Giters

google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page:https://grr-doc.readthedocs.io/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

BigQuery exporter does not export ProgramArguments in Plist results

anttitikkanen opened this issue · comments

commented

When using the BigQuery exporter to export hunt results that contain MacOs plist entries, the "ProgramArguments" field will be missing (

grr/grr/proto/grr_response_proto/sysinfo.proto

Line 768 in 8ad8a4d

repeated string ProgramArguments = 7;
).

I suppose this is due to not having a special converter for Plists, so the default converted ignores repeated fields? (

grr/grr/server/grr_response_server/export.py

Line 320 in 3adbc6b

NOTE: DataAgnosticExportConverter discards complex types: repeated
)

commented

Correct, an exporter for LaunchdPlist type has to be implemented. To do that, one would need to do the following:

  • Define an ExportedLaunchdPlist protobuf and a corresponding Python class. The proto must contain the field metadata of type ExportedMetadata and shouldn't contain repeated fields (it can contain nested fields, though).
  • Implement the exporter that would convert LaunchdPlist values into ExportedLaunchdPlist.