def testEvaluatesRaisesWithUnsetField(self): r = rdf_foreman.ForemanIntegerClientRule( operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=123) client_id = self.SetupClient(0) with self.assertRaises(ValueError): r.Evaluate(aff4.FACTORY.Open(client_id, token=self.token))
def testEvaluatesRaisesWithUnsetField(self): r = rdf_foreman.ForemanIntegerClientRule( operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=123) client = self.SetupTestClientObject(0) info = data_store.REL_DB.ReadClientFullInfo(client.client_id) with self.assertRaises(ValueError): r.Evaluate(info)
def testRuleAdding(self): foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) # Make sure there are no rules yet in the foreman. self.assertEqual(len(rules), 0) client_rule_set = rdf_foreman.ForemanClientRuleSet(rules=[ rdf_foreman.ForemanClientRule( rule_type=rdf_foreman.ForemanClientRule.Type.REGEX, regex=rdf_foreman.ForemanRegexClientRule( field="CLIENT_NAME", attribute_regex="HUNT")), rdf_foreman.ForemanClientRule( rule_type=rdf_foreman.ForemanClientRule.Type.INTEGER, integer=rdf_foreman.ForemanIntegerClientRule( field="CLIENT_CLOCK", operator=rdf_foreman.ForemanIntegerClientRule.Operator. GREATER_THAN, value=1336650631137737)) ]) hunt = implementation.GRRHunt.StartHunt( hunt_name=standard.SampleHunt.__name__, client_rule_set=client_rule_set, client_rate=0, token=self.token) # Push the rules to the foreman. with hunt: hunt.GetRunner().Start() foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) # Make sure they were written correctly. self.assertEqual(len(rules), 1) rule = rules[0] self.assertEqual(rule.client_rule_set, client_rule_set) self.assertEqual(len(rule.actions), 1) self.assertEqual(rule.actions[0].hunt_name, "SampleHunt") # Running a second time should not change the rules any more. with hunt: hunt.GetRunner().Start() foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) # Still just one rule. self.assertEqual(len(rules), 1)
def testEvaluatesSizeLessThanEqualValueToFalse(self): now = rdfvalue.RDFDatetime().Now() client = self.SetupTestClientObject(0, last_boot_time=now) info = data_store.REL_DB.ReadClientFullInfo(client.client_id) r = rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN, value=now.AsSecondsFromEpoch()) # The values are the same, less than should not trigger. self.assertFalse(r.Evaluate(info))
def testEvaluatesToFalseWithNonIntAttribute(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="Host", operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=123) client_id = self.SetupClient(0) # Host is not a number self.assertFalse( r.Evaluate(aff4.FACTORY.Open(client_id, token=self.token)))
def testEvaluatesSizeLessThanZeroToFalse(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="size", operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN, value=0) client_id = self.SetupClient(0) # The size is not less than 0 self.assertFalse( r.Evaluate(aff4.FACTORY.Open(client_id, token=self.token)))
def testEvaluatesSizeLessThanEqualValueToFalse(self): now = rdfvalue.RDFDatetime().Now() client_id = self.SetupClient(0, last_boot_time=now) client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token) r = rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN, value=now.AsSecondsFromEpoch()) # The values are the same, less than should not trigger. self.assertFalse(r.Evaluate(client))
def testEvaluatesToFalseWithNonIntAttribute(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="Host", operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=123) client_id, = self.SetupClients(nr_clients=1) # Host is not a number self.assertFalse(r.Evaluate(CollectAff4Objects(r.GetPathsToCheck(), client_id, self.token), client_id))
def testEvaluatesSizeLessThanZeroToFalse(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="size", operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN, value=0) client_id, = self.SetupClients(nr_clients=1) # The size is not less than 0 self.assertFalse(r.Evaluate(CollectAff4Objects(r.GetPathsToCheck(), client_id, self.token), client_id))
def testEvaluatesSizeGreaterThanMinusOneToTrue(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="size", operator=rdf_foreman.ForemanIntegerClientRule.Operator. GREATER_THAN, value=-1) client_id = self.SetupClient(0) # size > -1 self.assertTrue( r.Evaluate(aff4.FACTORY.Open(client_id, token=self.token)))
