def testKnowledgeBaseRetrievalLinuxPasswd(self):
"""Check we can retrieve a Linux kb."""
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "LinuxPasswdHomedirs", "LinuxReleaseInfo"],
"Artifacts.knowledge_base_additions": [],
"Artifacts.knowledge_base_skip": []
}):
with test_lib.SuppressLogs():
kb = self._RunKBI()
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp.
self.assertCountEqual([x.username for x in kb.users],
["user1", "user2", "user3"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552099)
self.assertEqual(user.homedir, "/home/user1")
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552102)
self.assertEqual(user.homedir, "/home/user2")
self.assertFalse(kb.GetUser(username="******"))
def testKnowledgeBaseRetrievalLinux(self):
"""Check we can retrieve a Linux kb."""
self.ClearKB()
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration",
"LinuxPasswdHomedirs", "LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": ["^login$"],
"Artifacts.netgroup_user_blacklist": ["isaac"]
}):
with vfs_test_lib.FakeTestDataVFSOverrider():
for _ in flow_test_lib.TestFlowHelper(
artifact.KnowledgeBaseInitializationFlow.__name__,
self.client_mock,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp. yagharek from netgroup.
self.assertItemsEqual([x.username for x in kb.users],
["user1", "user2", "user3", "yagharek"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(),
1296552099)
self.assertEqual(user.homedir, "/home/user1")
def testKnowledgeBaseRetrievalLinuxNoUsers(self):
"""Cause a users.username dependency failure."""
self.ClearKB()
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs",
"LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": ["^doesntexist$"]
}):
with vfs_test_lib.FakeTestDataVFSOverrider():
for _ in flow_test_lib.TestFlowHelper(
artifact.KnowledgeBaseInitializationFlow.__name__,
self.client_mock,
require_complete=False,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
self.assertItemsEqual([x.username for x in kb.users], [])
def testFilesArtifact(self):
"""Check GetFiles artifacts."""
with vfs_test_lib.FakeTestDataVFSOverrider():
self.RunCollectorAndGetCollection(
["TestFilesArtifact"], client_mock=self.client_mock)
urn = self.client_id.Add("fs/os/").Add("var/log/auth.log")
aff4.FACTORY.Open(urn, aff4_type=aff4_grr.VFSBlobImage, token=self.token)
def testKnowledgeBaseRetrievalLinuxPasswd(self):
"""Check we can retrieve a Linux kb."""
self.ClearKB()
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "LinuxPasswdHomedirs", "LinuxRelease"
],
"Artifacts.knowledge_base_additions": [],
"Artifacts.knowledge_base_skip": []
}):
for _ in flow_test_lib.TestFlowHelper(
artifact.KnowledgeBaseInitializationFlow.__name__,
self.client_mock,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp.
self.assertItemsEqual([x.username for x in kb.users],
["user1", "user2", "user3"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099)
self.assertEqual(user.homedir, "/home/user1")
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552102)
self.assertEqual(user.homedir, "/home/user2")
self.assertFalse(kb.GetUser(username="******"))
def RunFlow(self, client_id):
with vfs_test_lib.FakeTestDataVFSOverrider():
session_id = flow_test_lib.TestFlowHelper(
flow_checks.CheckRunner.__name__,
client_mock=self.client_mock,
client_id=client_id,
token=self.token)
results = flow_test_lib.GetFlowResults(client_id, session_id)
return session_id, {r.check_id: r for r in results}
def testFilesArtifact(self):
"""Check GetFiles artifacts."""
client_id = test_lib.TEST_CLIENT_ID
with vfs_test_lib.FakeTestDataVFSOverrider():
self.RunCollectorAndGetResults(["TestFilesArtifact"],
client_mock=self.client_mock,
client_id=client_id)
cp = db.ClientPath.OS(client_id, ("var", "log", "auth.log"))
fd = file_store.OpenFile(cp)
self.assertNotEmpty(fd.read())
def RunFlow(self):
with test_lib.Instrument(flow.GRRFlow, "SendReply") as send_reply:
with vfs_test_lib.FakeTestDataVFSOverrider():
session_id = flow_test_lib.TestFlowHelper(
flow_checks.CheckRunner.__name__,
client_mock=self.client_mock,
client_id=self.client_id,
token=self.token)
session = aff4.FACTORY.Open(session_id, token=self.token)
results = {
r.check_id: r
for _, r in send_reply.args if isinstance(r, checks.CheckResult)
}
return session, results
def testFilesArtifact(self):
"""Check GetFiles artifacts."""
client_id = test_lib.TEST_CLIENT_ID
with vfs_test_lib.FakeTestDataVFSOverrider():
self.RunCollectorAndGetCollection(["TestFilesArtifact"],
client_mock=self.client_mock,
client_id=client_id)
if data_store.RelationalDBEnabled():
cp = db.ClientPath.OS(client_id.Basename(), ("var", "log", "auth.log"))
fd = file_store.OpenFile(cp)
self.assertNotEmpty(fd.read())
else:
urn = client_id.Add("fs/os/").Add("var/log/auth.log")
aff4.FACTORY.Open(
urn, aff4_type=aff4_grr.VFSBlobImage, token=self.token)
def testKnowledgeBaseRetrievalLinuxNoUsers(self):
"""Cause a users.username dependency failure."""
