def testRegistryDefaultValueArtifact(self):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock(standard.GetFileStat)
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE/SOFTWARE/ListingTest"),
"value":
""
}]
})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
session_id = flow_test_lib.TestFlowHelper(
collectors.ArtifactCollectorFlow.__name__,
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id)
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
self.assertEqual(fd[0].registry_data.GetValue(), "DefaultValue")
def testSupportedOS(self):
"""Test supported_os inside the collector object."""
with utils.Stubber(psutil, "process_iter", ProcessIter):
# Run with false condition.
client_mock = action_mocks.ActionMock(standard.ListProcesses)
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
attributes={"client_action": standard.ListProcesses.__name__},
supported_os=["Windows"])
self.fakeartifact.sources.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__,
sequential_collection.GeneralIndexedCollection)
self.assertEqual(len(fd), 0)
# Now run with matching or condition.
coll1.conditions = []
coll1.supported_os = ["Linux", "Windows"]
self.fakeartifact.sources = []
self.fakeartifact.sources.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__,
sequential_collection.GeneralIndexedCollection)
self.assertNotEqual(len(fd), 0)
# Now run with impossible or condition.
coll1.conditions = ["os == 'Linux' or os == 'Windows'"]
coll1.supported_os = ["NotTrue"]
self.fakeartifact.sources = []
self.fakeartifact.sources.append(coll1)
fd = self._RunClientActionArtifact(client_mock, ["FakeArtifact"])
self.assertEqual(fd.__class__,
sequential_collection.GeneralIndexedCollection)
self.assertEqual(len(fd), 0)
def testRegistryValueArtifact(self):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock(standard.GetFileStat)
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
session_id = flow_test_lib.TestFlowHelper(
collectors.ArtifactCollectorFlow.__name__,
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id)
# Test the statentry got stored.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
urn = fd[0].pathspec.AFF4Path(self.client_id)
self.assertTrue(str(urn).endswith("BootExecute"))
def testRunGrrClientActionArtifactSplit(self):
"""Test that artifacts get split into separate collections."""
with utils.Stubber(psutil, "process_iter", ProcessIter):
client_mock = action_mocks.ActionMock(standard.ListProcesses)
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
attributes={"client_action": standard.ListProcesses.__name__})
self.fakeartifact.sources.append(coll1)
self.fakeartifact2.sources.append(coll1)
artifact_list = ["FakeArtifact", "FakeArtifact2"]
session_id = flow_test_lib.TestFlowHelper(
collectors.ArtifactCollectorFlow.__name__,
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
split_output_by_artifact=True)
# Check that we got two separate collections based on artifact name
fd = collectors.ArtifactCollectorFlow.ResultCollectionForArtifact(
session_id, "FakeArtifact")
self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
self.assertEqual(len(fd), 1)
fd = collectors.ArtifactCollectorFlow.ResultCollectionForArtifact(
session_id, "FakeArtifact2")
self.assertEqual(len(fd), 1)
self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
def testRunGrrClientActionArtifact(self):
"""Test we can get a GRR client artifact."""
with utils.Stubber(psutil, "process_iter", ProcessIter):
client_mock = action_mocks.ActionMock(standard.ListProcesses)
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
attributes={"client_action": standard.ListProcesses.__name__})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
session_id = flow_test_lib.TestFlowHelper(
collectors.ArtifactCollectorFlow.__name__,
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id)
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertTrue(isinstance(list(fd)[0], rdf_client.Process))
self.assertTrue(len(fd) == 1)
def testGetArtifact1(self):
"""Test we can get a basic artifact."""
