dissect.target.plugins.os.unix.log.auth

Module Contents

Classes
- BaseService: Helper class that provides a standard way to create an ABC using inheritance.
- SudoService: Parsing of sudo service messages in the auth log.
- SshdService: Class for parsing sshd messages in the auth log.
- SystemdLogindService: Class for parsing systemd-logind messages in the auth log.
- SuService: Class for parsing su messages in the auth log.
- PkexecService: Class for parsing pkexec messages in the auth log.
- PamUnixService: Helper class that provides a standard way to create an ABC using inheritance.
- AuthLogRecordBuilder: Class for dynamically creating auth log records.
- AuthPlugin: Unix authentication log plugin.

Functions
- iso_readlines: Iterator reading the provided auth log file in ISO format. Mimics year_rollover_helper behaviour.
- is_iso_fmt: Determine if the provided auth log file uses new ISO format logging or not.

Attributes
- dissect.target.plugins.os.unix.log.auth.log
- dissect.target.plugins.os.unix.log.auth.RE_TS
- dissect.target.plugins.os.unix.log.auth.RE_TS_ISO
- dissect.target.plugins.os.unix.log.auth.RE_LINE
- dissect.target.plugins.os.unix.log.auth.RE_IPV4_ADDRESS
- dissect.target.plugins.os.unix.log.auth.RE_USER
- class dissect.target.plugins.os.unix.log.auth.BaseService
Bases: abc.ABC
Helper class that provides a standard way to create an ABC using inheritance.
  - classmethod parse(message: str) -> dict[str, any]
    Abstract method; each service subclass implements it for its own message format.

- class dissect.target.plugins.os.unix.log.auth.SudoService
Bases: BaseService
Parsing of sudo service messages in the auth log.
  - RE_SUDO_COMMAND
  - classmethod parse(message: str) -> dict[str, str]
    Parse auth log message from sudo.

- class dissect.target.plugins.os.unix.log.auth.SshdService
Bases: BaseService
Class for parsing sshd messages in the auth log.
  - RE_SSHD_PORTREGEX
  - RE_USER
  - classmethod parse(message: str) -> dict[str, str | int]
    Parse message from sshd.

- class dissect.target.plugins.os.unix.log.auth.SystemdLogindService
Bases: BaseService
Class for parsing systemd-logind messages in the auth log.
  - RE_SYSTEMD_LOGIND_WATCHING
  - classmethod parse(message: str)
    Parse auth log message from systemd-logind.

- class dissect.target.plugins.os.unix.log.auth.SuService
Bases: BaseService
Class for parsing su messages in the auth log.
  - RE_SU_BY
  - RE_SU_ON
  - RE_SU_COMMAND
  - classmethod parse(message: str) -> dict[str, str]

- class dissect.target.plugins.os.unix.log.auth.PkexecService
Bases: BaseService
Class for parsing pkexec messages in the auth log.
  - RE_PKEXEC_COMMAND
  - classmethod parse(message: str) -> dict[str, str]
    Parse auth log message from pkexec.

- class dissect.target.plugins.os.unix.log.auth.PamUnixService
Bases: BaseService
Helper class that provides a standard way to create an ABC using inheritance.
  - RE_PAM_UNIX
  - classmethod parse(message)
    Parse auth log message from pluggable authentication modules (PAM).
- class dissect.target.plugins.os.unix.log.auth.AuthLogRecordBuilder(target: dissect.target.Target)
Class for dynamically creating auth log records.
  - RECORD_NAME = 'linux/log/auth'
  - SERVICES: dict[str, BaseService]
  - target
  - build_record(ts: datetime.datetime, source: pathlib.Path, line: str) -> dissect.target.helpers.record.TargetRecordDescriptor
    Builds an AuthLog event record.
- class dissect.target.plugins.os.unix.log.auth.AuthPlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin
Unix authentication log plugin.
  - check_compatible() -> None
    Perform a compatibility check with the target.
    This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
    - Raises: UnsupportedPluginError – If the plugin could not be loaded.
  - authlog() -> Iterator[Any]
    Yield contents of /var/log/auth.log* and /var/log/secure* files.
    The order of returned events is not guaranteed to be chronological, because of the year rollover detection performed for log files whose timestamps carry no year.
    The following timestamp formats are recognised automatically. This plugin assumes that no custom date_format template is set in the syslog-ng or systemd configuration (the default is M d H:M:S). ISO formatted auth log entries, as found in Ubuntu 24.04 and later, are parsed as well.
    CentOS format: Jan 12 13:37:00 hostname daemon: message
    Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
    Ubuntu 24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message
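The three line layouts listed above, together with the kind of per-service field extraction that the SudoService, SshdService and PamUnixService classes perform, as an added Python example. This is illustrative code written for this page, not dissect.target's own implementation: the regular expressions, the function names (detect_iso_fmt, parse_service, parse_line, parse_log), the field names (runas, invalid, pam_service and so on) and the sample log lines are all constructed here. Legacy lines carry no year, so the example takes one from the caller instead of reproducing the plugin's year-rollover detection, and it treats legacy timestamps as UTC for lack of any zone information in the line.

```python
"""Recognise auth.log line layouts and extract fields from a few service messages.
Illustrative code only; not dissect.target's parser."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Legacy syslog header (CentOS/Debian layouts): no year, optional [pid].
RE_LEGACY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# ISO 8601 header as written by Ubuntu 24.04 and later (offset is kept).
RE_ISO = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<daemon>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Service message shapes assumed for this example (not the project's patterns).
RE_PAM_UNIX = re.compile(
    r"^pam_unix\((?P<pam_service>[^:]+):(?P<pam_type>[^)]+)\): (?P<detail>.*)$"
)
RE_SSHD = re.compile(
    r"^(?P<action>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
RE_SUDO = re.compile(
    r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)


def detect_iso_fmt(lines: list[str]) -> bool:
    """True when the first non-empty line carries an ISO timestamp header."""
    for line in lines:
        if line.strip():
            return RE_ISO.match(line) is not None
    return False


def parse_service(daemon: str, message: str) -> dict:
    """Extract structured fields from the message body of known services."""
    if m := RE_PAM_UNIX.match(message):  # pam_unix lines appear under any daemon
        return m.groupdict()
    if daemon == "sshd" and (m := RE_SSHD.match(message)):
        fields = m.groupdict()
        fields["invalid"] = fields["invalid"] is not None  # "invalid user" marker
        fields["port"] = int(fields["port"])
        return fields
    if daemon == "sudo" and (m := RE_SUDO.match(message)):
        return m.groupdict()
    return {}


def parse_line(line: str, year: int) -> dict | None:
    """Split one auth.log line into header fields plus a per-service sub-dict.

    Legacy lines have no year, so the caller supplies it (year-rollover
    detection is out of scope here); they are assumed to be in UTC.
    """
    if m := RE_ISO.match(line):
        ts = datetime.fromisoformat(m["ts"])
    elif m := RE_LEGACY.match(line):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
    else:
        return None
    return {
        "ts": ts,
        "host": m["host"],
        "daemon": m["daemon"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
        "service": parse_service(m["daemon"], m["msg"]),
    }


def parse_log(lines: list[str], year: int) -> list[dict]:
    """Parse every recognised line; lines in neither layout are skipped."""
    return [rec for rec in (parse_line(line, year) for line in lines) if rec]


# Constructed sample lines in the three layouts named in the plugin docstring.
SAMPLE_LEGACY = [
    "Jan 12 13:37:00 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 12 13:37:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Jan 12 13:37:05 host1 sudo[1240]: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)",
]
SAMPLE_ISO = [
    "2024-01-12T13:37:00.000000+02:00 host2 sshd[2345]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2",
]

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_ISO):
        print("ISO layout:", detect_iso_fmt(sample))
        for rec in parse_log(sample, year=2024):
            print(rec["ts"].isoformat(), rec["daemon"], rec["pid"], rec["service"])
```

The sudo line without a pid shows why the `[pid]` group must be optional, and the pam_unix check runs before the daemon dispatch because those lines are emitted under whichever service called PAM (sudo, sshd, su, cron), not by a daemon named pam_unix.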
- dissect.target.plugins.os.unix.log.auth.iso_readlines(file: pathlib.Path) -> Iterator[tuple[datetime.datetime, str]]
  Iterator reading the provided auth log file in ISO format. Mimics year_rollover_helper behaviour.
- dissect.target.plugins.os.unix.log.auth.is_iso_fmt(file: pathlib.Path) -> bool
  Determine if the provided auth log file uses new ISO format logging or not.