dissect.target.plugins.os.unix.log.auth

Module Contents

Classes

BaseService

Helper class that provides a standard way to create an ABC using inheritance.

SudoService

Parsing of sudo service messages in the auth log.

SshdService

Class for parsing sshd messages in the auth log.

SystemdLogindService

Class for parsing systemd-logind messages in the auth log.

SuService

Class for parsing su messages in the auth log.

PkexecService

Class for parsing pkexec messages in the auth log.

PamUnixService

Helper class that provides a standard way to create an ABC using inheritance.

AuthLogRecordBuilder

Class for dynamically creating auth log records.

AuthPlugin

Unix authentication log plugin.

Functions

iso_readlines

Iterator reading the provided auth log file in ISO format. Mimics year_rollover_helper behaviour.

is_iso_fmt

Determine if the provided auth log file uses new ISO format logging or not.

Attributes

dissect.target.plugins.os.unix.log.auth.log
dissect.target.plugins.os.unix.log.auth.RE_TS
dissect.target.plugins.os.unix.log.auth.RE_TS_ISO
dissect.target.plugins.os.unix.log.auth.RE_LINE
dissect.target.plugins.os.unix.log.auth.RE_IPV4_ADDRESS
dissect.target.plugins.os.unix.log.auth.RE_USER
class dissect.target.plugins.os.unix.log.auth.BaseService

Bases: abc.ABC

Helper class that provides a standard way to create an ABC using inheritance.

classmethod parse(message: str) dict[str, any]
Abstractmethod:

class dissect.target.plugins.os.unix.log.auth.SudoService

Bases: BaseService

Parsing of sudo service messages in the auth log.

RE_SUDO_COMMAND
classmethod parse(message: str) dict[str, str]

Parse auth log message from sudo.

class dissect.target.plugins.os.unix.log.auth.SshdService

Bases: BaseService

Class for parsing sshd messages in the auth log.

RE_SSHD_PORTREGEX
RE_USER
classmethod parse(message: str) dict[str, str | int]

Parse auth log message from sshd.

class dissect.target.plugins.os.unix.log.auth.SystemdLogindService

Bases: BaseService

Class for parsing systemd-logind messages in the auth log.

RE_SYSTEMD_LOGIND_WATCHING
classmethod parse(message: str)

Parse auth log message from systemd-logind.

class dissect.target.plugins.os.unix.log.auth.SuService

Bases: BaseService

Class for parsing su messages in the auth log.

RE_SU_BY
RE_SU_ON
RE_SU_COMMAND
classmethod parse(message: str) dict[str, str]

class dissect.target.plugins.os.unix.log.auth.PkexecService

Bases: BaseService

Class for parsing pkexec messages in the auth log.

RE_PKEXEC_COMMAND
classmethod parse(message: str) dict[str, str]

Parse auth log message from pkexec.

class dissect.target.plugins.os.unix.log.auth.PamUnixService

Bases: BaseService

Helper class that provides a standard way to create an ABC using inheritance.

RE_PAM_UNIX
classmethod parse(message)

Parse auth log message from pluggable authentication modules (PAM).
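The per-service classes above each take only the message part of a line (the text after "daemon[pid]: ") and return a dict of fields. The following is an added example, not dissect.target's own code: it shows how such parsers look for sudo, sshd, su, pkexec and pam_unix and how a dispatcher chooses one by daemon name. The regexes, field names and the sample messages are this example's own constructions and differ from the plugin's; note that pam_unix lines are logged under the calling daemon's name (e.g. sshd), so they are recognised by prefix before the daemon lookup.

```python
import re

# Regexes are this example's own; the plugin's RE_SUDO_COMMAND, RE_PAM_UNIX etc. differ.
RE_SUDO = re.compile(
    r"^\s*(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>.*?)\s*;"
    r"\s*USER=(?P<effective_user>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)
RE_SSHD_AUTH = re.compile(
    r"^(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?P<invalid>invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<remote_ip>\S+)\s+port\s+(?P<remote_port>\d+)"
)
RE_SU_TO = re.compile(r"\(to\s+(?P<target>\S+)\)\s+(?P<user>\S+)\s+on\s+(?P<tty>\S+)")
RE_SU_BY = re.compile(r"^Successful su for\s+(?P<target>\S+)\s+by\s+(?P<user>\S+)")
RE_PKEXEC = re.compile(
    r"^(?P<user>\S+):\s+Executing command\s+\[USER=(?P<effective_user>[^\]]*)\]"
    r"\s+\[TTY=(?P<tty>[^\]]*)\]\s+\[CWD=(?P<cwd>[^\]]*)\]\s+\[COMMAND=(?P<command>.*)\]$"
)
RE_PAM_UNIX = re.compile(r"^pam_unix\((?P<service>[^:]+):(?P<module_type>[^)]+)\):\s*(?P<rest>.*)$")
RE_PAM_KV = re.compile(r"(\w+)=([^\s)]*)")
RE_PAM_USER = re.compile(r"for user\s+(?P<user>[^\s(]+)")  # handles both "root" and "root(uid=0)"


def parse_sudo(message: str) -> dict:
    m = RE_SUDO.match(message)
    return m.groupdict() if m else {}


def parse_sshd(message: str) -> dict:
    m = RE_SSHD_AUTH.match(message)
    if not m:
        return {}
    return {
        "result": m["result"].lower(),
        "method": m["method"],
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,  # "invalid user" marks an unknown account
        "remote_ip": m["remote_ip"],
        "remote_port": int(m["remote_port"]),
    }


def parse_su(message: str) -> dict:
    if m := RE_SU_BY.match(message):
        return {"result": "success", "target": m["target"], "user": m["user"]}
    if m := RE_SU_TO.search(message):
        result = "failed" if message.startswith("FAILED") else "attempt"
        return {"result": result, **m.groupdict()}
    return {}


def parse_pkexec(message: str) -> dict:
    m = RE_PKEXEC.match(message)
    return m.groupdict() if m else {}


def parse_pam_unix(message: str) -> dict:
    m = RE_PAM_UNIX.match(message)
    if not m:
        return {}
    rest = m["rest"]
    fields = {"pam_service": m["service"], "pam_type": m["module_type"]}
    if um := RE_PAM_USER.search(rest):
        fields["user"] = um["user"]
    if "session opened" in rest:
        fields["event"] = "session_opened"
    elif "session closed" in rest:
        fields["event"] = "session_closed"
    elif "authentication failure" in rest:
        fields["event"] = "auth_failure"
    # key=value pairs such as "rhost=192.0.2.10 user=admin"; empty values are dropped
    for key, value in RE_PAM_KV.findall(rest):
        if value:
            fields.setdefault(key, value)
    return fields


SERVICES = {"sudo": parse_sudo, "sshd": parse_sshd, "su": parse_su, "pkexec": parse_pkexec}


def parse_message(daemon: str, message: str) -> dict:
    """Pick a parser by daemon name; pam_unix is checked first because its
    lines carry the calling daemon's name, not "pam_unix"."""
    if message.startswith("pam_unix("):
        return parse_pam_unix(message)
    parser = SERVICES.get(daemon)
    return parser(message) if parser else {}


# Constructed sample messages (no real host); daemon prefix already stripped.
SAMPLES = [
    ("sudo", "    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update"),
    ("sshd", "Failed password for invalid user admin from 192.0.2.10 port 4444 ssh2"),
    ("sshd", "pam_unix(sshd:session): session opened for user root(uid=0) by alice(uid=1000)"),
    ("su", "FAILED SU (to root) alice on pts/0"),
    ("pkexec", "alice: Executing command [USER=root] [TTY=unknown] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart sshd]"),
]

if __name__ == "__main__":
    for daemon, message in SAMPLES:
        print(daemon, parse_message(daemon, message))
```

Parsers return an empty dict for messages they do not understand, so an unrecognised line still yields a record with the raw message and no extra fields rather than being dropped; that is the safer choice for forensic tooling, where a line you cannot parse may be exactly the one an analyst needs to see.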

class dissect.target.plugins.os.unix.log.auth.AuthLogRecordBuilder(target: dissect.target.Target)

Class for dynamically creating auth log records.

RECORD_NAME = 'linux/log/auth'
SERVICES: dict[str, BaseService]
target
build_record(ts: datetime.datetime, source: pathlib.Path, line: str) dissect.target.helpers.record.TargetRecordDescriptor

Builds an AuthLog event record.

class dissect.target.plugins.os.unix.log.auth.AuthPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Unix authentication log plugin.

check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

authlog() Iterator[Any]

Yield contents of /var/log/auth.log* and /var/log/secure* files.

Order of returned events is not guaranteed to be chronological because of the year rollover detection applied to log files whose timestamps carry no year.

The following timestamp formats are recognised automatically. This plugin assumes that no custom date_format template is set in the syslog-ng or systemd configuration (the default is the strftime pattern %b %d %H:%M:%S, i.e. "Jan 12 13:37:00").

ISO formatted auth log entries, as found in Ubuntu 24.04 and later, are parsed as well.

CentOS format: Jan 12 13:37:00 hostname daemon: message
Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
Ubuntu  24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message
Resources:
dissect.target.plugins.os.unix.log.auth.iso_readlines(file: pathlib.Path) Iterator[tuple[datetime.datetime, str]]

Iterator reading the provided auth log file in ISO format. Mimics year_rollover_helper behaviour.

dissect.target.plugins.os.unix.log.auth.is_iso_fmt(file: pathlib.Path) bool

Determine if the provided auth log file uses new ISO format logging or not.