def testFilterRequestedArtifactResults(self, registry):
"""Test that only artifacts requested by the user are sent to the server."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src],
requested_by_user=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 1)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
execute_response = collected_artifacts[0].action_results[0].value
self.assertGreater(execute_response.time_used, 0)
def testMultipleArtifacts(self, registry):
"""Test collecting multiple artifacts."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 2)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
self.assertEqual(collected_artifacts[1].name, "TestCmdArtifact")
execute_response_1 = collected_artifacts[0].action_results[0].value
execute_response_2 = collected_artifacts[1].action_results[0].value
self.assertGreater(execute_response_1.time_used, 0)
self.assertGreater(execute_response_2.time_used, 0)
def testWMIArtifact(self, registry):
"""Test collecting a WMI artifact."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("WMIActiveScriptEventConsumer")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
coll = artifact_collector.ArtifactCollector()
coll.knowledge_base = None
coll.ignore_interpolation_errors = True
expected = rdf_client_action.WMIRequest(
query="SELECT * FROM ActiveScriptEventConsumer",
base_object="winmgmts:\\root\\subscription")
for action, request in coll._ProcessWmiSource(ext_src):
self.assertEqual(request, expected)
self.assertEqual(action, self.windows.WmiQueryFromClient)
self.windows.WmiQueryFromClient.assert_called_with(request)
def GetRequest(self, source, artifact_name):
expanded_source = rdf_artifact.ExpandedSource(base_source=source)
expanded_artifact = rdf_artifact.ExpandedArtifact(
name=artifact_name, sources=[expanded_source])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], apply_parsers=False)
return request
def testRegistryValueArtifact(self):
"""Test the basic Registry Value collection."""
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="FakeRegistryValue", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
file_stat = list(collected_artifact.action_results)[0].value
self.assertTrue(isinstance(file_stat, rdf_client_fs.StatEntry))
urn = file_stat.pathspec.AFF4Path(self.SetupClient(0))
self.assertTrue(str(urn).endswith("BootExecute"))
def testGRRClientActionEnumerateUsers(self):
"""Test the GRR Client Action EnumerateUsers."""
def MockedOpen(requested_path, mode="rb"):
try:
fixture_path = os.path.join(self.base_path, "VFSFixture",
requested_path.lstrip("/"))
return __builtin__.open.old_target(fixture_path, mode)
except IOError:
return __builtin__.open.old_target(requested_path, mode)
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "EnumerateUsers"
with utils.MultiStubber((__builtin__, "open", MockedOpen),
(glob, "glob", lambda x: ["/var/log/wtmp"])):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
self.assertEqual(len(collected_artifact.action_results), 4)
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client.User)
if value.username not in ["user1", "user2", "user3", "utuser"]:
self.fail("Unexpected user found: %s" % result.username)
def InitializeRequest(self, initial_knowledge_base=None, provides=None):
"""Prepare ClientArtifactCollectorArgs."""
expanded_source = rdf_artifact.ExpandedSource()
expanded_artifact = rdf_artifact.ExpandedArtifact(
name="EmptyArtifact", sources=[expanded_source], provides=provides)
return rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[expanded_artifact], knowledge_base=initial_knowledge_base)
def testCmdArtifactAction(self):
"""Test the actual client action with parsers."""
client_test_lib.Command("/bin/echo", args=["1"])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "/bin/echo",
"args": ["1"]
})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(name="TestEchoCmdArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
self.assertTrue(len(result.collected_artifacts), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_client.SoftwarePackage)
self.assertEqual(res.description, "1\n")
def Expand(self, rdf_artifact, requested):
"""Expand artifact by extending its sources.
This method takes as input an rdf artifact object and returns a rdf expanded
artifact. It iterates through the list of sources processing them by type.
Each source of the original artifact can lead to one or more (in case of
artifact groups and files where the sub artifacts are expanded recursively)
sources in the expanded artifact. The list of sources of the expanded
artifact is extended at the end of each iteration.
The parameter `requested` is passed down at the recursive calls. So, if an
artifact group is requested by the user, every artifact/source belonging to
this group will be treated as requested by the user. The same applies to
artifact files.
Args:
rdf_artifact: artifact object to expand (obtained from the registry)
requested: Whether the artifact is requested by the user or scheduled for
collection as a KnowledgeBase dependency.
