dissect.target 3.18.dev15__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/plugins/filesystem/yara.py

@@ -1,14 +1,27 @@
+from __future__ import annotations
+
+import hashlib
+import logging
+from io import BytesIO
 from pathlib import Path
+from typing import Iterator
+
+from dissect.target.helpers import hashutil
 
 try:
     import yara
+
+    HAS_YARA = True
+
 except ImportError:
-    raise ImportError("Please install 'yara-python' to use 'target-query -f yara'.")
+    HAS_YARA = False
 
-from dissect.target.exceptions import FileNotFoundError
+from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, arg, export
 
+log = logging.getLogger(__name__)
+
 YaraMatchRecord = TargetRecordDescriptor(
     "filesystem/yara/match",
     [
@@ -16,48 +29,156 @@ YaraMatchRecord = TargetRecordDescriptor(
         ("digest", "digest"),
         ("string", "rule"),
         ("string[]", "tags"),
+        ("string", "namespace"),
     ],
 )
 
+DEFAULT_MAX_SCAN_SIZE = 10 * 1024 * 1024
+
 
 class YaraPlugin(Plugin):
     """Plugin to scan files against a local YARA rules file."""
 
-    DEFAULT_MAX_SIZE = 10 * 1024 * 1024
-
     def check_compatible(self) -> None:
-        pass
+        if not HAS_YARA:
+            raise UnsupportedPluginError("Please install 'yara-python' to use the yara plugin.")
 
-    @arg("--rule-files", "-r", type=Path, nargs="+", required=True, help="path to YARA rule file")
-    @arg("--scan-path", default="/", help="path to recursively scan")
-    @arg("--max-size", "-m", default=DEFAULT_MAX_SIZE, help="maximum file size in bytes to scan")
+    @arg("-r", "--rules", required=True, nargs="*", help="path(s) to YARA rule file(s) or folder(s)")
+    @arg("-p", "--path", default="/", help="path on target(s) to recursively scan")
+    @arg("-m", "--max-size", type=int, default=DEFAULT_MAX_SCAN_SIZE, help="maximum file size in bytes to scan")
+    @arg("-c", "--check", default=False, action="store_true", help="check if every YARA rule is valid")
     @export(record=YaraMatchRecord)
-    def yara(self, rule_files, scan_path="/", max_size=DEFAULT_MAX_SIZE):
-        """Scan files up to a given maximum size with a local YARA rule file.
+    def yara(
+        self,
+        rules: list[str | Path],
+        path: str = "/",
+        max_size: int = DEFAULT_MAX_SCAN_SIZE,
+        check: bool = False,
+    ) -> Iterator[YaraMatchRecord]:
+        """Scan files inside the target up to a given maximum size with YARA rule file(s).
+
+        Args:
+            rules: ``list`` of strings or ``Path`` objects pointing to rule files to use.
+            path: ``string`` of absolute target path to scan.
+            max_size: Files larger than this size will not be scanned.
+            check: Check if provided rules are valid, only compiles valid rules.
 
-        Example:
-            target-query <TARGET> -f yara --rule-file /path/to/yara_sigs.rule
+        Returns:
+            Iterator yields ``YaraMatchRecord``.
         """
 
-        rule_data = "\n".join([rule_file.read_text() for rule_file in rule_files])
+        compiled_rules = process_rules(rules, check)
 
-        rules = yara.compile(source=rule_data)
-        for _, _, files in self.target.fs.walk_ext(scan_path):
-            for file_entry in files:
-                path = self.target.fs.path(file_entry.path)
+        if not rules:
+            self.target.log.error("No working rules found in '%s'", ",".join(rules))
+            return
+
+        if hasattr(compiled_rules, "warnings") and (num_warns := len(compiled_rules.warnings)) > 0:
+            self.target.log.warning("YARA generated %s warnings while compiling rules", num_warns)
+            for warning in compiled_rules.warnings:
+                self.target.log.info(warning)
+
+        self.target.log.warning("Will not scan files larger than %s MB", max_size // 1024 // 1024)
+
+        for _, _, files in self.target.fs.walk_ext(path):
+            for file in files:
                 try:
-                    if path.stat().st_size > max_size:
+                    if (file_size := file.stat().st_size) > max_size:
+                        self.target.log.info("Not scanning file of %s MB: '%s'", (file_size // 1024 // 1024), file)
                         continue
 