def testEvaluatesSizeGreaterThanSmallerValueToTrue(self): now = rdfvalue.RDFDatetime().Now() client = self.SetupTestClientObject(0, last_boot_time=now) info = data_store.REL_DB.ReadClientFullInfo(client.client_id) before_boot = now - 1 r = rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator.GREATER_THAN, value=before_boot.AsSecondsSinceEpoch()) self.assertTrue(r.Evaluate(info))
def testEvaluatesSizeGreaterThanMinusOneToTrue(self): # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( attribute_name="size", operator=rdf_foreman.ForemanIntegerClientRule.Operator.GREATER_THAN, value=-1) client_id, = self.SetupClients(nr_clients=1) # size > -1 self.assertTrue(r.Evaluate(CollectAff4Objects(r.GetPathsToCheck(), client_id, self.token), client_id))
def testEvaluatesSizeGreaterThanSmallerValueToTrue(self): now = rdfvalue.RDFDatetime().Now() client_id = self.SetupClient(0, last_boot_time=now) client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token) before_boot = now - 1 r = rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator.GREATER_THAN, value=before_boot.AsSecondsSinceEpoch()) self.assertTrue(r.Evaluate(client))
def testEvaluation(self): now = rdfvalue.RDFDatetime().Now() client = self.SetupTestClientObject(0, last_boot_time=now) info = data_store.REL_DB.ReadClientFullInfo(client.client_id) for f in rdf_foreman.ForemanIntegerClientRule.ForemanIntegerField.enum_dict: if f == "UNSET": continue r = rdf_foreman.ForemanIntegerClientRule( field=f, operator=rdf_foreman.ForemanIntegerClientRule.Operator.LESS_THAN, value=now.AsSecondsSinceEpoch()) r.Evaluate(info)
def testEvaluatesSizeGreaterThanSmallerValueToTrue(self): client_id = self.SetupClient(0) client = aff4.FACTORY.Open(client_id, mode="rw", token=self.token) now = rdfvalue.RDFDatetime().Now() client.Set(client.Schema.LAST_BOOT_TIME, now) before_boot = now - 1 # Instantiate an integer rule r = rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator. GREATER_THAN, value=before_boot.AsSecondsFromEpoch()) self.assertTrue(r.Evaluate(client))
def testStopping(self): """Tests if we can stop a hunt.""" foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) # Make sure there are no rules yet. self.assertEqual(len(rules), 0) now = rdfvalue.RDFDatetime.Now() expires = rdfvalue.Duration("1h").Expiry() # Add some rules. rules = [ rdf_foreman.ForemanRule( created=now, expires=expires, description="Test rule1"), rdf_foreman.ForemanRule( created=now, expires=expires, description="Test rule2") ] self.AddForemanRules(rules) client_rule_set = rdf_foreman.ForemanClientRuleSet(rules=[ rdf_foreman.ForemanClientRule( rule_type=rdf_foreman.ForemanClientRule.Type.REGEX, regex=rdf_foreman.ForemanRegexClientRule( attribute_name="GRR client", attribute_regex="HUNT")), rdf_foreman.ForemanClientRule( rule_type=rdf_foreman.ForemanClientRule.Type.INTEGER, integer=rdf_foreman.ForemanIntegerClientRule( attribute_name="Clock", operator=rdf_foreman.ForemanIntegerClientRule.Operator. GREATER_THAN, value=1336650631137737)) ]) hunt = implementation.GRRHunt.StartHunt( hunt_name=standard.SampleHunt.__name__, client_rule_set=client_rule_set, client_rate=0, token=self.token) with hunt: runner = hunt.GetRunner() runner.Start() # Add some more rules. rules = [ rdf_foreman.ForemanRule( created=now, expires=expires, description="Test rule3"), rdf_foreman.ForemanRule( created=now, expires=expires, description="Test rule4") ] self.AddForemanRules(rules) foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) self.assertEqual(len(rules), 5) # It should be running. self.assertTrue(runner.IsHuntStarted()) # Now we stop the hunt. hunt.Stop() foreman = aff4.FACTORY.Open("aff4:/foreman", mode="rw", token=self.token) rules = foreman.Get(foreman.Schema.RULES) # The rule for this hunt should be deleted but the rest should be there. self.assertEqual(len(rules), 4) # And the hunt should report no outstanding requests any more. with hunt: self.assertFalse(hunt.GetRunner().IsHuntStarted())
def GenerateSample(self, number=0): # Sample rule matches clients with the attribute size equal to number return rdf_foreman.ForemanIntegerClientRule( field="LAST_BOOT_TIME", operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=number)
def GenerateSample(self, number=0): # Sample rule matches clients with the attribute size equal to number return rdf_foreman.ForemanIntegerClientRule( attribute_name="size", operator=rdf_foreman.ForemanIntegerClientRule.Operator.EQUAL, value=number)