client_mock = action_mocks.FileFinderClientMock()
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Linux"))
client.Flush()
# Dynamically add an ArtifactSource specifying the base path.
file_path = os.path.join(self.base_path, "test_img.dd")
coll1 = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
flow_test_lib.TestFlowHelper(collectors.ArtifactCollectorFlow.__name__,
client_mock,
artifact_list=artifact_list,
use_tsk=False,
token=self.token,
client_id=self.client_id)
# Test the AFF4 file that was created.
fd1 = aff4.FACTORY.Open("%s/fs/os/%s" % (self.client_id, file_path),
token=self.token)
fd2 = open(file_path, "rb")
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
def testGrep(self):
class MockCallFlow(object):
def CallFlow(self, *args, **kwargs):
self.args = args
self.kwargs = kwargs
mock_call_flow = MockCallFlow()
with utils.Stubber(collectors.ArtifactCollectorFlow, "CallFlow",
mock_call_flow.CallFlow):
collect_flow = collectors.ArtifactCollectorFlow(None,
token=self.token)
collect_flow.args = mock.Mock()
collect_flow.args.ignore_interpolation_errors = False
kb = rdf_client.KnowledgeBase()
kb.MergeOrAddUser(rdf_client.User(username="******"))
kb.MergeOrAddUser(rdf_client.User(username="******"))
collect_flow.state["knowledge_base"] = kb
collect_flow.current_artifact_name = "blah"
collector = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GREP,
attributes={
"paths": ["/etc/passwd"],
"content_regex_list": [r"^a%%users.username%%b$"]
})
collect_flow.Grep(collector, rdf_paths.PathSpec.PathType.TSK)
conditions = mock_call_flow.kwargs["conditions"]
self.assertEqual(len(conditions), 1)
regexes = conditions[0].contents_regex_match.regex.SerializeToString()
self.assertItemsEqual(regexes.split("|"),
["(^atest1b$)", "(^atest2b$)"])
self.assertEqual(mock_call_flow.kwargs["paths"], ["/etc/passwd"])
def testValidateRegistrykey(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.REGISTRY_KEY,
attributes={
"keys": [r"Foo\Bar\Baz"],
})
source.Validate()
def testValidateDirectory(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.DIRECTORY,
attributes={
"paths": ["/home", "/usr"],
})
source.Validate()
def testValidateCommand(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "quux",
"args": ["-foo", "-bar"],
})
source.Validate()
def testValidatePathsIsAList(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.FILE,
attributes={
"paths": "/bin",
})
with self.assertRaisesRegexp(artifacts.ArtifactSourceSyntaxError,
"not a list"):
source.Validate()
def testValidateMissingRequiredAttributes(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GREP,
attributes={
"paths": ["/etc", "/dev", "/opt"],
})
expected = "missing required attributes: 'content_regex_list'"
with self.assertRaisesRegexp(artifacts.ArtifactSourceSyntaxError,
expected):
source.Validate()
def testValidatePathIsAString(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.ARTIFACT_GROUP,
attributes={
"names": ["Foo", "Bar"],
"path": ["/tmp", "/var"],
})
with self.assertRaisesRegexp(artifacts.ArtifactSourceSyntaxError,
"not a string"):
source.Validate()
def testValidateCommandWithSingleArgumentContainingSpace(self):
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "quux",
"args": ["-foo -bar"],
})
with self.assertRaisesRegexp(artifacts.ArtifactSourceSyntaxError,
"'-foo -bar'"):
source.Validate()
def testSourceMeetsConditions(self):
"""Test we can get a GRR client artifact with conditions."""
artifact_collector = collectors.ClientArtifactCollector(None)
artifact_collector.args = artifact_utils.ArtifactCollectorFlowArgs()
kb = rdf_client.KnowledgeBase()
kb.os = "Windows"
artifact_collector.args.knowledge_base = kb
# Run with false condition.
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
attributes={"client_action": standard.ListProcesses.__name__},
conditions=["os == 'Linux'"])
self.assertFalse(artifact_collector._MeetsConditions(source))
# Run with matching or condition.
source = artifacts.ArtifactSource(
type=artifacts.ArtifactSource.SourceType.GRR_CLIENT_ACTION,
attributes={"client_action": standard.ListProcesses.__name__},
conditions=["os == 'Linux' or os == 'Windows'"])
self.assertTrue(artifact_collector._MeetsConditions(source))