-                    for match in rules.match(data=path.read_bytes()):
+                    buf = file.open().read()
+                    for match in compiled_rules.match(data=buf):
                         yield YaraMatchRecord(
-                            path=path,
-                            digest=path.get().hash(),
+                            path=self.target.fs.path(file.path),
+                            digest=hashutil.common(BytesIO(buf)),
                             rule=match.rule,
                             tags=match.tags,
+                            namespace=match.namespace,
                             _target=self.target,
                         )
+
                 except FileNotFoundError:
                     continue
-                except Exception:
-                    self.target.log.exception("Error scanning file: %s", path)
+                except RuntimeWarning as e:
+                    self.target.log.warning("Runtime warning while scanning file '%s': %s", file, e)
+                except Exception as e:
+                    self.target.log.error("Exception scanning file '%s'", file)
+                    self.target.log.debug("", exc_info=e)
+
+
+def process_rules(paths: list[str | Path], check: bool = False) -> yara.Rules | None:
+    """Generate compiled YARA rules from the given path(s).
+
+    Provide path to one (compiled) YARA file or directory containing YARA files.
+
+    Args:
+        paths: Path to file(s) or folder(s) containing YARA files.
+        check: Attempt to compile every rule file before appending to rules.
+
+    Returns:
+        Compiled YARA rules or None.
+    """
+    files = set()
+    compiled_rules = None
+
+    for rules_path in paths:
+        if isinstance(rules_path, str):
+            rules_path = Path(rules_path)
+
+        if not rules_path.exists():
+            log.warning("File %s does not exist!", rules_path)
+            continue
+
+        if rules_path.is_dir():
+            for file in rules_path.rglob("*"):
+                if not file.is_file():
+                    continue
+                files.add(file)
+        else:
+            files.add(rules_path)
+
+    for file in set(files):
+        with file.open("rb") as fh:
+            magic = fh.read(4)
+
+        if magic == b"YARA":
+            if len(files) > 1:
+                log.error("Providing multiple compiled YARA files is not supported. Did not add %s", file)
+                continue
+            else:
+                log.info("Adding single compiled YARA file %s", file)
+                compiled_rules = compile_yara(file, is_compiled=True)
+                break
+
+        elif check and not is_valid_yara({"check_namespace": file}):
+            log.warning("File %s contains invalid rule(s)!", file)
+            files.remove(file)
+            continue
+
+    if files and not compiled_rules:
+        try:
+            compiled_rules = compile_yara({hashlib.md5(file.as_posix().encode()).hexdigest(): file for file in files})
+        except yara.Error as e:
+            log.error("Failed to compile YARA file(s): %s", e)
+
+    return compiled_rules
+
+
+def compile_yara(files: dict[str, Path] | Path, is_compiled: bool = False) -> yara.Rules | None:
+    """Compile or load the given YARA file(s) to rules."""
+    if is_compiled and isinstance(files, Path):
+        return yara.load(files.as_posix())
+    else:
+        return yara.compile(filepaths={ns: Path(path).as_posix() for ns, path in files.items()})
+
+
+def is_valid_yara(files: dict[str, Path] | Path, is_compiled: bool = False) -> bool:
+    """Determine if the given YARA file(s) compile without errors or warnings."""
+    try:
+        compile_yara(files, is_compiled)
+        return True
+
+    except (yara.SyntaxError, yara.WarningError, yara.Error) as e:
+        log.debug("Rule file(s) '%s' invalid: %s", files, e)
+        return False

