Add ModuleExecution and related data models#228
Conversation
fd6f050 to
a091880
Compare
| KINDS = %w[run check import direct_write].freeze | ||
|
|
||
| # Module types as exposed by Framework. | ||
| MODULE_TYPES = %w[exploit auxiliary post payload encoder evasion nop external].freeze |
There was a problem hiding this comment.
I don't think "external" is a module type in the same sense as the others. You can have for example an external exploit or auxiliary module that's implemented in Python. I would suggest removing it or tracking it as a flag so you can note something is an external-exploit, external-auxiliary, etc.
| # Terminal lifecycle states. `running` is the only non-terminal value | ||
| # and is permitted while {#ended_at} is `NULL`. | ||
| TERMINAL_STATUSES = %w[running success neutral expected_failure unhandled_exception].freeze |
There was a problem hiding this comment.
If unhandled_exception is the inverse of expected_failure, it might be more intuitive to track it as unexpected_failure.
There was a problem hiding this comment.
Let me give more details about these status:
expected_failure: the module explicitly declared failure viafail_with. It is an error the module author has anticipated with a properfailure_reason.unhandled_exception: a Ruby exception that escaped the module's rescue chain (NoMethodError,Rex::ConnectionErroroutside a rescue, etc.). The author did not anticipate this; there's anexception_classand backtrace.
So, unhandled_exception and expected_failure aren't strict inverses. For example, unhandled_exception will help answer question like "which modules are buggy?"
| MODULE_TYPES = %w[exploit auxiliary post payload encoder evasion nop external].freeze | ||
|
|
||
| # User interface or programmatic surface that initiated this execution. | ||
| ORIGINATING_UIS = %w[console rpc json_rpc mcp external import plugin autocheck].freeze |
There was a problem hiding this comment.
| ORIGINATING_UIS = %w[console rpc json_rpc mcp external import plugin autocheck].freeze | |
| ORIGINATORS = %w[console rpc json_rpc mcp external import plugin autocheck module].freeze |
I'd suggest adding 'module' as an originator to account for modules running other modules. Additionally since some of these aren't exactly user-interfaces, it may be better to use a slightly more generic name like ORIGINATORS vs ORIGINATING_UIS.
There was a problem hiding this comment.
You're right it's not accurate. I would prefer using ORIGINATING_INTERFACES, which is more programmatic. ORIGINATORS sounds like a user, which seems slighly wrong with things like autocheck. I'm also fine if you disagree, I'll change it to ORIGINATORS, no problem.
| # @!attribute [rw] updated_at | ||
| # Last time this event row was updated. | ||
| # | ||
| # @return [DateTime] |
There was a problem hiding this comment.
Events should be immutable, so let's remove the updated_at column so once it's created, it stays the same.
| # @!attribute [rw] updated_at | |
| # Last time this event row was updated. | |
| # | |
| # @return [DateTime] |
| # @!attribute [rw] updated_at | ||
| # Last time this error row was updated. | ||
| # | ||
| # @return [DateTime] | ||
|
|
There was a problem hiding this comment.
This should also be immutable.
| # @!attribute [rw] updated_at | |
| # Last time this error row was updated. | |
| # | |
| # @return [DateTime] |
There was a problem hiding this comment.
Yes, this makes no sense for Error and Events. I removed these fields. Thanks!
This adds ModuleExecution, ModuleExecutionError and ModuleExecutionEvent data models as part of the reporting refactor in Metasploit Framework.
(I'll update this description once the related PR in Framework is ready)