dissect.target 3.15.dev29__py3-none-any.whl → 3.15.dev31__py3-none-any.whl

dissect/target/plugin.py

@@ -495,7 +495,7 @@ def register(plugincls: Type[Plugin]) -> None:
     root["exports"] = plugincls.__exports__
     root["namespace"] = plugincls.__namespace__
     root["fullname"] = ".".join((plugincls.__module__, plugincls.__qualname__))
-    root["cls"] = plugincls
+    root["is_osplugin"] = issubclass(plugincls, OSPlugin)
 
 
 def internal(*args, **kwargs) -> Callable:
@@ -1117,7 +1117,7 @@ def plugin_function_index(target: Optional[Target]) -> tuple[dict[str, PluginDes
             available["exports"].remove("get_all_records")
 
         for exported in available["exports"]:
-            if issubclass(available["cls"], OSPlugin) and os_type == general.default.DefaultPlugin:
+            if available["is_osplugin"] and os_type == general.default.DefaultPlugin:
                 # This makes the os plugin exports listed under the special
                 # "OS plugins" header by the 'plugins' plugin.
                 available["module"] = ""

dissect/target/plugins/os/unix/bsd/citrix/_os.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import re
 from typing import Iterator, Optional
 
-from dissect.target.filesystem import Filesystem, VirtualFilesystem
+from dissect.target.filesystem import Filesystem
 from dissect.target.helpers.record import UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.bsd._os import BsdPlugin
@@ -18,12 +18,12 @@ RE_CONFIG_USER = re.compile(r"bind system user (?P<user>[^ ]+) ")
 RE_LOADER_CONFIG_KERNEL_VERSION = re.compile(r'kernel="/(?P<version>.*)"')
 
 
-class CitrixBsdPlugin(BsdPlugin):
+class CitrixPlugin(BsdPlugin):
     def __init__(self, target: Target):
         super().__init__(target)
         self._ips = []
         self._hostname = None
-        self.config_usernames = []
+        self._config_usernames = []
         self._parse_netscaler_configs()
 
     def _parse_netscaler_configs(self) -> None:
@@ -49,26 +49,46 @@ class CitrixBsdPlugin(BsdPlugin):
 
     @classmethod
     def detect(cls, target: Target) -> Optional[Filesystem]:
-        newfilesystem = VirtualFilesystem()
-        is_citrix = False
+        ramdisk = None
+        for fs in target.filesystems:
+            # /netscaler can be present on both the ramdisk and the harddisk. Therefore we also check for the /log
+            # folder, which is not present on the ramdisk. We regard the harddisk as the system volume, as it is
+            # possible to only have a disk image of a Netscaler. However, in the case where we only have the ramdisk,
+            # we want to fall back on that as the system volume. Thus we store that filesystem in a fallback variable.
+            if fs.exists("/netscaler"):
+                if fs.exists("/log"):
+                    return fs
+                ramdisk = fs
+
+        # At this point, we could not find the filesystem for '/var'. Thus, we fall back to the ramdisk variable, which
+        # is either 'None' (in which case this isn't a Citrix netscaler), or points to the filesystem of the ramdisk.
+        return ramdisk
+
+    @classmethod
+    def create(cls, target: Target, sysvol: Filesystem) -> CitrixPlugin:
+        # A disk image of a Citrix Netscaler contains two partitions, that after boot are mounted to /var and /flash.
+        # The rest of the filesystem is recreated at runtime into a 'ramdisk'. Currently, this plugin does not
+        # yet support recreating the ramdisk from a 'clean' state. This might be possible in a future iteration but
+        # requires further research.
+
+        # When the ramdisk is present within the target's filesystems, mount it accordingly,
         for fs in target.filesystems:
             if fs.exists("/bin/freebsd-version"):
-                newfilesystem.map_fs("/", fs)
-                break
+                # If available, mount the ramdisk first.
+                target.fs.mount("/", fs)
+        # The 'disk' filesystem is mounted at '/var'.
+        target.fs.mount("/var", sysvol)
+
+        # Enumerate filesystems for flash partition
         for fs in target.filesystems:
             if fs.exists("/nsconfig") and fs.exists("/boot"):
-                newfilesystem.map_fs("/flash", fs)
-                is_citrix = True
-            elif fs.exists("/netscaler"):
-                newfilesystem.map_fs("/var", fs)
-                is_citrix = True
-        if is_citrix:
-            return newfilesystem
-        return None
+                target.fs.mount("/flash", fs)
+
+        return cls(target)
 
