dissect.target.plugins.os.unix.log.utmp

Module Contents
Classes
- UtmpFile: utmp maintains a full accounting of the current status of the system
- UtmpPlugin: Base class for plugins.
Attributes
- dissect.target.plugins.os.unix.log.utmp.UTMP_FIELDS = [('datetime', 'ts'), ('string', 'ut_type'), ('string', 'ut_user'), ('varint', 'ut_pid'),...
- dissect.target.plugins.os.unix.log.utmp.BtmpRecord
- dissect.target.plugins.os.unix.log.utmp.WtmpRecord
- dissect.target.plugins.os.unix.log.utmp.c_utmp = Multiline-String
    """
    #define UT_LINESIZE     32
    #define UT_NAMESIZE     32
    #define UT_HOSTSIZE     256

    typedef uint32 pid_t;

    enum Type : char {
        EMPTY           = 0x0,
        RUN_LVL         = 0x1,
        BOOT_TIME       = 0x2,
        NEW_TIME        = 0x3,
        OLD_TIME        = 0x4,
        INIT_PROCESS    = 0x5,
        LOGIN_PROCESS   = 0x6,
        USER_PROCESS    = 0x7,
        DEAD_PROCESS    = 0x8,
        ACCOUNTING      = 0x9,
    };

    struct exit_status {
        uint16 e_termination;
        uint16 e_exit;
    };

    struct {
        uint32 tv_sec;
        uint32 tv_usec;
    } timeval;

    struct entry {
        uint32  ut_type;
        pid_t   ut_pid;
        char    ut_line[UT_LINESIZE];
        char    ut_id[4];
        char    ut_user[UT_NAMESIZE];
        char    ut_host[UT_HOSTSIZE];
        struct  exit_status ut_exit;
        long    ut_session;
        struct  timeval ut_tv;
        int32_t ut_addr_v6[4];  // Internet address of remote host; IPv4 address uses just ut_addr_v6[0]
        char    __unused[20];
    };
    """
- dissect.target.plugins.os.unix.log.utmp.utmp
- dissect.target.plugins.os.unix.log.utmp.UTMP_ENTRY
- class dissect.target.plugins.os.unix.log.utmp.UtmpFile(target: dissect.target.target.Target, path: dissect.target.helpers.fsutil.TargetPath)
utmp maintains a full accounting of the current status of the system
- __iter__()
- class dissect.target.plugins.os.unix.log.utmp.UtmpPlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin
Base class for plugins.
Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example.
A Plugin class has the following private class attributes:
- __namespace__
- __record_descriptors__
With the following three being assigned in register():
- __plugin__
- __functions__
- __exports__
Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.
The export() decorator adds the following private attributes:
- __exported__
- __output__: Set with the export() decorator.
- __record__: Set with the export() decorator.
The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.
Parameters: target – The Target object to load the plugin for.
- WTMP_GLOB = '/var/log/wtmp*'
- BTMP_GLOB = '/var/log/btmp*'
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises: UnsupportedPluginError – If the plugin could not be loaded.
- btmp() -> Iterator[BtmpRecord]
Return failed login attempts stored in the btmp file.
On a Linux system, failed login attempts are stored in the btmp file located in the /var/log/ folder.
- wtmp() -> Iterator[WtmpRecord]
Return the content of the wtmp log files.
The wtmp file contains the historical data of the utmp file. The utmp file contains information about user logins and the terminals they occurred on, logouts, system events, the current status of the system, system boot time (used by uptime), etc.
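An added example (not code from dissect.target): a standard-library parser for the `struct entry` layout in c_utmp above, run over two constructed btmp records followed by a truncated tail. It assumes little-endian records with a 4-byte `ut_session` (384 bytes per entry); the helper names and the `ut_addr` key are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Layout of `struct entry` in c_utmp, little-endian, ut_addr_v6 read as 16 raw bytes.
# Assumption: `long ut_session` is 4 bytes, which gives the 384-byte record
# glibc writes on x86-64 Linux.
ENTRY = struct.Struct("<II32s4s32s256sHHiII16s20s")
TYPES = ["EMPTY", "RUN_LVL", "BOOT_TIME", "NEW_TIME", "OLD_TIME", "INIT_PROCESS",
         "LOGIN_PROCESS", "USER_PROCESS", "DEAD_PROCESS", "ACCOUNTING"]


def text(raw: bytes) -> str:
    # Fields are NUL-padded; btmp user names are whatever the client sent,
    # so undecodable bytes are escaped instead of raising.
    return raw.split(b"\x00", 1)[0].decode("utf-8", "backslashreplace")


def parse_utmp(data: bytes):
    """Yield one dict per complete record; a truncated tail is skipped."""
    for off in range(0, len(data) - ENTRY.size + 1, ENTRY.size):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _session, sec, usec, addr, _unused) = ENTRY.unpack_from(data, off)
        yield {
            "ts": datetime.fromtimestamp(sec, timezone.utc) + timedelta(microseconds=usec),
            "ut_type": TYPES[ut_type] if ut_type < len(TYPES) else str(ut_type),
            "ut_user": text(user),
            "ut_pid": pid,
            "ut_line": text(line),
            "ut_host": text(host),
            # IPv4 uses only ut_addr_v6[0]; the remaining 12 bytes are zero.
            "ut_addr": ip_address(addr if any(addr[4:]) else addr[:4]),
        }


def sample(user: bytes, ipv4: str, sec: int) -> bytes:
    # Constructed LOGIN_PROCESS (0x6) record for the demo, not real log data.
    return ENTRY.pack(6, 4242, b"ssh:notty", b"", user, ipv4.encode(),
                      0, 0, 0, sec, 0, ip_address(ipv4).packed, b"")


SAMPLE_BTMP = (sample(b"root", "203.0.113.7", 1700000000)
               + sample(b"adm\xffin", "198.51.100.9", 1700000060)
               + b"\x06\x00\x00")  # truncated trailing record

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BTMP):
        print(rec["ts"].isoformat(), rec["ut_type"], rec["ut_user"], rec["ut_addr"])
```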