class SchemaCls(aff4.AFF4Object.SchemaCls): """Schema for GRRUser.""" PENDING_NOTIFICATIONS = aff4.Attribute( "aff4:notification/pending", rdf_flows.NotificationList, "The notifications pending for the user.", default=rdf_flows.NotificationList(), versioned=False) SHOWN_NOTIFICATIONS = aff4.Attribute( "aff4:notifications/shown", rdf_flows.NotificationList, "Notifications already shown to the user.", default=rdf_flows.NotificationList(), versioned=False) SHOWN_GLOBAL_NOTIFICATIONS = aff4.Attribute( "aff4:global_notification/timestamp_list", GlobalNotificationSet, "Global notifications shown to this user.", default=GlobalNotificationSet(), versioned=False) GUI_SETTINGS = aff4.Attribute("aff4:gui/settings", GUISettings, "GUI Settings", default=GUISettings()) PASSWORD = aff4.Attribute("aff4:user/password", CryptedPassword, "Encrypted Password for the user")
class SchemaCls(VFSFile.SchemaCls): """The schema for Blob Images.""" HASHES = aff4.Attribute("aff4:hashes", standard.HashList, "List of hashes of each chunk in this file.") FINALIZED = aff4.Attribute("aff4:finalized", rdfvalue.RDFBool, "Once a blobimage is finalized, further writes" " will raise exceptions.")
class SchemaCls(aff4.AFF4Volume.SchemaCls): """Attributes specific to VFSDirectory.""" STAT = aff4.Attribute("aff4:stat", rdf_client.StatEntry, "A StatEntry describing this file.", "stat") PATHSPEC = aff4.Attribute( "aff4:pathspec", rdf_paths.PathSpec, "The pathspec used to retrieve this object from the client.", "pathspec")
class SchemaCls(Approval.SchemaCls): """The Schema for the ClientAccessApproval class.""" LIFETIME = aff4.Attribute( "aff4:approval/lifetime", rdfvalue.RDFInteger, "The number of seconds an approval is valid for.", default=0) BREAK_GLASS = aff4.Attribute( "aff4:approval/breakglass", rdfvalue.RDFDatetime, "The date when this break glass approval will expire.")
class SchemaCls(aff4.AFF4Image.SchemaCls): """The schema for AFF4 files in the GRR VFS.""" STAT = standard.VFSDirectory.SchemaCls.STAT CONTENT_LOCK = aff4.Attribute( "aff4:content_lock", rdfvalue.RDFURN, "This lock contains a URN pointing to the flow that is currently " "updating this flow.") PATHSPEC = aff4.Attribute( "aff4:pathspec", rdf_paths.PathSpec, "The pathspec used to retrieve this object from the client.")
class SchemaCls(aff4.AFF4Object.SchemaCls): """SchemaCls.""" FILESTORE_FILETYPES = aff4.Attribute( "aff4:stats/filestore/filetypes", stats.Graph, "Number of files in the filestore by type") FILESTORE_FILETYPES_SIZE = aff4.Attribute( "aff4:stats/filestore/filetypes_size", stats.GraphFloat, "Total filesize in GB of files in the filestore by type") FILESTORE_FILESIZE_HISTOGRAM = aff4.Attribute( "aff4:stats/filestore/filesize", stats.Graph, "Filesize histogram of files in the filestore")
class SchemaCls(aff4.AFF4Object.SchemaCls): """Attributes specific to VFSDirectory.""" RULES = aff4.Attribute("aff4:rules", foreman_rules.ForemanRules, "The rules the foreman uses.", versioned=False, creates_new_object_version=False, default=foreman_rules.ForemanRules())
class SchemaCls(aff4.AFF4ImageBase.SchemaCls): """The schema class for AFF4SparseImage.""" PATHSPEC = VFSDirectory.SchemaCls.PATHSPEC STAT = VFSDirectory.SchemaCls.STAT _CHUNKSIZE = aff4.Attribute("aff4:chunksize", rdfvalue.RDFInteger, "Total size of each chunk.", default=512 * 1024) LAST_CHUNK = aff4.Attribute( "aff4:lastchunk", rdfvalue.RDFInteger, "The highest numbered chunk in this object.", default=-1)