dissect/target/plugins/general/network.py

@@ -0,0 +1,82 @@
+from __future__ import annotations
+
+from typing import Any, Iterator, Union
+
+from flow.record.fieldtypes.net import IPAddress, IPNetwork
+
+from dissect.target.helpers.record import (
+    MacInterfaceRecord,
+    UnixInterfaceRecord,
+    WindowsInterfaceRecord,
+)
+from dissect.target.plugin import Plugin, export, internal
+from dissect.target.target import Target
+
+InterfaceRecord = Union[UnixInterfaceRecord, WindowsInterfaceRecord, MacInterfaceRecord]
+
+
+class NetworkPlugin(Plugin):
+    __namespace__ = "network"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self._interface_list: list[InterfaceRecord] | None = None
+
+    def check_compatible(self) -> None:
+        pass
+
+    def _interfaces(self) -> Iterator[InterfaceRecord]:
+        yield from ()
+
+    def _get_record_type(self, field_name: str) -> Iterator[Any]:
+        for record in self.interfaces():
+            if (output := getattr(record, field_name, None)) is None:
+                continue
+
+            if isinstance(output, list):
+                yield from output
+            else:
+                yield output
+
+    @export(record=InterfaceRecord)
+    def interfaces(self) -> Iterator[InterfaceRecord]:
+        # Only search for the interfaces once
+        if self._interface_list is None:
+            self._interface_list = list(self._interfaces())
+
+        yield from self._interface_list
+
+    @export
+    def ips(self) -> list[IPAddress]:
+        return list(self._get_record_type("ip"))
+
+    @export
+    def gateways(self) -> list[IPAddress]:
+        return list(self._get_record_type("gateway"))
+
+    @export
+    def macs(self) -> list[str]:
+        return list(self._get_record_type("mac"))
+
+    @export
+    def dns(self) -> list[str]:
+        return list(self._get_record_type("dns"))
+
+    @internal
+    def with_ip(self, ip_addr: str) -> Iterator[InterfaceRecord]:
+        for interface in self.interfaces():
+            if ip_addr in interface.ip:
+                yield interface
+
+    @internal
+    def with_mac(self, mac: str) -> Iterator[InterfaceRecord]:
+        for interface in self.interfaces():
+            if interface.mac == mac:
+                yield interface
+
+    @internal
+    def in_cidr(self, cidr: str) -> Iterator[InterfaceRecord]:
+        cidr = IPNetwork(cidr)
+        for interface in self.interfaces():
+            if any(ip_addr in cidr for ip_addr in interface.ip):
+                yield interface

dissect/target/plugins/general/users.py

@@ -1,5 +1,7 @@
+from __future__ import annotations
+
 from functools import lru_cache
-from typing import Generator, NamedTuple, Optional, Union
+from typing import Iterator, NamedTuple, Union
 
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
@@ -7,10 +9,12 @@ from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import UnixUserRecord, WindowsUserRecord
 from dissect.target.plugin import InternalPlugin
 
+UserRecord = Union[UnixUserRecord, WindowsUserRecord]
+
 
 class UserDetails(NamedTuple):
-    user: Union[UnixUserRecord, WindowsUserRecord]
-    home_path: Optional[TargetPath]
+    user: UserRecord
+    home_path: TargetPath | None
 
 
 class UsersPlugin(InternalPlugin):
@@ -28,11 +32,11 @@ class UsersPlugin(InternalPlugin):
 
     def find(
         self,
-        sid: Optional[str] = None,
-        uid: Optional[str] = None,
-        username: Optional[str] = None,
+        sid: str | None = None,
+        uid: str | None = None,
+        username: str | None = None,
         force_case_sensitive: bool = False,
-    ) -> Optional[UserDetails]:
+    ) -> UserDetails | None:
         """Find User record matching provided sid, uid or username and return UserDetails object"""
         if all(map(lambda x: x is None, [sid, uid, username])):
             raise ValueError("Either sid or uid or username is expected")
@@ -52,7 +56,7 @@ class UsersPlugin(InternalPlugin):
             ):
                 return self.get(user)
 
-    def get(self, user: Union[UnixUserRecord, WindowsUserRecord]) -> UserDetails:
+    def get(self, user: UserRecord) -> UserDetails:
         """Return additional details about the user"""
         # Resolving the user home can not use the user's environment variables,
         # as those depend on the user's home to be known first. So we resolve
@@ -60,12 +64,12 @@ class UsersPlugin(InternalPlugin):
         home_path = self.target.fs.path(self.target.resolve(str(user.home))) if user.home else None
         return UserDetails(user=user, home_path=home_path)
 
-    def all(self) -> Generator[UserDetails, None, None]:
+    def all(self) -> Iterator[UserDetails]:
         """Return UserDetails objects for all users found"""
         for user in self.target.users():
             yield self.get(user)
 
-    def all_with_home(self) -> Generator[UserDetails, None, None]:
+    def all_with_home(self) -> Iterator[UserDetails]:
         """Return UserDetails objects for users that have existing directory set as home directory"""
         for user in self.target.users():
             if user.home:

dissect/target/plugins/os/unix/_os.py

@@ -40,12 +40,18 @@ class UnixPlugin(OSPlugin):
     @export(record=UnixUserRecord)
     @arg("--sessions", action="store_true", help="Parse syslog for recent user sessions")
     def users(self, sessions: bool = False) -> Iterator[UnixUserRecord]:
-        """Recover users from /etc/passwd, /etc/master.passwd or /var/log/syslog session logins."""
+        """Yield unix user records from passwd files or syslog session logins.
+
+        Resources:
+            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html
+        """
+
+        PASSWD_FILES = ["/etc/passwd", "/etc/passwd-", "/etc/master.passwd"]
 
         seen_users = set()
 
