dissect.target.plugins.os.unix.log.auth¶
Module Contents¶
Classes¶
Helper class that provides a standard way to create an ABC using |
|
Parsing of sudo service messages in the auth log. |
|
Class for parsing sshd messages in the auth log. |
|
Class for parsing systemd-logind messages in the auth log. |
|
Class for parsing su messages in the auth log. |
|
Class for parsing pkexec messages in the auth log. |
|
Helper class that provides a standard way to create an ABC using |
|
Class for dynamically creating auth log records. |
|
Unix authentication log plugin. |
Attributes¶
- dissect.target.plugins.os.unix.log.auth.log¶
- dissect.target.plugins.os.unix.log.auth.RE_IPV4_ADDRESS¶
- dissect.target.plugins.os.unix.log.auth.RE_USER¶
- class dissect.target.plugins.os.unix.log.auth.BaseService¶
Bases:
abc.ABCHelper class that provides a standard way to create an ABC using inheritance.
- classmethod parse(message: str) dict[str, any]¶
- Abstractmethod:
- class dissect.target.plugins.os.unix.log.auth.SudoService¶
Bases:
BaseServiceParsing of sudo service messages in the auth log.
- RE_SUDO_COMMAND¶
- classmethod parse(message: str) dict[str, str]¶
Parse auth log message from sudo.
- class dissect.target.plugins.os.unix.log.auth.SshdService¶
Bases:
BaseServiceClass for parsing sshd messages in the auth log.
- RE_SSHD_PORTREGEX¶
- RE_USER¶
- classmethod parse(message: str) dict[str, str | int]¶
Parse message from sshd
- class dissect.target.plugins.os.unix.log.auth.SystemdLogindService¶
Bases:
BaseServiceClass for parsing systemd-logind messages in the auth log.
- RE_SYSTEMD_LOGIND_WATCHING¶
- classmethod parse(message: str)¶
Parse auth log message from systemd-logind.
- class dissect.target.plugins.os.unix.log.auth.SuService¶
Bases:
BaseServiceClass for parsing su messages in the auth log.
- RE_SU_BY¶
- RE_SU_ON¶
- RE_SU_COMMAND¶
- classmethod parse(message: str) dict[str, str]¶
- class dissect.target.plugins.os.unix.log.auth.PkexecService¶
Bases:
BaseServiceClass for parsing pkexec messages in the auth log.
- RE_PKEXEC_COMMAND¶
- classmethod parse(message: str) dict[str, str]¶
Parse auth log message from pkexec
- class dissect.target.plugins.os.unix.log.auth.PamUnixService¶
Bases:
BaseServiceHelper class that provides a standard way to create an ABC using inheritance.
- RE_PAM_UNIX¶
- classmethod parse(message)¶
Parse auth log message from pluggable authentication modules (PAM).
- class dissect.target.plugins.os.unix.log.auth.AuthLogRecordBuilder(target: dissect.target.Target)¶
Class for dynamically creating auth log records.
- RECORD_NAME = 'linux/log/auth'¶
- SERVICES: dict[str, BaseService]¶
- target¶
- build_record(ts: datetime.datetime, source: pathlib.Path, line: str) dissect.target.helpers.record.TargetRecordDescriptor¶
Builds an
AuthLogevent record.
- class dissect.target.plugins.os.unix.log.auth.AuthPlugin(target: dissect.target.Target)¶
Bases:
dissect.target.plugin.PluginUnix authentication log plugin.
- check_compatible() None¶
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- authlog() Iterator[Any]¶
Yield contents of
/var/log/auth.log*and/var/log/secure*files.Order of returned events is not guaranteed to be chronological because of year rollover detection efforts for log files without a year in the timestamp.
The following timestamp formats are recognised automatically. This plugin assumes that no custom
date_formattemplate is set insyslog-ngorsystemdconfiguration (defaults toM d H:M:S).ISO formatted authlog entries are parsed as can be found in Ubuntu 24.04 and later.
CentOS format: Jan 12 13:37:00 hostname daemon: message Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message Ubuntu 24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message