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs",
"LinuxReleaseInfo"
],
"Artifacts.netgroup_filter_regexes": ["^doesntexist$"]
}):
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.SuppressLogs():
kb = self._RunKBI(require_complete=False)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
self.assertCountEqual([x.username for x in kb.users], [])
def testLinuxPasswdHomedirsArtifact(self):
"""Check LinuxPasswdHomedirs artifacts."""
with vfs_test_lib.FakeTestDataVFSOverrider():
fd = self.RunCollectorAndGetCollection(
["LinuxPasswdHomedirs"], client_mock=self.client_mock)
self.assertEqual(len(fd), 3)
self.assertItemsEqual([x.username for x in fd],
[u"exomemory", u"gevulot", u"gogol"])
for user in fd:
if user.username == u"exomemory":
self.assertEqual(user.full_name, u"Never Forget (admin)")
self.assertEqual(user.gid, 47)
self.assertEqual(user.homedir, u"/var/lib/exomemory")
self.assertEqual(user.shell, u"/bin/sh")
self.assertEqual(user.uid, 46)
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
self.client_id = self.SetupClient(0,
system="Linux",
os_version="12.04")
data_store.REL_DB.WriteClientMetadata(self.client_id.Basename(),
fleetspeak_enabled=False)
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckBasicInfo("test_node.test", "Linux", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease("Ubuntu", "14.4")
# users 1,2,3 from wtmp
# users yagharek, isaac from netgroup
self._CheckUsers(
["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabels()
self._CheckLabelIndex()
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries()
self._CheckMemory()
def testLinuxPasswdHomedirsArtifact(self):
"""Check LinuxPasswdHomedirs artifacts."""
with vfs_test_lib.FakeTestDataVFSOverrider():
fd = self.RunCollectorAndGetResults(["LinuxPasswdHomedirs"],
client_mock=self.client_mock,
client_id=test_lib.TEST_CLIENT_ID)
self.assertLen(fd, 5)
self.assertCountEqual(
[x.username for x in fd],
[u"exomemory", u"gevulot", u"gogol", u"user1", u"user2"])
for user in fd:
if user.username == u"exomemory":
self.assertEqual(user.full_name, u"Never Forget (admin)")
self.assertEqual(user.gid, 47)
self.assertEqual(user.homedir, u"/var/lib/exomemory")
self.assertEqual(user.shell, u"/bin/sh")
self.assertEqual(user.uid, 46)
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self):
with vfs_test_lib.FakeTestDataVFSOverrider():
with vfs_test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.MEMORY,
vfs_test_lib.FakeTestDataVFSHandler):
paths = ["/var/log/auth.log", "/etc/ssh/sshd_config"]
cmlc = rdf_file_finder.FileFinderContentsLiteralMatchCondition
literal_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=cmlc(
mode="ALL_HITS",
bytes_before=10,
bytes_after=10,
literal="session opened for user dearjohn"))
# Check this condition with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in self.CONDITION_TESTS_ACTIONS:
for s in flow_test_lib.TestFlowHelper(
file_finder.FileFinder.__name__,
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdf_paths.PathSpec.PathType.MEMORY,
conditions=[literal_condition],
action=rdf_file_finder.FileFinderAction(
action_type=action),
token=self.token):
session_id = s
self.CheckFilesInCollection(["auth.log"],
session_id=session_id)
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
client_id = self._SetupMinimalClient()
with vfs_test_lib.FakeTestDataVFSOverrider():
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration", "LinuxReleaseInfo"
],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(version="14.4", release="Ubuntu")
with test_lib.SuppressLogs():
flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=client_id)
client = self._OpenClient(client_id)
self._CheckBasicInfo(client, "test_node.test", "Linux", 100 * 1000000)
self._CheckClientInfo(client)
self._CheckGRRConfig(client)
self._CheckNotificationsCreated(self.token.username, client_id)
self._CheckClientSummary(
client_id,
client.GetSummary(),
"Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease(client, "Ubuntu", "14.4")
# users 1,2,3 from wtmp, users yagharek, isaac from netgroup
self._CheckUsers(client, ["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo(client)
# No VFS test when running on the relational db.
self._CheckLabels(client_id)
self._CheckLabelIndex(client_id)
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries(client)
self._CheckMemory(client)
def testKnowledgeBaseRetrievalLinux(self):
"""Check we can retrieve a Linux kb."""
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration",
"LinuxPasswdHomedirs", "LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": ["^login$"],
"Artifacts.netgroup_user_blacklist": ["isaac"]
}):
with vfs_test_lib.FakeTestDataVFSOverrider():
kb = self._RunKBI()
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp. yagharek from netgroup.
self.assertItemsEqual([x.username for x in kb.users],
["user1", "user2", "user3", "yagharek"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsSinceEpoch(), 1296552099)
self.assertEqual(user.homedir, "/home/user1")
