def testStartVm(self):
"""End to end test on Azure.
Test creating an analysis VM and attaching a copied disk to it.
"""
disk_copy = forensics.CreateDiskCopy(
self.resource_group_name,
disk_name=self.disk_to_copy)
self._StoreDiskForCleanup(disk_copy)
# Create and start the analysis VM and attach the disk
self.analysis_vm, _ = forensics.StartAnalysisVm(
self.resource_group_name,
self.analysis_vm_name,
50,
self.ssh_public_key,
attach_disks=[disk_copy.name]
)
# The forensic instance should be live in the analysis Azure account and
# the disk should be attached
instance = self.az.compute.compute_client.virtual_machines.get(
self.resource_group_name, self.analysis_vm.name)
self.assertEqual(instance.name, self.analysis_vm.name)
self.assertIn(disk_copy.name, self.analysis_vm.ListDisks())
self._StoreDiskForCleanup(self.analysis_vm.GetBootDisk())
def setUpClass(cls):
try:
project_info = utils.ReadProjectInfo(
['resource_group_name', 'instance_name', 'ssh_public_key'])
except (OSError, RuntimeError, ValueError) as exception:
raise unittest.SkipTest(str(exception))
cls.resource_group_name = project_info['resource_group_name']
cls.instance_to_analyse = project_info['instance_name']
cls.ssh_public_key = project_info['ssh_public_key']
cls.disk_to_copy = project_info.get('disk_name')
cls.dst_region = project_info.get('dst_region')
cls.az = account.AZAccount(cls.resource_group_name)
cls.analysis_vm_name = 'new-vm-for-analysis'
cls.analysis_vm, _ = forensics.StartAnalysisVm(cls.resource_group_name,
cls.analysis_vm_name,
50, cls.ssh_public_key)
cls.disks = [] # List of AZDisks for test cleanup
def StartAnalysisVm(args: 'argparse.Namespace') -> None:
"""Start forensic analysis VM.
Args:
args (argparse.Namespace): Arguments from ArgumentParser.
"""
attach_disks = []
if args.attach_disks:
attach_disks = args.attach_disks.split(',')
# Check if attach_disks parameter exists and if there
# are any empty entries.
if not (attach_disks and all(elements for elements in attach_disks)):
logger.error('error: parameter --attach_disks: {0:s}'.format(
args.attach_disks))
return
ssh_public_key = args.ssh_public_key
if not ssh_public_key:
# According to https://docs.microsoft.com/cs-cz/samples/azure-samples/
# resource-manager-python-template-deployment/resource-manager-python-
# template-deployment/ there's no API to generate a new SSH key pair in
# Azure, so we do this manually...
ssh_public_key = _GenerateSSHKeyPair(args.instance_name)
logger.info('Starting analysis VM...')
vm = forensics.StartAnalysisVm(args.default_resource_group_name,
args.instance_name,
int(args.disk_size),
ssh_public_key,
cpu_cores=int(args.cpu_cores),
memory_in_mb=int(args.memory_in_mb),
region=args.region,
attach_disks=attach_disks,
dst_profile=args.dst_profile)
logger.info('Analysis VM started.')
logger.info('Name: {0:s}, Started: {1:s}'.format(vm[0].name, str(vm[1])))
def SetUp(self,
remote_profile_name,
analysis_resource_group_name,
incident_id,
ssh_public_key,
remote_instance_name=None,
disk_names=None,
all_disks=False,
analysis_profile_name=None,
analysis_region=None,
boot_disk_size=50,
cpu_cores=4,
memory_in_mb=8192):
"""Sets up a Microsoft Azure collector.
This method creates and starts an analysis VM in the analysis account and
selects disks to copy from the remote account.
If disk_names is specified, it will copy the corresponding disks from the
account, ignoring disks belonging to any specific instances.
If remote_instance_name is specified, two behaviors are possible:
* If no other parameters are specified, it will select the instance's boot
disk
* if all_disks is set to True, it will select all disks in the account
that are attached to the instance
disk_names takes precedence over instance_names
Args:
remote_profile_name (str): The Azure account in which the disk(s)
exist(s). This is the profile name that is defined in your credentials
file.
analysis_resource_group_name (str): The Azure resource group name in
which to create the VM.
incident_id (str): Incident identifier used to name the analysis VM.
ssh_public_key (str): The public SSH key to attach to the instance.
remote_instance_name (str): Instance ID that needs forensicating.
disk_names (str): Comma-separated list of disk names to copy.
all_disks (bool): True if all disk attached to the source
instance should be copied.
analysis_profile_name (str): The Azure account in which to create the
analysis VM. This is the profile name that is defined in your
credentials file.
analysis_region (str): The Azure region in which to create the VM.
boot_disk_size (int): Optional. The size (in GB) of the boot disk
for the analysis VM. Default is 50 GB.
cpu_cores (int): Optional. The number of CPU cores to use for the
analysis VM. Default is 4.
memory_in_mb (int): Optional. The amount of memory in mb to use for the
analysis VM. Default is 8Gb.
"""
if not (remote_instance_name or disk_names):
self.ModuleError(
'You need to specify at least an instance name or disks to copy',
critical=True)
return
if not ssh_public_key:
self.ModuleError(
'You need to specify a SSH public key to add to the '
'VM.',
critical=True)
return
if not (remote_profile_name and analysis_resource_group_name):
self.ModuleError(
'You must specify "remote_profile_name" and '
'"analysis_resource_group_name" parameters',
critical=True)
return
self.remote_profile_name = remote_profile_name
self.analysis_resource_group_name = analysis_resource_group_name
self.analysis_profile_name = analysis_profile_name
self.source_account = account.AZAccount(
self.analysis_resource_group_name,
profile_name=self.remote_profile_name)
self.incident_id = incident_id
self.remote_instance_name = remote_instance_name
self.disk_names = disk_names.split(',') if disk_names else []
self.all_disks = all_disks
self.analysis_region = analysis_region
self.analysis_profile_name = analysis_profile_name or remote_profile_name
analysis_vm_name = 'azure-forensics-vm-{0:s}'.format(self.incident_id)
print('Your analysis VM will be: {0:s}'.format(analysis_vm_name))
self.state.StoreContainer(
containers.TicketAttribute(
name=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_NAME,
type_=self._ANALYSIS_VM_CONTAINER_ATTRIBUTE_TYPE,
value=analysis_vm_name))
self.analysis_vm, _ = az_forensics.StartAnalysisVm(
self.analysis_resource_group_name,
analysis_vm_name,
boot_disk_size,
ssh_public_key=ssh_public_key,
cpu_cores=cpu_cores,
memory_in_mb=memory_in_mb,
region=self.analysis_region,
dst_profile=self.analysis_profile_name,
)