def Render(self, args, token=None): audit_description = ",".join([ token.username + u"." + utils.SmartUnicode(name) for name in args.labels ]) audit_events = [] try: index = aff4.FACTORY.Create(client_index.MAIN_INDEX, aff4_type="ClientIndex", mode="rw", token=token) client_objs = aff4.FACTORY.MultiOpen(args.client_ids, aff4_type="VFSGRRClient", mode="rw", token=token) for client_obj in client_objs: client_obj.AddLabels(*args.labels) index.AddClient(client_obj) client_obj.Close() audit_events.append( rdfvalue.AuditEvent( user=token.username, action="CLIENT_ADD_LABEL", flow_name="renderer.ApiClientsAddLabelsRenderer", client=client_obj.urn, description=audit_description)) return dict(status="OK") finally: flow.Events.PublishMultipleEvents({"Audit": audit_events}, token=token)
def StartHunt(cls, args=None, runner_args=None, **kwargs): """This class method creates new hunts.""" # Build the runner args from the keywords. if runner_args is None: runner_args = HuntRunnerArgs() cls.FilterArgsFromSemanticProtobuf(runner_args, kwargs) # Is the required flow a known flow? if (runner_args.hunt_name not in cls.classes and not aff4.issubclass( cls.classes[runner_args.hunt_name], GRRHunt)): raise RuntimeError("Unable to locate hunt %s" % runner_args.hunt_name) # Make a new hunt object and initialize its runner. hunt_obj = aff4.FACTORY.Create(None, runner_args.hunt_name, mode="w", token=runner_args.token) # Hunt is called using keyword args. We construct an args proto from the # kwargs.. if hunt_obj.args_type and args is None: args = hunt_obj.args_type() cls.FilterArgsFromSemanticProtobuf(args, kwargs) if hunt_obj.args_type and not isinstance(args, hunt_obj.args_type): raise RuntimeError("Hunt args must be instance of %s" % hunt_obj.args_type) if kwargs: raise type_info.UnknownArg("Unknown parameters to StartHunt: %s" % kwargs) # Store the hunt args in the state. hunt_obj.state.Register("args", args) # Hunts are always created in the paused state. The runner method Start # should be called to start them. hunt_obj.Set(hunt_obj.Schema.STATE("PAUSED")) runner = hunt_obj.CreateRunner(runner_args=runner_args) # Allow the hunt to do its own initialization. runner.RunStateMethod("Start") hunt_obj.Flush() try: flow_name = args.flow_runner_args.flow_name except AttributeError: flow_name = "" event = rdfvalue.AuditEvent(user=runner_args.token.username, action="HUNT_CREATED", urn=hunt_obj.urn, flow_name=flow_name, description=runner_args.description) flow.Events.PublishEvent("Audit", event, token=runner_args.token) return hunt_obj
def Start(self): """Find a hunt, perform a permissions check and modify it.""" with aff4.FACTORY.Open( self.args.hunt_urn, aff4_type="GRRHunt", mode="rw", token=self.token) as hunt: runner = hunt.GetRunner() data_store.DB.security_manager.CheckHuntAccess( self.token.RealUID(), hunt.urn) # Make sure the hunt is not running: if runner.IsHuntStarted(): raise RuntimeError("Unable to modify a running hunt. Pause it first.") # Record changes in the audit event changes = [] if runner.context.expires != self.args.expiry_time: changes.append("Expires: Old=%s, New=%s" % (runner.context.expires, self.args.expiry_time)) if runner.args.client_limit != self.args.client_limit: changes.append("Client Limit: Old=%s, New=%s" % ( runner.args.client_limit, self.args.client_limit)) description = ", ".join(changes) event = rdfvalue.AuditEvent(user=self.token.username, action="HUNT_MODIFIED", urn=self.args.hunt_urn, description=description) flow.Events.PublishEvent("Audit", event, token=self.token) # Just go ahead and change the hunt now. runner.context.expires = self.args.expiry_time runner.args.client_limit = self.args.client_limit
def Render(self, args, token=None): audit_description = ",".join([ token.username + u"." + utils.SmartUnicode(name) for name in args.labels ]) audit_events = [] try: index = aff4.FACTORY.Create(client_index.MAIN_INDEX, aff4_type="ClientIndex", mode="rw", token=token) client_objs = aff4.FACTORY.MultiOpen(args.client_ids, aff4_type="VFSGRRClient", mode="rw", token=token) for client_obj in client_objs: self.RemoveClientLabels(client_obj, args.labels) # TODO(user): AddClient doesn't remove labels. Make sure removed labels # are actually removed from the index. index.AddClient(client_obj) client_obj.Close() audit_events.append( rdfvalue.AuditEvent( user=token.username, action="CLIENT_REMOVE_LABEL", flow_name="renderer.ApiClientsRemoveLabelsRenderer", client=client_obj.urn, description=audit_description)) finally: flow.Events.PublishMultipleEvents({"Audit": audit_events}, token=token) return dict(status="OK")
def SimulateUserActivity(username, client_id, timestamp, num=10): for flow_name in flows[:num]: event = rdfvalue.AuditEvent(user=username, action="RUN_FLOW", flow=flow_name, client=client_id, age=timestamp) flow.Events.PublishEvent("Audit", event, token=token)
def Start(self): audit_description = ",".join([ self.token.username + u"." + utils.SmartUnicode(name) for name in self.args.labels ]) audit_events = [] try: index = aff4.FACTORY.Create(client_index.MAIN_INDEX, aff4_type="ClientIndex", mode="rw", token=self.token) client_objs = aff4.FACTORY.MultiOpen(self.args.clients, aff4_type="VFSGRRClient", mode="rw", token=self.token) for client_obj in client_objs: client_obj.AddLabels(*self.args.labels) index.AddClient(client_obj) client_obj.Close() audit_events.append( rdfvalue.AuditEvent(user=self.token.username, action="CLIENT_ADD_LABEL", flow_name="ApplyLabelsToClientsFlow", client=client_obj.urn, description=audit_description)) finally: flow.Events.PublishMultipleEvents({"Audit": audit_events}, token=self.token)
def BuildApprovalUrn(self): """Builds approval object urn.""" event = rdfvalue.AuditEvent(user=self.token.username, action="CLIENT_APPROVAL_REQUEST", client=self.client_id, description=self.args.reason) flow.Events.PublishEvent("Audit", event, token=self.token) return self.ApprovalUrnBuilder(self.client_id.Path(), self.token.username, self.args.reason)
def _CreateAuditEvent(self, event_action): try: flow_name = self.flow_obj.args.flow_runner_args.flow_name except AttributeError: flow_name = "" event = rdfvalue.AuditEvent(user=self.flow_obj.token.username, action=event_action, urn=self.flow_obj.urn, flow_name=flow_name, description=self.args.description) flow.Events.PublishEvent("Audit", event, token=self.flow_obj.token)
def BuildApprovalUrn(self): """Builds approval object URN.""" # In this case subject_urn is hunt's URN. flow.Events.PublishEvent("Audit", rdfvalue.AuditEvent( user=self.token.username, action="CRON_APPROVAL_GRANT", urn=self.args.subject_urn, description=self.args.reason), token=self.token) return self.ApprovalUrnBuilder(self.args.subject_urn.Path(), self.args.delegate, self.args.reason)