class SchemaCls(aff4.AFF4Stream.SchemaCls): FILE_ID = aff4.Attribute("aff4:file_id", rdfvalue.RDFString, "This string uniquely identifies a " "file stored in the file store. Passing " "this id to the file store grants read " "access to the corresponding data.") STAT = standard.VFSDirectory.SchemaCls.STAT
class SchemaCls(aff4.AFF4Object.SchemaCls): """Schema for StatsStoreProcessData.""" METRICS_METADATA = aff4.Attribute( "aff4:stats_store_process_data/metrics_metadata", stats_values.StatsStoreMetricsMetadata, creates_new_object_version=False, versioned=False)
class SchemaCls(aff4.AFF4Object.SchemaCls): """Schema for GlobalNotificationsManager.""" NOTIFICATIONS = aff4.Attribute( "aff4:global_notification_storage/notifications", GlobalNotificationSet, "List of currently active notifications", versioned=False)
class SchemaCls(aff4.AFF4Object.SchemaCls): """The Schema for the Approval class.""" REQUESTOR = aff4.Attribute("aff4:approval/requestor", rdfvalue.RDFString, "Requestor of the approval.") APPROVER = aff4.Attribute("aff4:approval/approver", rdfvalue.RDFString, "An approver for the request.", "approver") SUBJECT = aff4.Attribute( "aff4:approval/subject", rdfvalue.RDFURN, "Subject of the approval. I.e. the resource that " "requires approved access.") REASON = aff4.Attribute("aff4:approval/reason", rdfvalue.RDFString, "The reason for requesting access to this client.") EMAIL_MSG_ID = aff4.Attribute( "aff4:approval/email_msg_id", rdfvalue.RDFString, "The email thread message ID for this" "approval. Storing this allows for " "conversation threading.") EMAIL_CC = aff4.Attribute( "aff4:approval/email_cc", rdfvalue.RDFString, "Comma separated list of email addresses to " "CC on approval emails.") NOTIFIED_USERS = aff4.Attribute( "aff4:approval/notified_users", rdfvalue.RDFString, "Comma-separated list of GRR users " "notified about this approval.")
class SchemaCls(aff4.AFF4Object.SchemaCls): """Schema for ClientFleetStats object.""" GRRVERSION_HISTOGRAM = aff4.Attribute( "aff4:stats/grrversion", stats.GraphSeries, "GRR version statistics for active " "clients.") OS_HISTOGRAM = aff4.Attribute( "aff4:stats/os_type", stats.GraphSeries, "Operating System statistics for active clients.") RELEASE_HISTOGRAM = aff4.Attribute( "aff4:stats/release", stats.GraphSeries, "Release statistics for active clients.") LAST_CONTACTED_HISTOGRAM = aff4.Attribute("aff4:stats/last_contacted", stats.Graph, "Last contacted time")
class SchemaCls(FileStoreImage.SchemaCls): """Schema class for NSRLFile.""" # We do not need child indexes since the NSRL database is quite big. ADD_CHILD_INDEX = False # Make the default SIZE argument as unversioned. SIZE = aff4.Attribute( "aff4:size", rdfvalue.RDFInteger, "The total size of available data for this stream.", "size", default=0, versioned=False) TYPE = aff4.Attribute( "aff4:type", rdfvalue.RDFString, "The name of the AFF4Object derived class.", "type", versioned=False) NSRL = aff4.Attribute( "aff4:nsrl", rdf_nsrl.NSRLInformation, versioned=False)
