def testGetPresetsByOperatingSystem(self): """Tests the GetPresetsByOperatingSystem function.""" test_manager = presets.ParserPresetsManager() test_path = self._GetTestFilePath(['presets.yaml']) test_manager.ReadFromFile(test_path) operating_system = artifacts.OperatingSystemArtifact(family='MacOS') test_presets = test_manager.GetPresetsByOperatingSystem( operating_system) self.assertEqual(len(test_presets), 1) self.assertEqual(test_presets[0].name, 'macos') expected_parsers = [ 'asl_log', 'bash_history', 'bencode', 'bsm_log', 'cups_ipp', 'czip/oxml', 'filestat', 'fseventsd', 'gdrive_synclog', 'java_idx', 'mac_appfirewall_log', 'mac_keychain', 'mac_securityd', 'macwifi', 'olecf', 'plist', 'sqlite/appusage', 'sqlite/google_drive', 'sqlite/imessage', 'sqlite/ls_quarantine', 'sqlite/mac_document_versions', 'sqlite/mackeeper_cache', 'sqlite/skype', 'syslog', 'utmpx', 'webhist', 'zsh_extended_history' ] self.assertEqual(test_presets[0].parsers, expected_parsers) operating_system = artifacts.OperatingSystemArtifact(family='bogus') test_presets = test_manager.GetPresetsByOperatingSystem( operating_system) self.assertEqual(len(test_presets), 0)
def testVersionTuple(self): """Tests the version_tuplele property.""" attribute_container = artifacts.OperatingSystemArtifact(version="5.1") self.assertEqual(attribute_container.version_tuple, (5, 1)) attribute_container = artifacts.OperatingSystemArtifact() self.assertIsNone(attribute_container.version_tuple) attribute_container = artifacts.OperatingSystemArtifact(version="5.a") self.assertIsNone(attribute_container.version_tuple)
def testGetNameFromProduct(self): """Tests the _GetNameFromProduct function.""" attribute_container = artifacts.OperatingSystemArtifact( product='Windows Server 2012 R2 Standard') name = attribute_container._GetNameFromProduct() self.assertEqual(name, 'Windows 2012 R2') attribute_container = artifacts.OperatingSystemArtifact( product='Microsoft Windows Server 2003') name = attribute_container._GetNameFromProduct() self.assertEqual(name, 'Windows 2003')
def testIsEquivalent(self): """Tests the IsEquivalent function.""" win2k12_container = artifacts.OperatingSystemArtifact( product='Windows 2012') winxp_container = artifacts.OperatingSystemArtifact(product='Windows XP') self.assertFalse(win2k12_container.IsEquivalent(winxp_container)) self.assertFalse(winxp_container.IsEquivalent(win2k12_container)) winnt62_container = artifacts.OperatingSystemArtifact( family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='6.2') winnt51_container = artifacts.OperatingSystemArtifact( family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='5.1') self.assertFalse(winnt62_container.IsEquivalent(winnt51_container)) self.assertFalse(winnt51_container.IsEquivalent(winnt62_container)) win9x_container = artifacts.OperatingSystemArtifact( family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_9x) winnt_container = artifacts.OperatingSystemArtifact( family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT) self.assertFalse(win9x_container.IsEquivalent(winnt_container)) self.assertFalse(winnt_container.IsEquivalent(win9x_container)) winnt51_container = artifacts.OperatingSystemArtifact( family=definitions.OPERATING_SYSTEM_FAMILY_WINDOWS_NT, version='5.1') winxp_container = artifacts.OperatingSystemArtifact(product='Windows XP') self.assertTrue(winnt51_container.IsEquivalent(winxp_container)) self.assertTrue(winxp_container.IsEquivalent(winnt51_container))
def _ReadOperatingSystemArtifactValues(self, operating_system_values): """Reads an operating system artifact from a dictionary. Args: operating_system_values (dict[str, object]): operating system values. Returns: OperatingSystemArtifact: an operating system artifact attribute container. Raises: MalformedPresetError: if the format of the operating system values are not set or incorrect. """ if not operating_system_values: raise errors.MalformedPresetError( 'Missing operating system values.') family = operating_system_values.get('family', None) product = operating_system_values.get('product', None) version = operating_system_values.get('version', None) if not family and not product: raise errors.MalformedPresetError( 'Invalid operating system missing family and product.') return artifacts.OperatingSystemArtifact(family=family, product=product, version=version)
def _GetExpandedParserFilterExpression(self, knowledge_base): """Determines the expanded parser filter expression. Args: knowledge_base (KnowledgeBase): contains information from the source data needed for parsing. Returns: str: expanded parser filter expression. Raises: BadConfigOption: if presets in the parser filter expression could not be expanded or if an invalid parser or plugin name is specified. """ parser_filter_expression = self._parser_filter_expression if not parser_filter_expression: operating_system_family = knowledge_base.GetValue('operating_system') operating_system_product = knowledge_base.GetValue( 'operating_system_product') operating_system_version = knowledge_base.GetValue( 'operating_system_version') operating_system_artifact = artifacts.OperatingSystemArtifact( family=operating_system_family, product=operating_system_product, version=operating_system_version) preset_definitions = self._presets_manager.GetPresetsByOperatingSystem( operating_system_artifact) if preset_definitions: self._parser_filter_expression = ','.join([ preset_definition.name for preset_definition in preset_definitions]) logger.debug('Parser filter expression set to preset: {0:s}'.format( self._parser_filter_expression)) parser_filter_helper = parser_filter.ParserFilterExpressionHelper() try: parser_filter_expression = parser_filter_helper.ExpandPresets( self._presets_manager, self._parser_filter_expression) logger.debug('Parser filter expression set to: {0:s}'.format( parser_filter_expression or 'N/A')) except RuntimeError as exception: raise errors.BadConfigOption(( 'Unable to expand presets in parser filter expression with ' 'error: {0!s}').format(exception)) parser_elements, invalid_parser_elements = ( parsers_manager.ParsersManager.CheckFilterExpression( parser_filter_expression)) if invalid_parser_elements: invalid_parser_names_string = ','.join(invalid_parser_elements) raise errors.BadConfigOption( 'Unknown parser or plugin names in element(s): "{0:s}" of ' 'parser filter expression: {1:s}'.format( invalid_parser_names_string, parser_filter_expression)) return ','.join(sorted(parser_elements))
