def testProcessHostData(self):
  """Checks detect issues and return anomalies as check results."""
  # Expected primitive forms of the check results for each platform below.
  netcat = {
      "check_id": u"SW-CHECK",
      "anomaly": [{
          "finding": [u"netcat-traditional 1.10-40 is installed"],
          "explanation": u"Found: l337 software installed",
          "type": "ANALYSIS_ANOMALY"
      }]
  }
  sshd = {
      "check_id": u"SSHD-CHECK",
      "anomaly": [{
          "finding": [u"Configured protocols: [2, 1]"],
          "explanation": u"Found: Sshd allows protocol 1.",
          "type": "ANALYSIS_ANOMALY"
      }]
  }
  windows = {
      "check_id": u"SW-CHECK",
      "anomaly": [{
          "finding": [u"Adware 2.1.1 is installed"],
          "explanation": u"Found: Malicious software.",
          "type": "ANALYSIS_ANOMALY"
      }, {
          "finding": [u"Java 6.0.240 is installed"],
          "explanation": u"Found: Old Java installation.",
          "type": "ANALYSIS_ANOMALY"
      }]
  }

  def run_for(os_name):
    """Sets the knowledge base OS, runs the checks and keys results by id."""
    self.kb.os = os_name
    return {r.check_id: r.ToPrimitiveDict()
            for r in checks.CheckHost(self.host_data)}

  # Linux: the software and sshd checks each produce one anomaly.
  results = run_for("Linux")
  self.assertItemsEqual(["SW-CHECK", "SSHD-CHECK"], results.keys())
  self.assertEqual(netcat, results["SW-CHECK"])
  self.assertEqual(sshd, results["SSHD-CHECK"])

  # Windows: the software check reports several anomalies. Their order is not
  # fixed (it follows dictionary ordering), so check each entry individually.
  results = run_for("Windows")
  self.assertItemsEqual(["SW-CHECK"], results.keys())
  anomalies = results["SW-CHECK"]["anomaly"]
  self.assertEqual(2, len(anomalies))
  for expected in windows["anomaly"]:
    self.assertTrue(expected in anomalies)

  # OSX: only the sshd check fires.
  results = run_for("OSX")
  self.assertItemsEqual(["SSHD-CHECK"], results.keys())
  self.assertDictEqual(sshd, results["SSHD-CHECK"])
def RunChecks(self, responses):
  """Runs the checks over the collected host data and replies with findings.

  Args:
    responses: The responses of the preceding collection step; only its
      ``success`` flag is inspected here.

  Raises:
    RuntimeError: If the preceding collection step did not succeed.
  """
  if not responses.success:
    raise RuntimeError("Checks did not run successfully.")

  # Every artifact has been gathered by this point, so checks that need
  # several artifacts/results at once can see all of them together.
  host_data = self.state.host_data
  os_name = self.state.knowledge_base.os

  for finding in checks.CheckHost(host_data, os_name=os_name):
    check_id = finding.check_id
    self.state.checks_run.append(check_id)
    # Only checks that actually produced an anomaly are tracked separately.
    if finding.anomaly:
      self.state.checks_with_findings.append(check_id)
    self.SendReply(finding)
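def RunChecks(self, host_data, labels=None, restrict_checks=None):
  """Runs the registered checks against the provided host data.

  Args:
    host_data: A dictionary of artifact_names and results. Results are, in
      turn, a dictionary of {'ANOMALY': [], 'PARSED': [], 'RAW': []} items.
    labels: Additional labels attached to the host.
    restrict_checks: A list specifying a subset of check_ids to run.

  Returns:
    A dict mapping each result's check_id to that check result. If
    checks.CheckHost yields more than one result with the same check_id,
    only the last one is kept.
  """
  # Docstring previously promised an iterator; callers index by check_id.
  return {
      r.check_id: r
      for r in checks.CheckHost(
          host_data, labels=labels, restrict_checks=restrict_checks)
  }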
def RunChecks(self, host_data):
  """Runs checks.CheckHost over host_data and keys the results by check_id.

  Args:
    host_data: The host data handed straight to checks.CheckHost.

  Returns:
    A dict of check_id -> check result; a later result with the same
    check_id replaces an earlier one.
  """
  results_by_id = {}
  for result in checks.CheckHost(host_data):
    results_by_id[result.check_id] = result
  return results_by_id
def RunChecks(self, host_data, labels=None):
  """Runs checks.CheckHost over host_data and keys the results by check_id.

  Args:
    host_data: The host data handed straight to checks.CheckHost.
    labels: Optional labels forwarded unchanged to checks.CheckHost.

  Returns:
    A dict of check_id -> check result; a later result with the same
    check_id replaces an earlier one.
  """
  results_by_id = {}
  for result in checks.CheckHost(host_data, labels=labels):
    results_by_id[result.check_id] = result
  return results_by_id