dissect.target.plugins.apps.container.docker#
Module Contents#
Classes#
Parse Docker Daemon artefacts. |
Functions#
Returns the configured Docker daemon data-root path. |
|
Attempt to find additional configured and existing Docker daemon data-root folders. |
|
Docker sometimes uses (unpadded) 9 digit nanosecond precision |
|
Depending on the state of the container (turned on or off) we |
|
Convert the hash to an abbrevated docker image id. |
|
Remove ANSI escape sequences from a given input string. |
Attributes#
- dissect.target.plugins.apps.container.docker.log#
- dissect.target.plugins.apps.container.docker.DockerContainerRecord#
- dissect.target.plugins.apps.container.docker.DockerImageRecord#
- dissect.target.plugins.apps.container.docker.DockerLogRecord#
- dissect.target.plugins.apps.container.docker.local_def = Multiline-String#
Show Value
""" struct entry { uint32 header; // source uint8 s_type; // 0x0a varint s_len; // 0x06 char source[s_len]; // stdout or stderr // timestamp uint8 t_type; // 0x10 varint ts; // timestamp in ums // message uint8 m_type; // 0x1a varint m_len; // message length char message[m_len]; // partial_log_metadata not implemented uint32 footer; }; """
- dissect.target.plugins.apps.container.docker.c_local#
- dissect.target.plugins.apps.container.docker.RE_DOCKER_NS#
- dissect.target.plugins.apps.container.docker.RE_ANSI_ESCAPE#
- dissect.target.plugins.apps.container.docker.ASCII_MAP#
- class dissect.target.plugins.apps.container.docker.DockerPlugin(target: dissect.target.target.Target)#
Bases:
dissect.target.plugin.PluginParse Docker Daemon artefacts.
References
https://didactic-security.com/resources/docker-forensics.pdf
https://didactic-security.com/resources/docker-forensics-cheatsheet.pdf
- __namespace__ = 'docker'#
- check_compatible() None#
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- images() Iterator[DockerImageRecord]#
Returns any pulled docker images on the target system.
- containers() Iterator[DockerContainerRecord]#
Returns any docker containers present on the target system.
- logs(raw_messages: bool = False, remove_backspaces: bool = False) Iterator[DockerLogRecord]#
Returns log files (stdout/stderr) from Docker containers.
The default Docker Daemon log driver is
json-file, which performs no log rotation. Another log driver islocaland performs log rotation and compresses log files more efficiently.Eventually
localwill likely replacejson-fileas the default log driver.
- dissect.target.plugins.apps.container.docker.get_data_path(path: pathlib.Path) str | None#
Returns the configured Docker daemon data-root path.
- dissect.target.plugins.apps.container.docker.find_installs(target: dissect.target.target.Target) Iterator[pathlib.Path]#
Attempt to find additional configured and existing Docker daemon data-root folders.
References
- dissect.target.plugins.apps.container.docker.convert_timestamp(timestamp: str) str#
Docker sometimes uses (unpadded) 9 digit nanosecond precision in their timestamp logs, eg. “2022-12-19T13:37:00.123456789Z”.
Python has no native %n nanosecond strptime directive, so we strip the last three digits from the timestamp to force compatbility with the 6 digit %f microsecond directive.
- dissect.target.plugins.apps.container.docker.convert_ports(ports: dict[str, list | dict]) dict#
Depending on the state of the container (turned on or off) we can salvage forwarded ports for the container in different parts of the config.v2.json file.
This function attempts to be agnostic and deals with “Ports” lists and “ExposedPorts” dicts.
NOTE: This function makes a couple of assumptions and ignores ipv6 assignments. Feel free to improve this helper function.
- dissect.target.plugins.apps.container.docker.hash_to_image_id(hash: str) str#
Convert the hash to an abbrevated docker image id.