dissect.target.plugins.os.unix.log.utmp

Module Contents

Classes

UTMPRecord

UtmpFile

utmp maintains a full accounting of the current status of the system

UtmpPlugin

Unix utmp log plugin.

Attributes

dissect.target.plugins.os.unix.log.utmp.UTMP_FIELDS = [('datetime', 'ts'), ('string', 'ut_type'), ('string', 'ut_user'), ('varint', 'ut_pid'),...
dissect.target.plugins.os.unix.log.utmp.BtmpRecord
dissect.target.plugins.os.unix.log.utmp.WtmpRecord
dissect.target.plugins.os.unix.log.utmp.utmp_def = Multiline-String
"""
#define UT_LINESIZE     32
#define UT_NAMESIZE     32
#define UT_HOSTSIZE     256

typedef uint32 pid_t;

enum Type : uint8_t {
    EMPTY           = 0x0,
    RUN_LVL         = 0x1,
    BOOT_TIME       = 0x2,
    NEW_TIME        = 0x3,
    OLD_TIME        = 0x4,
    INIT_PROCESS    = 0x5,
    LOGIN_PROCESS   = 0x6,
    USER_PROCESS    = 0x7,
    DEAD_PROCESS    = 0x8,
    ACCOUNTING      = 0x9,
};

struct exit_status {
    uint16 e_termination;
    uint16 e_exit;
};

struct {
    uint32 tv_sec;
    uint32 tv_usec;
} timeval;

struct entry {
    uint32  ut_type;
    pid_t   ut_pid;
    char    ut_line[UT_LINESIZE];
    char    ut_id[4];
    char    ut_user[UT_NAMESIZE];
    char    ut_host[UT_HOSTSIZE];
    struct  exit_status ut_exit;
    long    ut_session;
    struct  timeval ut_tv;
    int32_t ut_addr_v6[4];         // Internet address of remote host; IPv4 address uses just ut_addr_v6[0]
    char    __unused[20];
};
"""
dissect.target.plugins.os.unix.log.utmp.c_utmp
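As an added example (not code from dissect.target), the 384-byte entry layout from utmp_def above parsed with only the Python standard library, producing the same fields UTMPRecord exposes (ts, ut_type, ut_user, ut_pid, ut_line, ut_id, ut_host, ut_addr) so a raw utmp, wtmp or btmp file can be checked by hand. It assumes the little-endian glibc layout shown, with a 4-byte ut_session; the two sample entries are constructed, not captured from a real system.

```python
import ipaddress
import struct
from datetime import datetime, timezone
from typing import Optional

# Layout of one glibc utmp entry, transcribed from utmp_def: little-endian,
# 384 bytes. ut_addr_v6 is read as 16 raw bytes; the 20 unused bytes are skipped.
UTMP_STRUCT = struct.Struct("<II32s4s32s256sHHiII16s20x")
UTMP_RECORD_SIZE = UTMP_STRUCT.size  # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def _cstr(raw: bytes) -> str:
    """Decode a fixed-width, NUL-padded char array."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="surrogateescape")

def _addr(raw16: bytes) -> Optional[str]:
    """IPv4 occupies the first 4 bytes with the rest zero; otherwise it is a full IPv6."""
    if raw16 == bytes(16):
        return None
    if raw16[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))

def parse_utmp(data: bytes) -> list:
    """Parse utmp/wtmp/btmp bytes into one dict per entry; a trailing partial entry is dropped."""
    records = []
    for off in range(0, len(data) - UTMP_RECORD_SIZE + 1, UTMP_RECORD_SIZE):
        (ut_type, ut_pid, line, ut_id, user, host, _term, _exit, _sess,
         tv_sec, tv_usec, addr) = UTMP_STRUCT.unpack_from(data, off)
        records.append({
            "ts": datetime.fromtimestamp(tv_sec + tv_usec / 1e6, tz=timezone.utc),
            "ut_type": UT_TYPES.get(ut_type, f"UNKNOWN_{ut_type}"),
            "ut_user": _cstr(user), "ut_pid": ut_pid, "ut_line": _cstr(line),
            "ut_id": _cstr(ut_id), "ut_host": _cstr(host), "ut_addr": _addr(addr),
        })
    return records

def make_entry(ut_type, pid, line, ut_id, user, host, tv_sec, addr="") -> bytes:
    """Build one entry; used only to construct the sample input below (not real data)."""
    packed = ipaddress.ip_address(addr).packed if addr else b""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, packed.ljust(16, b"\x00"))

# Constructed sample: an interactive login (wtmp style) followed by a failed
# SSH login in the form sshd writes to btmp (LOGIN_PROCESS on line "ssh:notty").
SAMPLE_UTMP = (make_entry(7, 1234, "pts/0", "ts/0", "alice", "10.0.0.5", 1700000000, "10.0.0.5")
               + make_entry(6, 2001, "ssh:notty", "", "root", "192.0.2.10", 1700000060, "192.0.2.10"))
```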
class dissect.target.plugins.os.unix.log.utmp.UTMPRecord

Bases: tuple

ts
ut_type
ut_user
ut_pid
ut_line
ut_id
ut_host
ut_addr
class dissect.target.plugins.os.unix.log.utmp.UtmpFile(path: dissect.target.helpers.fsutil.TargetPath)

utmp maintains a full accounting of the current status of the system

fh
__iter__()
class dissect.target.plugins.os.unix.log.utmp.UtmpPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Unix utmp log plugin.

btmp_paths
wtmp_paths
utmp_paths
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

btmp() -> Iterator[BtmpRecord]

Return failed login attempts stored in the btmp file.

On a Linux system, failed login attempts are stored in the btmp file located in the var/log/ folder.


wtmp() -> Iterator[WtmpRecord]

Yield contents of wtmp log files.

The wtmp file contains the historical data of the utmp file. The utmp file records which users are logged in and on which terminals, logouts, system events, the current status of the system, the system boot time (used by uptime), etc.
