def Issue(self, state, results):
"""Collect anomalous findings into a CheckResult.
Comparisons with anomalous conditions collect anomalies into a single
CheckResult message. The contents of the result varies depending on whether
the method making the comparison is a Check, Method or Probe.
- Probes evaluate raw host data and generate Anomalies. These are condensed
into a new CheckResult.
- Checks and Methods evaluate the results of probes (i.e. CheckResults). If
there are multiple probe results, all probe anomalies are aggregated into
a single new CheckResult for the Check or Method.
Args:
state: A text description of what combination of results were anomalous
(e.g. some condition was missing or present.)
results: Anomalies or CheckResult messages.
Returns:
A CheckResult message.
"""
result = rdfvalue.CheckResult()
anomaly = rdfvalue.Anomaly(type="ANALYSIS_ANOMALY",
explanation=self.hint.Explanation(state))
# If there are CheckResults we're aggregating methods or probes.
# Merge all current results into one CheckResult.
# Otherwise, the results are raw host data.
# Generate a new CheckResult and add the specific findings.
if results and all(
isinstance(r, rdfvalue.CheckResult) for r in results):
result.ExtendAnomalies(results)
else:
anomaly.finding = self.hint.Render(results)
result.anomaly = anomaly
return result
def setUp(self):
super(ProcessHostDataTests, self).setUp()
registered = checks.CheckRegistry.checks.keys()
if "SW-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sw.yaml")])
if "SSHD-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sshd.yaml")])
self.netcat = rdfvalue.CheckResult(
check_id="SW-CHECK",
anomaly=[
anomaly_rdf.Anomaly(
finding=["netcat-traditional 1.10-40 is installed"],
explanation="Found: l337 software installed",
type="ANALYSIS_ANOMALY")
])
self.sshd = rdfvalue.CheckResult(
check_id="SSHD-CHECK",
anomaly=[
anomaly_rdf.Anomaly(
finding=["Configured protocols: 2,1"],
explanation="Found: Sshd allows protocol 1.",
type="ANALYSIS_ANOMALY")
])
self.windows = rdfvalue.CheckResult(
check_id="SW-CHECK",
anomaly=[
anomaly_rdf.Anomaly(
finding=["Java 6.0.240 is installed"],
explanation="Found: Old Java installation.",
type="ANALYSIS_ANOMALY"),
anomaly_rdf.Anomaly(finding=["Adware 2.1.1 is installed"],
explanation="Found: Malicious software.",
type="ANALYSIS_ANOMALY")
])
self.host_data = {
"WMIInstalledSoftware": WMI_SW,
"DebianPackagesStatus": DPKG_SW,
"SshdConfigFile": SSHD_CFG
}
def Detect(self, baseline, host_data):
"""Run host_data through detectors and return them if a detector triggers.
Args:
baseline: The base set of rdf values used to evaluate whether an issue
exists.
host_data: The rdf values passed back by the filters.
Returns:
A CheckResult message containing anomalies if any detectors identified an
issue, None otherwise.
"""
result = rdfvalue.CheckResult()
for detector in self.detectors:
for finding in detector(baseline, host_data):
if finding:
result.ExtendAnomalies(finding)
if result:
return result
def testNfsExportsCheck(self):
"""Ensure NFS export checks work as expected."""
self.LoadCheck("nfs.yaml")
# Create some host_data..
host_data = {}
self.SetKnowledgeBase("test.example.com", "Linux", host_data)
parser = config_file.NfsExportsParser()
with open(self.TestDataPath("exports")) as export_fd:
host_data["NfsExportsFile"] = list(parser.Parse(None, export_fd, None))
results = self.RunChecks(host_data)
anom = rdfvalue.Anomaly(
explanation="Found: Default r/w NFS exports are too permissive.",
finding=["/path/to/foo: defaults:rw,sync hosts:host1,host2 options:ro",
("/path/to/bar: defaults:rw "
"hosts:*.example.org,192.168.1.0/24 "
"options:all_squash,ro")],
type="ANALYSIS_ANOMALY")
expected = rdfvalue.CheckResult(check_id="CCE-4350-5", anomaly=anom)
self.assertResultEqual(expected, results["CCE-4350-5"])