def testGetAttributeNames(self): """Tests the GetAttributeNames function.""" attribute_container = artifacts.OperatingSystemArtifact() expected_attribute_names = ['family', 'name', 'product', 'version'] attribute_names = sorted(attribute_container.GetAttributeNames()) self.assertEqual(attribute_names, expected_attribute_names)
def testGetPresetsByOperatingSystem(self): """Tests the GetPresetsByOperatingSystem function.""" test_file_path = self._GetTestFilePath(['presets.yaml']) self._SkipIfPathNotExists(test_file_path) test_manager = presets.ParserPresetsManager() test_manager.ReadFromFile(test_file_path) operating_system = artifacts.OperatingSystemArtifact(family='MacOS') test_presets = test_manager.GetPresetsByOperatingSystem(operating_system) self.assertEqual(len(test_presets), 1) self.assertEqual(test_presets[0].name, 'macos') self.assertEqual(test_presets[0].parsers, self._MACOS_PARSERS) operating_system = artifacts.OperatingSystemArtifact(family='bogus') test_presets = test_manager.GetPresetsByOperatingSystem(operating_system) self.assertEqual(len(test_presets), 0)
def GetPresetsForOperatingSystem( cls, operating_system, operating_system_product, operating_system_version): """Determines the presets for a specific operating system. Args: operating_system (str): operating system for example "Windows". This should be one of the values in definitions.OPERATING_SYSTEM_FAMILIES. operating_system_product (str): operating system product for example "Windows XP" as determined by preprocessing. operating_system_version (str): operating system version for example "5.1" as determined by preprocessing. Returns: list[PresetDefinition]: preset definitions, where an empty list represents all parsers and parser plugins (no preset). """ operating_system = artifacts.OperatingSystemArtifact( family=operating_system, product=operating_system_product, version=operating_system_version) return cls._presets.GetPresetsByOperatingSystem(operating_system)
def _CreateProcessingConfiguration(self, knowledge_base): """Creates a processing configuration. Args: knowledge_base (KnowledgeBase): contains information from the source data needed for parsing. Returns: ProcessingConfiguration: processing configuration. Raises: BadConfigOption: if presets in the parser filter expression could not be expanded or if an invalid parser or plugin name is specified. """ parser_filter_expression = self._parser_filter_expression if not parser_filter_expression: operating_system_family = knowledge_base.GetValue('operating_system') operating_system_product = knowledge_base.GetValue( 'operating_system_product') operating_system_version = knowledge_base.GetValue( 'operating_system_version') operating_system_artifact = artifacts.OperatingSystemArtifact( family=operating_system_family, product=operating_system_product, version=operating_system_version) preset_definitions = self._presets_manager.GetPresetsByOperatingSystem( operating_system_artifact) if preset_definitions: preset_names = [ preset_definition.name for preset_definition in preset_definitions] filter_expression = ','.join(preset_names) logger.info('Parser filter expression set to: {0:s}'.format( filter_expression)) parser_filter_expression = filter_expression parser_filter_helper = parser_filter.ParserFilterExpressionHelper() try: parser_filter_expression = parser_filter_helper.ExpandPresets( self._presets_manager, parser_filter_expression) except RuntimeError as exception: raise errors.BadConfigOption(( 'Unable to expand presets in parser filter expression with ' 'error: {0!s}').format(exception)) _, invalid_parser_elements = ( parsers_manager.ParsersManager.CheckFilterExpression( parser_filter_expression)) if invalid_parser_elements: invalid_parser_names_string = ','.join(invalid_parser_elements) raise errors.BadConfigOption( 'Unknown parser or plugin names in element(s): "{0:s}" of ' 'parser filter expression: {1:s}'.format( invalid_parser_names_string, parser_filter_expression)) # TODO: pass preferred_encoding. configuration = configurations.ProcessingConfiguration() configuration.artifact_filters = self._artifact_filters configuration.credentials = self._credential_configurations configuration.debug_output = self._debug_mode configuration.event_extraction.text_prepend = self._text_prepend configuration.extraction.hasher_file_size_limit = ( self._hasher_file_size_limit) configuration.extraction.hasher_names_string = self._hasher_names_string configuration.extraction.process_archives = self._process_archives configuration.extraction.process_compressed_streams = ( self._process_compressed_streams) configuration.extraction.yara_rules_string = self._yara_rules_string configuration.filter_file = self._filter_file configuration.input_source.mount_path = self._mount_path configuration.log_filename = self._log_file configuration.parser_filter_expression = parser_filter_expression configuration.preferred_year = self._preferred_year configuration.profiling.directory = self._profiling_directory configuration.profiling.sample_rate = self._profiling_sample_rate configuration.profiling.profilers = self._profilers configuration.task_storage_format = self._task_storage_format configuration.temporary_directory = self._temporary_directory return configuration