     @export(property=True)
     def hostname(self) -> Optional[str]:
-        return self._hostname
+        return self._hostname or super().hostname
 
     @export(property=True)
     def version(self) -> Optional[str]:
@@ -96,16 +116,21 @@ class CitrixBsdPlugin(BsdPlugin):
     @export(record=UnixUserRecord)
     def users(self) -> Iterator[UnixUserRecord]:
         nstmp_users = set()
-        nstmp_path = "/var/nstmp/"
-
-        nstmp_user_path = nstmp_path + "{username}"
-
-        for entry in self.target.fs.scandir(nstmp_path):
-            if entry.is_dir() and entry.name != "#nsinternal#":
-                nstmp_users.add(entry.name)
+        seen = set()
+        nstmp_path = self.target.fs.path("/var/nstmp/")
+
+        # Build a set of nstmp users
+        if nstmp_path.exists():
+            for entry in nstmp_path.iterdir():
+                if entry.is_dir() and entry.name != "#nsinternal#":
+                    # The nsmonitor user has a home directory of /var/nstmp/monitors rather than /var/nstmp/nsmonitor
+                    username = "nsmonitor" if entry.name == "monitors" else entry.name
+                    nstmp_users.add(username)
+
+        # Yield users from the config, matching them to their 'home' in /var/nstmp if it exists.
         for username in self._config_usernames:
-            nstmp_home = nstmp_user_path.format(username=username)
-            user_home = nstmp_home if self.target.fs.exists(nstmp_home) else None
+            nstmp_home = nstmp_path.joinpath(username)
+            user_home = nstmp_home if nstmp_home.exists() else None
 
             if user_home:
                 # After this loop we will yield all users who are not in the config, but are listed in /var/nstmp/
@@ -114,13 +139,28 @@ class CitrixBsdPlugin(BsdPlugin):
 
             if username == "root" and self.target.fs.exists("/root"):
                 # If we got here, 'root' is present both in /var/nstmp and in /root. In such cases, we yield
-                # the 'root' user as having '/root' as a home, not in /var/nstmp.
-                user_home = "/root"
+                # the 'root' user as having '/root' as a home, not in /var/nstmp, as there is no 'nscli_history'
+                # for the root user in /var/nstmp.
+                user_home = self.target.fs.path("/root")
 
+            seen.add((username, user_home.as_posix() if user_home else None, None))
             yield UnixUserRecord(name=username, home=user_home)
 
+        # Yield all users in nstmp that were not observed in the config
         for username in nstmp_users:
-            yield UnixUserRecord(name=username, home=nstmp_user_path.format(username=username))
+            # The nsmonitor user has a home directory of /var/nstmp/monitors rather than /var/nstmp/nsmonitor
+            home = nstmp_path.joinpath(username) if username != "nsmonitor" else nstmp_path.joinpath("monitors")
+            seen.add((username, home.as_posix(), None))
+            yield UnixUserRecord(name=username, home=home)
+
+        # Yield users from /etc/passwd if we have not seem them in previous loops
+        for user in super().users():
+            if (user.name, user.home.as_posix(), user.shell) in seen:
+                continue
+            # To prevent bogus command history for all users without a home whenever a history is located at the root
+            # of the filesystem, we set the user home to None if their home is equivalent to '/'
+            user.home = user.home if user.home != "/" else None
+            yield user
 