class SchemaCls(aff4.AFF4Volume.SchemaCls): """Attributes specific to GRRFlow.""" FLOW_STATE_DICT = aff4.Attribute("aff4:flow_state_dict", rdf_protodict.AttributedDict, "The current state of this flow.", "FlowStateDict", versioned=False, creates_new_object_version=False) FLOW_ARGS = aff4.Attribute("aff4:flow_args", rdf_protodict.EmbeddedRDFValue, "The arguments for this flow.", "FlowArgs", versioned=False, creates_new_object_version=False) FLOW_CONTEXT = aff4.Attribute("aff4:flow_context", rdf_flows.FlowContext, "The metadata for this flow.", "FlowContext", versioned=False, creates_new_object_version=False) FLOW_RUNNER_ARGS = aff4.Attribute( "aff4:flow_runner_args", rdf_flows.FlowRunnerArgs, "The runner arguments used for this flow.", "FlowRunnerArgs", versioned=False, creates_new_object_version=False) NOTIFICATION = aff4.Attribute("aff4:notification", rdf_flows.Notification, "Notifications for the flow.") CLIENT_CRASH = aff4.Attribute( "aff4:client_crash", rdf_client.ClientCrash, "Client crash details in case of a crash.", default=None, creates_new_object_version=False) PENDING_TERMINATION = aff4.Attribute( "aff4:pending_termination", PendingFlowTermination, "If true, this flow will be " "terminated as soon as any of its " "states are called.", creates_new_object_version=False)
class SchemaCls(aff4.AFF4Volume.SchemaCls): """Schema for CronJob AFF4 object.""" CRON_ARGS = aff4.Attribute("aff4:cron/args", rdf_cronjobs.CreateCronJobFlowArgs, "This cron jobs' arguments.") DISABLED = aff4.Attribute( "aff4:cron/disabled", rdfvalue.RDFBool, "If True, don't run this job.", versioned=False) CURRENT_FLOW_URN = aff4.Attribute( "aff4:cron/current_flow_urn", rdfvalue.RDFURN, "URN of the currently running flow corresponding to this cron job.", versioned=False, lock_protected=True) LAST_RUN_TIME = aff4.Attribute( "aff4:cron/last_run", rdfvalue.RDFDatetime, "The last time this cron job ran.", "last_run", versioned=False, lock_protected=True) LAST_RUN_STATUS = aff4.Attribute( "aff4:cron/last_run_status", rdf_cronjobs.CronJobRunStatus, "Result of the last flow", lock_protected=True, creates_new_object_version=False) STATE_DICT = aff4.Attribute( "aff4:cron/state_dict", rdf_protodict.AttributedDict, "Cron flow state that is kept between iterations", lock_protected=True, versioned=False)
class SchemaCls(aff4.AFF4Volume.SchemaCls): ACTIVE = aff4.Attribute( "aff4:filestore_active", rdfvalue.RDFBool, "If true this filestore is active.", default=True)
class SchemaCls(standard.VFSDirectory.SchemaCls): STATS = aff4.Attribute("aff4:stats", rdf_client.ClientStats, "Client Stats.", "Client stats", creates_new_object_version=False)
class SchemaCls(standard.VFSDirectory.SchemaCls): """The schema for the client.""" client_index = rdfvalue.RDFURN("aff4:/index/client") FLEETSPEAK_ENABLED = aff4.Attribute( "metadata:IsFleetspeak", rdfvalue.RDFBool, "Whether this client uses Fleetspeak for comms.") CERT = aff4.Attribute("metadata:cert", rdf_crypto.RDFX509Cert, "The PEM encoded cert of the client.") FILESYSTEM = aff4.Attribute("aff4:filesystem", rdf_client.Filesystems, "Filesystems on the client.") CLIENT_INFO = aff4.Attribute("metadata:ClientInfo", rdf_client.ClientInformation, "GRR client information", "GRR client", default=rdf_client.ClientInformation()) LAST_BOOT_TIME = aff4.Attribute("metadata:LastBootTime", rdfvalue.RDFDatetime, "When the machine was last booted", "BootTime") FIRST_SEEN = aff4.Attribute( "metadata:FirstSeen", rdfvalue.RDFDatetime, "First time the client registered with us", "FirstSeen") # Information about the host. HOSTNAME = aff4.Attribute("metadata:hostname", rdfvalue.RDFString, "Hostname of the host.", "Host", index=client_index) FQDN = aff4.Attribute("metadata:fqdn", rdfvalue.RDFString, "Fully qualified hostname of the host.", "FQDN", index=client_index) SYSTEM = aff4.Attribute("metadata:system", rdfvalue.RDFString, "Operating System class.", "System") UNAME = aff4.Attribute("metadata:uname", rdfvalue.RDFString, "Uname string.", "Uname") OS_RELEASE = aff4.Attribute("metadata:os_release", rdfvalue.RDFString, "OS Major release number.", "Release") OS_VERSION = aff4.Attribute("metadata:os_version", rdf_client.VersionString, "OS Version number.", "Version") # ARCH values come from platform.uname machine value, e.g. x86_64, AMD64. ARCH = aff4.Attribute("metadata:architecture", rdfvalue.RDFString, "Architecture.", "Architecture") INSTALL_DATE = aff4.Attribute("metadata:install_date", rdfvalue.RDFDatetime, "Install Date.", "Install") # The knowledge base is used for storing data about the host and users. # This is currently a slightly odd object as we only use some of the fields. # The proto itself is used in Artifact handling outside of GRR (e.g. Plaso). # Over time we will migrate fields into this proto, but for now it is a mix. KNOWLEDGE_BASE = aff4.Attribute("metadata:knowledge_base", rdf_client.KnowledgeBase, "Artifact Knowledge Base", "KnowledgeBase") GRR_CONFIGURATION = aff4.Attribute( "aff4:client_configuration", rdf_protodict.Dict, "Running configuration for the GRR client.", "Config") LIBRARY_VERSIONS = aff4.Attribute( "aff4:library_versions", rdf_protodict.Dict, "Running library versions for the client.", "Libraries") USERNAMES = aff4.Attribute("aff4:user_names", SpaceSeparatedStringArray, "A space separated list of system users.", "Usernames", index=client_index) # This information is duplicated from the INTERFACES attribute but is done # to allow for fast searching by mac address. MAC_ADDRESS = aff4.Attribute("aff4:mac_addresses", rdfvalue.RDFString, "A hex encoded MAC address.", "MAC", index=client_index) KERNEL = aff4.Attribute("aff4:kernel_version", rdfvalue.RDFString, "Kernel version string.", "KernelVersion") # Same for IP addresses. HOST_IPS = aff4.Attribute("aff4:host_ips", rdfvalue.RDFString, "An IP address.", "Host_ip", index=client_index) PING = aff4.Attribute( "metadata:ping", rdfvalue.RDFDatetime, "The last time the server heard from this client.", "LastCheckin", versioned=False, default=0) CLOCK = aff4.Attribute("metadata:clock", rdfvalue.RDFDatetime, "The last clock read on the client " "(Can be used to estimate client clock skew).", "Clock", versioned=False) CLIENT_IP = aff4.Attribute( "metadata:client_ip", rdfvalue.RDFString, "The ip address this client connected from.", "Client_ip", versioned=False) # This is the last foreman rule that applied to us LAST_FOREMAN_TIME = aff4.Attribute( "aff4:last_foreman_time", rdfvalue.RDFDatetime, "The last time the foreman checked us.", versioned=False) LAST_CRASH = aff4.Attribute("aff4:last_crash", rdf_client.ClientCrash, "Last client crash.", creates_new_object_version=False, versioned=False) VOLUMES = aff4.Attribute("aff4:volumes", rdf_client.Volumes, "Client disk volumes.") INTERFACES = aff4.Attribute("aff4:interfaces", rdf_client.Interfaces, "Network interfaces.", "Interfaces") HARDWARE_INFO = aff4.Attribute("aff4:hardware_info", rdf_client.HardwareInfo, "Various hardware information.", default=rdf_client.HardwareInfo()) MEMORY_SIZE = aff4.Attribute( "aff4:memory_size", rdfvalue.ByteSize, "Amount of memory this client's machine has.") # Cloud VM information. CLOUD_INSTANCE = aff4.Attribute("metadata:cloud_instance", cloud.CloudInstance, "Information about cloud machines.")
