def testInterrogateWindows(self):
"""Test the Interrogate flow."""
test_lib.ClientFixture(self.client_id, token=self.token)
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient(
"TransferBuffer", "StatFile", "Find", "HashBuffer",
"ListDirectory", "FingerprintFile", "GetLibraryVersions")
self.SetWindowsClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
# Run the flow in the simulated way
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Windows", 100 * 1000000)
self._CheckClientInfo()
self._CheckClientIndex(".*Host.*")
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Windows",
"6.1.7600",
kernel="6.1.7601")
# users Bert and Ernie added by the fixture should not be present (USERS
# overriden by kb)
# jim parsed from registry profile keys
self._CheckUsers(["jim", "kovacs"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckWindowsDiskInfo()
self._CheckRegistryPathspec()
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Linux", os_version="12.04")
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.interrogate_store_in_aff4": [],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient(
"TransferBuffer", "StatFile", "Find", "HashBuffer",
"ListDirectory", "FingerprintFile", "GetLibraryVersions",
"GetMemorySize", "HashFile")
client_mock.InitializeClient()
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Linux", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease("Ubuntu", "14.4")
# users 1,2,3 from wtmp
# users yagharek, isaac from netgroup
self._CheckUsers(
["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckClientLibraries()
self._CheckMemory()
def testInterrogateLinuxWithWtmp(self):
"""Test the Interrogate flow."""
test_lib.ClientFixture(self.client_id, token=self.token)
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler
config_lib.CONFIG.Set(
"Artifacts.knowledge_base",
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"])
config_lib.CONFIG.Set("Artifacts.netgroup_filter_regexes",
[r"^login$"])
self.SetLinuxClient()
client_mock = action_mocks.InterrogatedClient("TransferBuffer",
"StatFile", "Find",
"HashBuffer",
"ListDirectory",
"FingerprintFile")
client_mock.InitializeClient()
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Linux", 100 * 1000000)
self._CheckClientInfo()
self._CheckClientIndex(".*test.*")
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Linux",
"14.4",
release="Ubuntu",
kernel="3.13.0-39-generic")
self._CheckRelease("Ubuntu", "14.4")
# users 1,2,3 from wtmp
# users yagharek, isaac from netgroup
self._CheckUsers(["yagharek", "isaac", "user1", "user2", "user3"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckClientKwIndex(["Linux"], 1)
self._CheckClientKwIndex(["Label2"], 1)
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
fixture_test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64")
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
# Run the flow in the simulated way
for _ in flow_test_lib.TestFlowHelper(
discovery.Interrogate.__name__,
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Windows", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsers(["jim", "kovacs"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckWindowsDiskInfo()
self._CheckRegistryPathspec()
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckMemory()
def testInterrogateCloudMetadataWindows(self):
"""Check google cloud metadata on windows."""
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64")
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(
system="Windows", version="6.1.7600", kernel="6.1.7601")
with mock.patch.object(platform, "system", return_value="Windows"):
for _ in test_lib.TestFlowHelper(
"Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckCloudMetadata()
def testInterrogateCloudMetadataLinux(self):
"""Check google cloud metadata on linux."""
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Linux", os_version="12.04")
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base":
["LinuxWtmp", "NetgroupConfiguration", "LinuxRelease"],
"Artifacts.interrogate_store_in_aff4": [],
"Artifacts.netgroup_filter_regexes": [r"^login$"]
}):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckCloudMetadata()
def testStatsHunt(self):
interval = rdfvalue.Duration(
config_lib.CONFIG["StatsHunt.CollectionInterval"])
batch_size = 3
config_lib.CONFIG.Set("StatsHunt.ClientBatchSize", batch_size)
# Make one of the clients windows
with aff4.FACTORY.Open(self.client_ids[3], mode="rw",
token=self.token) as win_client:
win_client.Set(win_client.Schema.SYSTEM("Windows"))
with test_lib.FakeTime(0, increment=0.01):
with hunts.GRRHunt.StartHunt(
hunt_name="StatsHunt",
client_rate=0,
token=self.token,
output_plugins=[
output_plugin.OutputPluginDescriptor(
plugin_name="DummyHuntOutputPlugin")
]) as hunt:
hunt.Run()
hunt_urn = hunt.urn
# Run the hunt.
self.AssignTasksToClients()
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient()
test_lib.TestHuntHelper(client_mock, self.client_ids, False,
self.token)
# At this time the clients should not receive any messages since messages
# are posted in the future.
self.assertEqual(client_mock.response_count, 0)
# Lets advance the time and re-run the hunt. The clients should now receive
# their messages.
with test_lib.FakeTime(10 + interval.seconds, increment=0.01):
test_lib.TestHuntHelper(client_mock, self.client_ids, False,
self.token)
self.assertEqual(client_mock.response_count, len(self.client_ids))
# Make sure the last message was of LOW_PRIORITY (all messages should be
# LOW_PRIORITY but we only check the last one).
self.assertEqual(client_mock.recorded_messages[-1].priority,
"LOW_PRIORITY")
# Check fastpoll was false for all messages
self.assertFalse(
any([
x.require_fastpoll for x in client_mock.recorded_messages
]))
# Pause the hunt
with aff4.FACTORY.OpenWithLock(hunt.urn, token=self.token) as hunt:
hunt.GetRunner().Pause()
# Advance time and re-run. We get the results back from last time, but don't
# schedule any new ones because the hunt is now paused.
with test_lib.FakeTime(20 + (interval.seconds * 2), increment=0.01):
test_lib.TestHuntHelper(client_mock, self.client_ids, False,
self.token)
self.assertEqual(client_mock.response_count,
len(self.client_ids) * 2)
# Advance time and re-run. We should have the same number of responses
# still.
with test_lib.FakeTime(30 + (interval.seconds * 3), increment=0.01):
test_lib.TestHuntHelper(client_mock, self.client_ids, False,
self.token)
# All clients were called.
self.assertEqual(client_mock.response_count,
len(self.client_ids) * 2)
# Check the results got written to the collection
result_collection = aff4.FACTORY.Open(hunt_urn.Add("Results"),
token=self.token)
# The +1 is here because we write 2 responses for the single windows machine
# (dnsconfig and interface)
self.assertEqual(len(result_collection),
(len(self.client_ids) + 1) * 2)