     @export(property=True)
     def os(self) -> str:

dissect/target/plugins/os/unix/bsd/citrix/history.py

@@ -0,0 +1,130 @@
+import re
+from typing import Iterator, Optional
+
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import UnixUserRecord
+from dissect.target.helpers.utils import year_rollover_helper
+from dissect.target.plugin import export
+from dissect.target.plugins.os.unix.history import (
+    CommandHistoryPlugin,
+    CommandHistoryRecord,
+)
+
+RE_CITRIX_NETSCALER_BASH_HISTORY_DATE = re.compile(r"(?P<date>[^<]+)\s")
+
+CITRIX_NETSCALER_BASH_HISTORY_RE = re.compile(
+    r"""
+        (?P<date>[^<]+)
+        \s
+        <
+            (?P<syslog_facility>[^\.]+)
+            \.
+            (?P<syslog_loglevel>[^>]+)
+        >
+        \s
+        (?P<hostname>[^\s]+)
+        \s
+        (?P<process_name>[^\[]+)
+            \[
+                (?P<process_id>\d+)
+            \]
+        :
+        \s
+        (?P<username>.*)\s
+        on\s
+            (?P<destination>[^\s]+)\s
+        shell_command=
+        \"
+            (?P<command>.*)
+        \"
+    $
+    """,
+    re.VERBOSE,
+)
+
+
+class CitrixCommandHistoryPlugin(CommandHistoryPlugin):
+    COMMAND_HISTORY_ABSOLUTE_PATHS = (("citrix-netscaler-bash", "/var/log/bash.log*"),)
+    COMMAND_HISTORY_RELATIVE_PATHS = CommandHistoryPlugin.COMMAND_HISTORY_RELATIVE_PATHS + (
+        ("citrix-netscaler-cli", ".nscli_history"),
+    )
+
+    def _find_history_files(self) -> list[tuple[str, TargetPath, Optional[UnixUserRecord]]]:
+        """Find history files on the target that this plugin can parse."""
+        history_files = []
+        for shell, history_absolute_path_glob in self.COMMAND_HISTORY_ABSOLUTE_PATHS:
+            for path in self.target.fs.path("/").glob(history_absolute_path_glob.lstrip("/")):
+                history_files.append((shell, path, None))
+
+        # Also utilize the _find_history_files function of the parent class
+        history_files.extend(super()._find_history_files())
+        return history_files
+
+    def _find_user_by_name(self, username: str) -> Optional[UnixUserRecord]:
+        """Cached function to return the matching UnixUserRecord for a given username."""
+        if username is None:
+            return None
+
+        user_details = self.target.user_details.find(username=username)
+        return user_details.user if user_details else None
+
+    @export(record=CommandHistoryRecord)
+    def commandhistory(self) -> Iterator[CommandHistoryRecord]:
+        """Return shell history for all users.
+
+        When using a shell, history of the used commands is kept on the system.
+        """
+
+        for shell, history_path, user in self._history_files:
+            if shell == "citrix-netscaler-cli":
+                yield from self.parse_netscaler_cli_history(history_path, user)
+            elif shell == "citrix-netscaler-bash":
+                yield from self.parse_netscaler_bash_history(history_path)
+
+    def parse_netscaler_bash_history(self, path: TargetPath) -> Iterator[CommandHistoryRecord]:
+        """Parse bash.log* contents."""
+        for ts, line in year_rollover_helper(path, RE_CITRIX_NETSCALER_BASH_HISTORY_DATE, "%b %d %H:%M:%S "):
+            line = line.strip()
+            if not line:
+                continue
+
+            match = CITRIX_NETSCALER_BASH_HISTORY_RE.match(line)
+            if not match:
+                continue
+
+            group = match.groupdict()
+            command = group.get("command")
+            user = self._find_user_by_name(group.get("username"))
+
+            yield CommandHistoryRecord(
+                ts=ts,
+                command=command,
+                shell="citrix-netscaler-bash",
+                source=path,
+                _target=self.target,
+                _user=user,
+            )
+
+    def parse_netscaler_cli_history(
+        self, history_file: TargetPath, user: UnixUserRecord
+    ) -> Iterator[CommandHistoryRecord]:
+        """Parses the history file of the Citrix Netscaler CLI.
+
+        The only difference compared to generic bash history files is that the first line will start with
+        ``_HiStOrY_V2_``, which we will skip.
+        """
+        for idx, line in enumerate(history_file.open("rt")):
+            if not (line := line.strip()):
+                continue
+
+            if idx == 0 and line == "_HiStOrY_V2_":
+                continue
+
+            yield CommandHistoryRecord(
+                ts=None,
+                command=line,
+                shell="citrix-netscaler-cli",
+                source=history_file,
+                _target=self.target,
+                _user=user,
+            )