class SchemaCls(VFSFile.SchemaCls): DELEGATE = aff4.Attribute("aff4:delegate", rdfvalue.RDFURN, "The URN of the delegate of this object.")
def CreateClientObject(self, vfs_fixture): """Make a new client object.""" # First remove the old fixture just in case its still there. aff4.FACTORY.Delete(self.client_id, token=self.token) # Create the fixture at a fixed time. with test_lib.FakeTime(self.age): for path, (aff4_type, attributes) in vfs_fixture: path %= self.args aff4_object = aff4.FACTORY.Create( self.client_id.Add(path), aff4_type, mode="rw", token=self.token) for attribute_name, value in attributes.items(): attribute = aff4.Attribute.PREDICATES[attribute_name] if isinstance(value, (str, unicode)): # Interpolate the value value %= self.args # Is this supposed to be an RDFValue array? if aff4.issubclass(attribute.attribute_type, rdf_protodict.RDFValueArray): rdfvalue_object = attribute() for item in value: new_object = rdfvalue_object.rdf_type.FromTextFormat( utils.SmartStr(item)) rdfvalue_object.Append(new_object) # It is a text serialized protobuf. elif aff4.issubclass(attribute.attribute_type, rdf_structs.RDFProtoStruct): # Use the alternate constructor - we always write protobufs in # textual form: rdfvalue_object = attribute.attribute_type.FromTextFormat( utils.SmartStr(value)) elif aff4.issubclass(attribute.attribute_type, rdfvalue.RDFInteger): rdfvalue_object = attribute(int(value)) else: rdfvalue_object = attribute(value) # If we don't already have a pathspec, try and get one from the stat. if aff4_object.Get(aff4_object.Schema.PATHSPEC) is None: # If the attribute was a stat, it has a pathspec nested in it. # We should add that pathspec as an attribute. if attribute.attribute_type == rdf_client.StatEntry: stat_object = attribute.attribute_type.FromTextFormat( utils.SmartStr(value)) if stat_object.pathspec: pathspec_attribute = aff4.Attribute( "aff4:pathspec", rdf_paths.PathSpec, "The pathspec used to retrieve " "this object from the client.", "pathspec") aff4_object.AddAttribute(pathspec_attribute, stat_object.pathspec) if attribute in ["aff4:content", "aff4:content"]: # For AFF4MemoryStreams we need to call Write() instead of # directly setting the contents.. aff4_object.Write(rdfvalue_object) else: aff4_object.AddAttribute(attribute, rdfvalue_object) # Populate the KB from the client attributes. if aff4_type == aff4_grr.VFSGRRClient: kb = rdf_client.KnowledgeBase() artifact.SetCoreGRRKnowledgeBaseValues(kb, aff4_object) aff4_object.Set(aff4_object.Schema.KNOWLEDGE_BASE, kb) # Make sure we do not actually close the object here - we only want to # sync back its attributes, not run any finalization code. aff4_object.Flush() if aff4_type == aff4_grr.VFSGRRClient: index = client_index.CreateClientIndex(token=self.token) index.AddClient(aff4_object)
def CreateClientObject(self, vfs_fixture): """Make a new client object.""" # First remove the old fixture just in case its still there. aff4.FACTORY.Delete(self.client_id, token=self.token) # Create the fixture at a fixed time. with test_lib.FakeTime(self.age): for path, (aff4_type, attributes) in vfs_fixture: path %= self.args aff4_object = aff4.FACTORY.Create(self.client_id.Add(path), aff4_type, mode="rw", token=self.token) if data_store.RelationalDBWriteEnabled(): data_store.REL_DB.WriteClientMetadata( self.client_id.Basename(), fleetspeak_enabled=False) components = [ component