dissect.target.plugins.os.unix.log.auth

Module Contents

Classes

BaseService	Helper class that provides a standard way to create an ABC using
SudoService	Parsing of sudo service messages in the auth log.
SshdService	Class for parsing sshd messages in the auth log.
SystemdLogindService	Class for parsing systemd-logind messages in the auth log.
SuService	Class for parsing su messages in the auth log.
PkexecService	Class for parsing pkexec messages in the auth log.
PamUnixService	Helper class that provides a standard way to create an ABC using
AuthLogRecordBuilder	Class for dynamically creating auth log records.
AuthPlugin	Unix authentication log plugin.

Attributes

RE_USER

dissect.target.plugins.os.unix.log.auth.RE_USER

class dissect.target.plugins.os.unix.log.auth.BaseService

Bases: abc.ABC

Helper class that provides a standard way to create an ABC using inheritance.

classmethod parse(message: str) → dict[str, any]

Abstractmethod:

class dissect.target.plugins.os.unix.log.auth.SudoService

Bases: BaseService

Parsing of sudo service messages in the auth log.

RE_SUDO_COMMAND

classmethod parse(message: str) → dict[str, str]

Parse auth log message from sudo.

class dissect.target.plugins.os.unix.log.auth.SshdService

Bases: BaseService

Class for parsing sshd messages in the auth log.

RE_SSHD_PORTREGEX

RE_USER

classmethod parse(message: str) → dict[str, str | int]

Parse message from sshd.

class dissect.target.plugins.os.unix.log.auth.SystemdLogindService

Bases: BaseService

Class for parsing systemd-logind messages in the auth log.

References

• https://github.com/systemd/systemd/blob/main/src/login/logind-session.c

• https://github.com/systemd/systemd/blob/main/src/login/logind-session.h

• https://github.com/systemd/systemd/blob/main/src/login/logind-seat.c

RE_MSG_WATCHING

RE_MSG_SESSION_NEW

RE_MSG_SESSION_NEW_VARIANT

RE_MSG_SESSION_LOGGED_OUT

RE_MSG_SESSION_REMOVED

RE_MSG_SEAT

classmethod parse(message: str) → dict[str, str]

Parse auth log message from systemd-logind.

class dissect.target.plugins.os.unix.log.auth.SuService

Bases: BaseService

Class for parsing su messages in the auth log.

RE_SU_BY

RE_SU_ON

RE_SU_COMMAND

classmethod parse(message: str) → dict[str, str]

class dissect.target.plugins.os.unix.log.auth.PkexecService

Bases: BaseService

Class for parsing pkexec messages in the auth log.

RE_PKEXEC_COMMAND

classmethod parse(message: str) → dict[str, str]

Parse auth log message from pkexec.

class dissect.target.plugins.os.unix.log.auth.PamUnixService

Bases: BaseService

Helper class that provides a standard way to create an ABC using inheritance.

RE_PAM_UNIX

classmethod parse(message: str) → dict[str, str | int]

Parse auth log message from pluggable authentication modules (PAM).

class dissect.target.plugins.os.unix.log.auth.AuthLogRecordBuilder(target: dissect.target.target.Target)

Class for dynamically creating auth log records.

RECORD_NAME = 'linux/log/auth'

SERVICES: Final[dict[str, BaseService]]

target

build_record(ts: datetime.datetime, source: pathlib.Path, line: str) → dissect.target.helpers.record.TargetRecordDescriptor

Builds an AuthLog event record.

class dissect.target.plugins.os.unix.log.auth.AuthPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Unix authentication log plugin.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

authlog() → collections.abc.Iterator[Any]

Yield contents of /var/log/auth.log* and /var/log/secure* files.

Order of returned events is not guaranteed to be chronological because of year rollover detection efforts for log files without a year in the timestamp.

The following timestamp formats are recognised automatically. This plugin assumes that no custom date_format template is set in syslog-ng or systemd configuration (defaults to M d H:M:S).

ISO formatted authlog entries are parsed as can be found in Ubuntu 24.04 and later.

CentOS format: Jan 12 13:37:00 hostname daemon: message
Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
Ubuntu  24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message

References

• https://help.ubuntu.com/community/LinuxLogFiles