{dissect.target-3.15.dev29.dist-info → dissect.target-3.15.dev31.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.15.dev29
+Version: 3.15.dev31
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.15.dev29.dist-info → dissect.target-3.15.dev31.dist-info}/RECORD

@@ -3,7 +3,7 @@ dissect/target/container.py,sha256=9ixufT1_0WhraqttBWwQjG80caToJqvCX8VjFk8d5F0,9
 dissect/target/exceptions.py,sha256=VVW_Rq_vQinapz-2mbJ3UkxBEZpb2pE_7JlhMukdtrY,2877
 dissect/target/filesystem.py,sha256=aLkvZMgeah39Nhlscawh77cm2mzFYI9J5h3uT3Rigtc,53876
 dissect/target/loader.py,sha256=0-LcZNi7S0qsXR7XGtrzxpuCh9BsLcqNR1T15O7SnBM,7257
-dissect/target/plugin.py,sha256=-ME1mkgsnVGlgACFWjM_4DyQ230toCMuh6tPJshSLsw,48112
+dissect/target/plugin.py,sha256=_g5RM8GHXFR1oQvjfCOxq0_m5bbgY-kNr2uFK74nSWI,48128
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
 dissect/target/target.py,sha256=1mj4VoDmFZ2d8oXWKVQ-zBK-gXzr0lop6ytQ8E-8GH0,32137
 dissect/target/volume.py,sha256=aQZAJiny8jjwkc9UtwIRwy7nINXjCxwpO-_UDfh6-BA,15801
@@ -185,7 +185,8 @@ dissect/target/plugins/os/unix/packagemanager.py,sha256=Wm2AAJOD_B3FAcZNXgWtSm_Y
 dissect/target/plugins/os/unix/shadow.py,sha256=TvN04uzFnUttNMZAa6_1XdXSP-8V6ztbZNoetDvfD0w,3535
 dissect/target/plugins/os/unix/bsd/_os.py,sha256=e5rttTOFOmd7e2HqP9ZZFMEiPLBr-8rfH0XH1IIeroQ,1372
 dissect/target/plugins/os/unix/bsd/citrix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/bsd/citrix/_os.py,sha256=Y5kTpOJLyko0Q8Tx6DQ5t0tngzpg8ISNer210JoG0pg,5172
+dissect/target/plugins/os/unix/bsd/citrix/_os.py,sha256=u9agLXoMt_k-nARtSJ78_-ScJae4clZhkqFiEVsB9b8,7910
+dissect/target/plugins/os/unix/bsd/citrix/history.py,sha256=cXMA4rZQBsOMwd_aLbXjW_CAEzNnsr2bUZB9cPufnQo,4498
 dissect/target/plugins/os/unix/bsd/freebsd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/bsd/freebsd/_os.py,sha256=Vqiyn08kv1IioNUwpgtBJ9SToCFhLCsJdpVhl5E7COM,789
 dissect/target/plugins/os/unix/bsd/ios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -318,10 +319,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.15.dev29.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.15.dev29.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.15.dev29.dist-info/METADATA,sha256=Zxnx68v6hVRI_vLQaSXRRL9r_K7h_ofCjJQWgabrYUs,11113
-dissect.target-3.15.dev29.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.15.dev29.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.15.dev29.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.15.dev29.dist-info/RECORD,,
+dissect.target-3.15.dev31.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.15.dev31.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.15.dev31.dist-info/METADATA,sha256=OTRkkYJl8XwDN-U1m0Nh7C9DBRMl8dsy_NPut3PXJ6U,11113
+dissect.target-3.15.dev31.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.15.dev31.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.15.dev31.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.15.dev31.dist-info/RECORD,,