for component in path.split("/") if component ] if components[0:2] == ["fs", "os"]: path_info = rdf_objects.PathInfo() path_info.path_type = rdf_objects.PathInfo.PathType.OS path_info.components = components[2:] if aff4_type in [ aff4_grr.VFSFile, aff4_grr.VFSMemoryFile ]: path_info.directory = False elif aff4_type == aff4_standard.VFSDirectory: path_info.directory = True else: raise ValueError("Incorrect AFF4 type: %s" % aff4_type) data_store.REL_DB.WritePathInfos( client_id=self.client_id.Basename(), path_infos=[path_info]) for attribute_name, value in attributes.items(): attribute = aff4.Attribute.PREDICATES[attribute_name] if isinstance(value, (str, unicode)): # Interpolate the value value %= self.args # Is this supposed to be an RDFValue array? if aff4.issubclass(attribute.attribute_type, rdf_protodict.RDFValueArray): rdfvalue_object = attribute() for item in value: new_object = rdfvalue_object.rdf_type.FromTextFormat( utils.SmartStr(item)) rdfvalue_object.Append(new_object) # It is a text serialized protobuf. elif aff4.issubclass(attribute.attribute_type, rdf_structs.RDFProtoStruct): # Use the alternate constructor - we always write protobufs in # textual form: rdfvalue_object = attribute.attribute_type.FromTextFormat( utils.SmartStr(value)) elif aff4.issubclass(attribute.attribute_type, rdfvalue.RDFInteger): rdfvalue_object = attribute(int(value)) else: rdfvalue_object = attribute(value) # If we don't already have a pathspec, try and get one from the stat. if aff4_object.Get(aff4_object.Schema.PATHSPEC) is None: # If the attribute was a stat, it has a pathspec nested in it. # We should add that pathspec as an attribute. if attribute.attribute_type == rdf_client.StatEntry: stat_object = attribute.attribute_type.FromTextFormat( utils.SmartStr(value)) if stat_object.pathspec: pathspec_attribute = aff4.Attribute( "aff4:pathspec", rdf_paths.PathSpec, "The pathspec used to retrieve " "this object from the client.", "pathspec") aff4_object.AddAttribute( pathspec_attribute, stat_object.pathspec) if attribute in ["aff4:content", "aff4:content"]: # For AFF4MemoryStreams we need to call Write() instead of # directly setting the contents.. aff4_object.Write(rdfvalue_object) else: aff4_object.AddAttribute(attribute, rdfvalue_object) if (isinstance(rdfvalue_object, rdf_client.StatEntry) and rdfvalue_object.pathspec.pathtype != "UNSET"): if data_store.RelationalDBWriteEnabled(): client_id = self.client_id.Basename() path_info = rdf_objects.PathInfo.FromStatEntry( rdfvalue_object) data_store.REL_DB.WritePathInfos( client_id, [path_info]) # Populate the KB from the client attributes. if aff4_type == aff4_grr.VFSGRRClient: kb = rdf_client.KnowledgeBase() artifact.SetCoreGRRKnowledgeBaseValues(kb, aff4_object) aff4_object.Set(aff4_object.Schema.KNOWLEDGE_BASE, kb) # Make sure we do not actually close the object here - we only want to # sync back its attributes, not run any finalization code. aff4_object.Flush() if aff4_type == aff4_grr.VFSGRRClient: index = client_index.CreateClientIndex(token=self.token) index.AddClient(aff4_object)
class SchemaCls(standard.VFSDirectory.SchemaCls): KNOWLEDGE_BASE = aff4.Attribute("metadata:temp_knowledge_base", rdf_client.KnowledgeBase, "Artifact Knowledge Base", "KnowledgeBase")
class SchemaCls(aff4.AFF4Object.SchemaCls): PROFILE = aff4.Attribute("aff4:profile", rdf_rekall_types.RekallProfile, "A Rekall profile.")