Yields:
rdf value representation of expanded artifact containing the name of the
artifact and the expanded sources
"""
source_type = rdf_artifacts.ArtifactSource.SourceType
expanded_artifact = rdf_artifacts.ExpandedArtifact(
name=rdf_artifact.name,
provides=rdf_artifact.provides,
requested_by_user=requested)
for source in rdf_artifact.sources:
if MeetsConditions(self._knowledge_base, source):
type_name = source.type
if type_name == source_type.ARTIFACT_GROUP:
for subartifact in self._ExpandArtifactGroupSource(source, requested):
yield subartifact
continue
elif type_name == source_type.ARTIFACT_FILES:
expanded_sources = self._ExpandArtifactFilesSource(source, requested)
else:
expanded_sources = self._ExpandBasicSource(source)
expanded_artifact.sources.Extend(expanded_sources)
self.processed_artifacts.add(rdf_artifact.name)
if expanded_artifact.sources:
yield expanded_artifact
def testGRRClientActionOSXEnumerateRunningServices(self):
"""Test the GRR Client Action OSXEnumerateRunningServices."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "OSXEnumerateRunningServices"
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionGetHostname(self):
"""Test the GRR Client Action GetHostname."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "GetHostname"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertTrue(value.string)
def testGRRClientActionListNetworkConnections(self):
"""Test the GRR Client Action ListNetworkConnections."""
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListNetworkConnections"
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
for action_result in collected_artifact.action_results:
value = action_result.value
self.assertIsInstance(value, rdf_client_network.NetworkConnection)
def Expand(self, rdf_artifact):
"""Expand artifact by extending its sources.
This method takes as input an rdf artifact object and returns a rdf expanded
artifact. It iterates through the list of sources processing them by type.
Each source of the original artifact can lead to one or more (in case of
artifact groups and files where the sub artifacts are expanded recursively)
sources in the expanded artifact. The list of sources of the expanded
artifact is extended at the end of each iteration.
Args:
rdf_artifact: artifact object to expand (obtained from the registry)
Returns:
rdf value representation of expanded artifact containing the name of the
artifact and the expanded sources
"""
source_type = rdf_artifacts.ArtifactSource.SourceType
expanded_artifact = rdf_artifacts.ExpandedArtifact()
expanded_artifact.name = rdf_artifact.name
for source in rdf_artifact.sources:
if MeetsConditions(self._knowledge_base, source):
type_name = source.type
if type_name == source_type.ARTIFACT_GROUP:
expanded_sources = self._ExpandArtifactGroupSource(source)
# if the source artifacts have already been processed continue with
# the next artifact
if not expanded_sources:
continue
elif type_name == source_type.ARTIFACT_FILES:
expanded_sources = self._ExpandArtifactFilesSource(source)
else:
expanded_sources = self._ExpandBasicSource(source)
expanded_artifact.sources.Extend(expanded_sources)
self.processed_artifacts.add(rdf_artifact.name)
return expanded_artifact
def testUnsupportedSourceType(self, registry):
"""Test that an unsupported source type raises an Error."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestAggregationArtifact")
ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
# The type ARTIFACT_GROUP will raise an error because the group should have
# been expanded on the server.
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListProcesses(self):
"""Test the GRR Client Action ListProcesses."""
def ProcessIter():
return iter([client_test_lib.MockWindowsProcess()])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION)
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="TestClientActionArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
source.attributes["client_action"] = "ListProcesses"
with utils.Stubber(psutil, "process_iter", ProcessIter):
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = result.collected_artifacts[0]
value = collected_artifact.action_results[0].value
self.assertIsInstance(value, rdf_client.Process)
self.assertEqual(value.pid, 10)
def testTSKRaiseValueError(self, registry):
"""Test Raise Error if path type is not OS."""
registry.AddFileSource(self.test_artifacts_file)
ext_src = rdf_artifact.ExpandedSource(
path_type=rdf_paths.PathSpec.PathType.TSK)
ext_art = rdf_artifact.ExpandedArtifact(name="TestArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
artifact = registry.GetArtifact("FakeFileArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
artifact = registry.GetArtifact("BadPathspecArtifact")
ext_src.base_source = artifact.sources[0]
with self.assertRaises(ValueError):
self.RunAction(artifact_collector.ArtifactCollector, request)
def testCommandArtifact(self, registry):
"""Test the basic ExecuteCommand action."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExpandedSource(
base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name,
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art],
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
execute_response = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestCmdArtifact")
self.assertTrue(execute_response.time_used > 0)
def testFakeFileArtifactActionProcessTogether(self):
"""Test collecting a file artifact and parsing the responses together."""
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
ext_src = rdf_artifact.ExpandedSource(base_source=source)
ext_art = rdf_artifact.ExpandedArtifact(
name="FakeFileArtifact2", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertEqual(len(result.collected_artifacts[0].action_results), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_protodict.AttributedDict)
self.assertEqual(len(res.users), 1000)
self.assertEqual(res.filename, file_path)