dissect.target.plugins.os.unix.log.audit

Module Contents

Classes

AuditPlugin

Unix audit log plugin.

Attributes

dissect.target.plugins.os.unix.log.audit.AuditRecord
dissect.target.plugins.os.unix.log.audit.AUDIT_REGEX
class dissect.target.plugins.os.unix.log.audit.AuditPlugin(target)

Bases: dissect.target.plugin.Plugin

Unix audit log plugin.

log_paths = []
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_paths() → list[pathlib.Path]
audit() → Iterator[AuditRecord]

Return CentOS and RedHat audit information stored in /var/log/audit*.

The audit log file on a Linux machine stores security-relevant information, based on pre-configured rules. Log messages consist of space-delimited key=value pairs.
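The key=value layout described above, as an added example that is not dissect's own code and does not use AUDIT_REGEX: a standalone parser that splits an auditd line into header and fields, including quoted values, nested msg='...' pairs and a hex-encoded proctitle. The names parse_pairs, parse_line and SAMPLE are hypothetical, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Record header: type=<TYPE> msg=audit(<epoch>.<millis>:<serial>): (3-digit millis assumed)
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
# key=value, where the value is double-quoted, single-quoted or a bare token.
PAIR = re.compile(r"""(?P<key>[\w-]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S*))""")

def parse_pairs(body):
    fields = {}
    for m in PAIR.finditer(body):
        key = m.group("key")
        if m.group("sq") is not None:  # USER_* records nest pairs inside msg='...'
            fields.update(parse_pairs(m.group("sq")))
        elif m.group("dq") is not None:
            fields[key] = m.group("dq")
        elif key == "proctitle":
            # An unquoted proctitle is hex-encoded argv with NUL separators.
            try:
                fields[key] = bytes.fromhex(m.group("bare")).replace(b"\0", b" ").decode("utf-8", "replace")
            except ValueError:
                fields[key] = m.group("bare")
        else:
            fields[key] = m.group("bare")
    return fields

def parse_line(line):
    m = HEADER.match(line.strip())
    if m is None:
        return None  # not an audit record (truncated or foreign line)
    ts = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    return {
        "type": m.group("type"),
        "ts": ts + timedelta(milliseconds=int(m.group("ms"))),
        "serial": int(m.group("serial")),
        "fields": parse_pairs(m.group("body")),
    }

# Constructed sample lines, not taken from a real host.
SAMPLE = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 pid=2686 uid=1000 comm="cat" exe="/usr/bin/cat" key="sshd_config"',
    "type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=636174002F6574632F7373682F737368645F636F6E666967",
    "type=USER_LOGIN msg=audit(1364481400.010:24301): pid=1310 uid=0 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" addr=192.0.2.10 res=failed'",
    "partial line without a header",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE)):
        print(rec["ts"].isoformat(), rec["type"], rec["serial"], rec["fields"])
```

Records that share a timestamp and serial (here the SYSCALL and PROCTITLE lines) belong to one audit event and can be grouped on that pair during triage.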

References