  def testModificationTimeCondition(self):
    """Check that a MODIFICATION_TIME condition filters files by mtime.

    The file finder is run twice over the same three timestamped files with
    the same cutoff: once with only an upper bound (max_last_modified_time)
    and once with only a lower bound (min_last_modified_time). The two runs
    must return complementary subsets of the files.
    """

    def mtime_condition(**bounds):
      # Wrap a FileFinderModificationTimeCondition in a FileFinderCondition.
      return rdf_file_finder.FileFinderCondition(
          condition_type="MODIFICATION_TIME",
          modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
              **bounds))

    with utils.Stubber(os, "lstat", MyStat):
      test_dir = self._PrepareTimestampedFiles()
      paths = [test_dir + "/{dpkg.log,dpkg_false.log,auth.log}"]

      # NOTE(review): the expectations below depend on the stubbed lstat
      # (MyStat): both dpkg* files must be modified no later than this cutoff
      # and auth.log later than it - confirm against the stub.
      cutoff = rdfvalue.RDFDatetime.FromHumanReadable("2020-01-01")

      # Upper bound only: the two dpkg files pass, auth.log is filtered out.
      self.RunAndCheck(
          paths,
          conditions=[mtime_condition(max_last_modified_time=cutoff)],
          expected=["dpkg.log", "dpkg_false.log"],
          unexpected=["auth.log"],
          base_path=test_dir)

      # Lower bound only: just auth.log passes.
      self.RunAndCheck(
          paths,
          conditions=[mtime_condition(min_last_modified_time=cutoff)],
          expected=["auth.log"],
          unexpected=["dpkg.log", "dpkg_false.log"],
          base_path=test_dir)
  def testFindsKeyWithLiteralAndModificationTimeConditions(self):
    """Combine a modification-time window with a value-literal match.

    Only a registry key that satisfies both conditions may be returned; for
    the client fixture that is expected to be the single Sidebar run key.
    """
    client_id = test_lib.TEST_CLIENT_ID
    RegistryCondition = registry.RegistryFinderCondition
    to_datetime = rdfvalue.RDFDatetime.FromSecondsSinceEpoch

    # Two-second window around a fixed timestamp (presumably the fixture
    # key's modification time - see test_data/client_fixture.py).
    key_mtime = 1247546054
    time_window = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=to_datetime(key_mtime - 1),
        max_last_modified_time=to_datetime(key_mtime + 1))

    literal_match = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
        bytes_before=10, bytes_after=10, literal="Windows Sidebar\\Sidebar.exe")

    conditions = [
        RegistryCondition(
            condition_type=RegistryCondition.Type.MODIFICATION_TIME,
            modification_time=time_window),
        RegistryCondition(
            condition_type=RegistryCondition.Type.VALUE_LITERAL_MATCH,
            value_literal_match=literal_match),
    ]
    session_id = self.RunFlow([self.runkey], conditions, client_id=client_id)

    results = self.GetResults(session_id)
    # Both conditions together narrow the fixture down to exactly one key.
    self.assertEqual(len(results), 1)
    self.assertEqual(
        results[0].stat_entry.AFF4Path(client_id),
        "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
        "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
  def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
    """A modification-time window no key falls into must yield no results."""
    to_datetime = rdfvalue.RDFDatetime.FromSecondsSinceEpoch

    # Window covering only the first second after the epoch; the test
    # expects no fixture key to have a modification time in that range.
    empty_window = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=to_datetime(0),
        max_last_modified_time=to_datetime(1))

    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
        modification_time=empty_window)
    session_id = self.RunFlow([self.runkey], [condition])

    self.AssertNoResults(session_id)
  def testModificationTimeConditionWithDifferentActions(self):
    """Run a lower-bound modification-time condition under every action.

    Whatever action from CONDITION_TESTS_ACTIONS the flow uses, the same
    condition must select dpkg.log and dpkg_false.log and reject auth.log.
    """
    expected_files = ["dpkg.log", "dpkg_false.log"]
    non_expected_files = ["auth.log"]

    # NOTE: built from an RDFDatetime instance via FromSecondsFromEpoch, not
    # the FromSecondsSinceEpoch classmethod used in the other tests.
    cutoff = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)

    FinderCondition = rdf_file_finder.FileFinderCondition
    min_mtime_condition = FinderCondition(
        condition_type=FinderCondition.Type.MODIFICATION_TIME,
        modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=cutoff))

    # Same condition and expectations for every action; only `action` varies.
    for action in self.CONDITION_TESTS_ACTIONS:
      self.RunFlowAndCheckResults(
          action=action,
          conditions=[min_mtime_condition],
          expected_files=expected_files,
          non_expected_files=non_expected_files)
  def testFindsKeysIfModificationTimeConditionMatches(self):
    """Keys whose modification time lies in the window are returned.

    Uses a two-second window around a fixed timestamp and expects exactly
    the Sidebar and MctAdmin keys (see test_data/client_fixture.py).
    """
    to_datetime = rdfvalue.RDFDatetime.FromSecondsSinceEpoch

    key_mtime = 1247546054
    time_window = rdf_file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=to_datetime(key_mtime - 1),
        max_last_modified_time=to_datetime(key_mtime + 1))

    condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
        modification_time=time_window)
    session_id = self.RunFlow([self.runkey], [condition])

    results = self.GetResults(session_id)
    self.assertEqual(len(results), 2)

    # Compare by key name only; the order of results is not significant.
    key_paths = [r.stat_entry.pathspec.path for r in results]
    basenames = list(map(os.path.basename, key_paths))
    self.assertItemsEqual(basenames, ["Sidebar", "MctAdmin"])