = logging.DEBUG;
        else:
            log_level = logging.INFO

        aws_ir.set_stream_logger(level=log_level)
        aws_ir.set_file_logger(case_obj.case_number, level=log_level)
        logger = logging.getLogger(__name__)

        aws_ir.wrap_log_file(case_obj.case_number)
        logger.info("Initialization successful proceeding to incident plan.")
        compromise_object = None
        if self.config.func == 'instance_compromise':
            hc = host.Compromise(
                user = self.config.user,
                ssh_key_file = self.config.ssh_key,
                compromised_host_ip = self.config.instance_ip,
                prog = self.prog,
                case = case_obj
            )
            compromise_object = hc
            try:
                hc.mitigate()
            except KeyboardInterrupt:
                pass
        elif self.config.func == 'key_compromise':
            kc = key.Compromise(
                self.config.examiner_cidr_range,
                self.config.access_key_id,
                case = case_obj
            )

            compromise_object = kc
            try:
                kc.mitigate()
            except KeyboardInterrupt:
                pass
예제 #3
0
파일: case.py 프로젝트: joelferrier/aws_ir
 def teardown(self, region, resource_id):
     """ Any final post mitigation steps universal to all plans. """
     try:
         aws_ir.wrap_log_file(self.case_number)
         self.__rename_log_file(self.case_number, resource_id)
         self.copy_logs_to_s3()
         processing_end_messaging = (
             """Processing complete for {case_number}\n"""
             """Artifacts stored in s3://{case_bucket}""").format(
                 case_number=self.case_number, case_bucket=self.case_bucket)
         print(processing_end_messaging)
         sys.exit(0)
     except Exception as e:
         logger.error(("Error uploading case logs for {case_number} to s3 "
                       "bucket {case_bucket}: {ex}".format(
                           case_number=self.case_number,
                           case_bucket=self.case_bucket,
                           ex=e)))
         sys.exit(1)
예제 #4
0
파일: case.py 프로젝트: andrewkrug/aws_ir
 def teardown(self, region, resource_id):
     """ Any final post mitigation steps universal to all plans. """
     try:
         aws_ir.wrap_log_file(self.case_number)
         self.__rename_log_file(self.case_number, resource_id)
         self.copy_logs_to_s3()
         processing_end_messaging = (
             """Processing complete for {case_number}\n"""
             """Artifacts stored in s3://{case_bucket}"""
         ).format(case_number=self.case_number,
                  case_bucket=self.case_bucket)
         print(processing_end_messaging)
         sys.exit(0)
     except Exception as e:
         logger.error(
             ("Error uploading case logs for {case_number} to s3 "
              "bucket {case_bucket}: {ex}".format(case_number=self.case_number,
                                                  case_bucket=self.case_bucket,
                                                  ex=e)))
         sys.exit(1)
예제 #5
0
    def run(self):
        self.config = self.parse_args(sys.argv[1:])

        case_obj = case.Case(self.config.case_number,
                             self.config.examiner_cidr_range,
                             self.config.bucket_name)

        if self.config.verbose:
            log_level = logging.DEBUG
        else:
            log_level = logging.INFO

        aws_ir.set_stream_logger(level=log_level)
        aws_ir.set_file_logger(case_obj.case_number, level=log_level)
        logger = logging.getLogger(__name__)

        aws_ir.wrap_log_file(case_obj.case_number)
        logger.info("Initialization successful proceeding to incident plan.")
        compromise_object = None
        if self.config.func == 'instance_compromise':
            hc = host.Compromise(user=self.config.user,
                                 ssh_key_file=self.config.ssh_key,
                                 compromised_host_ip=self.config.instance_ip,
                                 prog=self.prog,
                                 case=case_obj)
            compromise_object = hc
            try:
                hc.mitigate()
            except KeyboardInterrupt:
                pass
        elif self.config.func == 'key_compromise':
            kc = key.Compromise(self.config.examiner_cidr_range,
                                self.config.access_key_id,
                                case=case_obj)

            compromise_object = kc
            try:
                kc.mitigate()
            except KeyboardInterrupt:
                pass
예제 #6
0
파일: cli.py 프로젝트: wxdublin/aws_ir
    def run(self):
        self.config = self.parse_args(sys.argv[1:])
        case_obj = case.Case(self.config.case_number,
                             self.config.examiner_cidr_range,
                             self.config.bucket_name, self.config.profile)

        if self.config.verbose:
            log_level = logging.DEBUG
        else:
            log_level = logging.INFO

        aws_ir.set_stream_logger(level=log_level)
        aws_ir.set_file_logger(case_obj.case_number, level=log_level)
        logger = logging.getLogger(__name__)

        aws_ir.wrap_log_file(case_obj.case_number)
        logger.info("Initialization successful proceeding to incident plan.")
        if self.config.func == 'instance_compromise':
            if self.config.target:
                case_obj.prep_aws_connections()
                hc = host.Compromise(user=self.config.user,
                                     ssh_key_file=self.config.ssh_key,
                                     target=self.config.target,
                                     prog=self.prog,
                                     case=case_obj,
                                     steps=self.config.plugins)
                try:
                    hc.mitigate()
                except KeyboardInterrupt:
                    pass
            if self.config.targets:
                logger.info(
                    'Alert : multi-host mode engaged targets in file will attempt processing.'
                )
                batch_file = os.path.abspath(self.config.targets)

                with open(batch_file) as f:
                    targets = f.read().split('\n')

                for target in targets:
                    if target is not '':
                        hc = host.Compromise(user=self.config.user,
                                             ssh_key_file=self.config.ssh_key,
                                             target=target,
                                             prog=self.prog,
                                             case=case_obj,
                                             steps=self.config.plugins)
                        try:
                            logger.info(
                                "Attempting processing instance {i}".format(
                                    i=target))
                            hc.mitigate()
                        except KeyboardInterrupt:
                            pass
        elif self.config.func == 'key_compromise':
            kc = key.Compromise(
                examiner_cidr_range=self.config.examiner_cidr_range,
                compromised_access_key_id=self.config.access_key_id,
                region='us-west-2',
                case=case_obj,
                steps=self.config.plugins)

            try:
                kc.mitigate()
            except KeyboardInterrupt:
                pass