def test_logging(self):
logger = logging.getLogger('aws_ir')
# ensure custom logger class is in place
assert logger.__class__ == TimesketchLogger
# ensure that null log handler is in place by default
assert len(logger.handlers) == 1
assert logger.handlers[0].__class__ == aws_ir.NullHandler
# setup stream handler and ensure the object was created
aws_ir.set_stream_logger(level=logging.INFO)
assert len(logger.handlers) == 2
assert logger.handlers[1].__class__ == logging.StreamHandler
# setup file handler and ensure the object was created
aws_ir.set_file_logger(CASE_NUMBER,
base_dir=BASE_DIR,
level=logging.INFO)
assert len(logger.handlers) == 3
assert logger.handlers[2].__class__ == logging.FileHandler
# test log file is created
aws_ir.wrap_log_file(CASE_NUMBER, base_dir=BASE_DIR)
logger.info("test of file log")
assert os.path.isfile(LOG_FILE) is True
aws_ir.wrap_log_file(CASE_NUMBER, base_dir=BASE_DIR)
# check file contents
with open(LOG_FILE, 'r') as f:
lines = f.readlines()
assert "[" in lines[0]
assert "test of file log" in lines[1]
assert "]" in lines[-1]
def run(self):
self.config = self.parse_args(sys.argv[1:])
case_obj = case.Case(
self.config.case_number,
self.config.examiner_cidr_range,
self.config.bucket_name
)
if self.config.verbose:
log_level = logging.DEBUG;
else:
log_level = logging.INFO
aws_ir.set_stream_logger(level=log_level)
aws_ir.set_file_logger(case_obj.case_number, level=log_level)
logger = logging.getLogger(__name__)
aws_ir.wrap_log_file(case_obj.case_number)
logger.info("Initialization successful proceeding to incident plan.")
compromise_object = None
if self.config.func == 'instance_compromise':
hc = host.Compromise(
user = self.config.user,
ssh_key_file = self.config.ssh_key,
compromised_host_ip = self.config.instance_ip,
prog = self.prog,
case = case_obj
)
compromise_object = hc
try:
hc.mitigate()
except KeyboardInterrupt:
pass
elif self.config.func == 'key_compromise':
kc = key.Compromise(
self.config.examiner_cidr_range,
self.config.access_key_id,
case = case_obj
)
compromise_object = kc
try:
kc.mitigate()
except KeyboardInterrupt:
pass
def teardown(self, region, resource_id):
""" Any final post mitigation steps universal to all plans. """
try:
aws_ir.wrap_log_file(self.case_number)
self.__rename_log_file(self.case_number, resource_id)
self.copy_logs_to_s3()
processing_end_messaging = (
"""Processing complete for {case_number}\n"""
"""Artifacts stored in s3://{case_bucket}""").format(
case_number=self.case_number, case_bucket=self.case_bucket)
print(processing_end_messaging)
sys.exit(0)
except Exception as e:
logger.error(("Error uploading case logs for {case_number} to s3 "
"bucket {case_bucket}: {ex}".format(
case_number=self.case_number,
case_bucket=self.case_bucket,
ex=e)))
sys.exit(1)
def teardown(self, region, resource_id):
""" Any final post mitigation steps universal to all plans. """
try:
aws_ir.wrap_log_file(self.case_number)
self.__rename_log_file(self.case_number, resource_id)
self.copy_logs_to_s3()
processing_end_messaging = (
"""Processing complete for {case_number}\n"""
"""Artifacts stored in s3://{case_bucket}"""
).format(case_number=self.case_number,
case_bucket=self.case_bucket)
print(processing_end_messaging)
sys.exit(0)
except Exception as e:
logger.error(
("Error uploading case logs for {case_number} to s3 "
"bucket {case_bucket}: {ex}".format(case_number=self.case_number,
case_bucket=self.case_bucket,
ex=e)))
sys.exit(1)
def run(self):
self.config = self.parse_args(sys.argv[1:])
case_obj = case.Case(self.config.case_number,
self.config.examiner_cidr_range,
self.config.bucket_name)
if self.config.verbose:
log_level = logging.DEBUG
else:
log_level = logging.INFO
aws_ir.set_stream_logger(level=log_level)
aws_ir.set_file_logger(case_obj.case_number, level=log_level)
logger = logging.getLogger(__name__)
aws_ir.wrap_log_file(case_obj.case_number)
logger.info("Initialization successful proceeding to incident plan.")
compromise_object = None
if self.config.func == 'instance_compromise':
hc = host.Compromise(user=self.config.user,
ssh_key_file=self.config.ssh_key,
compromised_host_ip=self.config.instance_ip,
prog=self.prog,
case=case_obj)
compromise_object = hc
try:
hc.mitigate()
except KeyboardInterrupt:
pass
elif self.config.func == 'key_compromise':
kc = key.Compromise(self.config.examiner_cidr_range,
self.config.access_key_id,
case=case_obj)
compromise_object = kc
try:
kc.mitigate()
except KeyboardInterrupt:
pass
def run(self):
self.config = self.parse_args(sys.argv[1:])
case_obj = case.Case(self.config.case_number,
self.config.examiner_cidr_range,
self.config.bucket_name, self.config.profile)
if self.config.verbose:
log_level = logging.DEBUG
else:
log_level = logging.INFO
aws_ir.set_stream_logger(level=log_level)
aws_ir.set_file_logger(case_obj.case_number, level=log_level)
logger = logging.getLogger(__name__)
aws_ir.wrap_log_file(case_obj.case_number)
logger.info("Initialization successful proceeding to incident plan.")
if self.config.func == 'instance_compromise':
if self.config.target:
case_obj.prep_aws_connections()
hc = host.Compromise(user=self.config.user,
ssh_key_file=self.config.ssh_key,
target=self.config.target,
prog=self.prog,
case=case_obj,
steps=self.config.plugins)
try:
hc.mitigate()
except KeyboardInterrupt:
pass
if self.config.targets:
logger.info(
'Alert : multi-host mode engaged targets in file will attempt processing.'
)
batch_file = os.path.abspath(self.config.targets)
with open(batch_file) as f:
targets = f.read().split('\n')
for target in targets:
if target is not '':
hc = host.Compromise(user=self.config.user,
ssh_key_file=self.config.ssh_key,
target=target,
prog=self.prog,
case=case_obj,
steps=self.config.plugins)
try:
logger.info(
"Attempting processing instance {i}".format(
i=target))
hc.mitigate()
except KeyboardInterrupt:
pass
elif self.config.func == 'key_compromise':
kc = key.Compromise(
examiner_cidr_range=self.config.examiner_cidr_range,
compromised_access_key_id=self.config.access_key_id,
region='us-west-2',
case=case_obj,
steps=self.config.plugins)
try:
kc.mitigate()
except KeyboardInterrupt:
pass