dissect.target.plugins.os.unix.log.audit#

Module Contents#

Classes#

AuditPlugin

Base class for plugins.

Attributes#

dissect.target.plugins.os.unix.log.audit.AuditRecord#
dissect.target.plugins.os.unix.log.audit.AUDIT_REGEX#
class dissect.target.plugins.os.unix.log.audit.AuditPlugin(target)#

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

check_compatible() None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_paths() list[pathlib.Path]#
audit() Iterator[AuditRecord]#

Return CentOS and RedHat audit information stored in /var/log/audit*.

The audit log file on a Linux machine stores security-relevant information. Based on pre-configured rules. Log messages consist of space delimited key=value pairs.

References