         # Yield users found in passwd files.
-        for passwd_file in ["/etc/passwd", "/etc/master.passwd"]:
+        for passwd_file in PASSWD_FILES:
             if (path := self.target.fs.path(passwd_file)).exists():
                 for line in path.open("rt"):
                     line = line.strip()
@@ -53,7 +59,12 @@ class UnixPlugin(OSPlugin):
                         continue
 
                     pwent = dict(enumerate(line.split(":")))
-                    seen_users.add((pwent.get(0), pwent.get(5), pwent.get(6)))
+
+                    current_user = (pwent.get(0), pwent.get(5), pwent.get(6))
+                    if current_user in seen_users:
+                        continue
+
+                    seen_users.add(current_user)
                     yield UnixUserRecord(
                         name=pwent.get(0),
                         passwd=pwent.get(1),
@@ -202,11 +213,13 @@ class UnixPlugin(OSPlugin):
                 fs_id = None
                 fs_subvol = None
                 fs_subvolid = None
-                fs_volume_name = fs.volume.name if fs.volume and not isinstance(fs.volume, list) else None
                 fs_last_mount = None
+                fs_volume_name = None
+                vol_volume_name = fs.volume.name if fs.volume and not isinstance(fs.volume, list) else None
 
                 if fs.__type__ == "xfs":
                     fs_id = fs.xfs.uuid
+                    fs_volume_name = fs.xfs.name
                 elif fs.__type__ == "ext":
                     fs_id = fs.extfs.uuid
                     fs_last_mount = fs.extfs.last_mount
@@ -224,8 +237,9 @@ class UnixPlugin(OSPlugin):
 
                 if (
                     (fs_id and (fs_id == dev_id and (subvol == fs_subvol or subvolid == fs_subvolid)))
-                    or (fs_volume_name and (fs_volume_name == volume_name))
                     or (fs_last_mount and (fs_last_mount == mount_point))
+                    or (fs_volume_name and (fs_volume_name == volume_name))
+                    or (vol_volume_name and (vol_volume_name == volume_name))
                 ):
                     self.target.log.debug("Mounting %s (%s) at %s", fs, fs.volume, mount_point)
                     self.target.fs.mount(mount_point, fs)

dissect/target/plugins/os/unix/bsd/freebsd/_os.py

@@ -1,7 +1,5 @@
 from __future__ import annotations
 
-from typing import Optional
-
 from dissect.target.filesystem import Filesystem
 from dissect.target.plugin import export
 from dissect.target.plugins.os.unix.bsd._os import BsdPlugin
@@ -14,13 +12,13 @@ class FreeBsdPlugin(BsdPlugin):
         self._os_release = self._parse_os_release("/bin/freebsd-version*")
 
     @classmethod
-    def detect(cls, target: Target) -> Optional[Filesystem]:
+    def detect(cls, target: Target) -> Filesystem | None:
         for fs in target.filesystems:
-            if fs.exists("/net") or fs.exists("/.sujournal"):
+            if fs.exists("/net") and (fs.exists("/.sujournal") or fs.exists("/entropy")):
                 return fs
 
         return None
 
     @export(property=True)
-    def version(self) -> Optional[str]:
+    def version(self) -> str | None:
         return self._os_release.get("USERLAND_VERSION")

dissect/target/plugins/os/unix/esxi/_os.py

@@ -8,7 +8,7 @@ import subprocess
 from configparser import ConfigParser
 from configparser import Error as ConfigParserError
 from io import BytesIO
-from typing import Any, BinaryIO, Iterator, Optional, TextIO
+from typing import Any, BinaryIO, Iterator, TextIO
 
 from defusedxml import ElementTree
 from dissect.hypervisor.util import vmtar
@@ -17,9 +17,14 @@ from dissect.sql import sqlite3
 from dissect.target.helpers.fsutil import TargetPath
 
 try:
-    from dissect.hypervisor.util.envelope import Envelope, KeyStore
+    from dissect.hypervisor.util.envelope import (
+        HAS_PYCRYPTODOME,
+        HAS_PYSTANDALONE,
+        Envelope,
+        KeyStore,
+    )
 
-    HAS_ENVELOPE = True
+    HAS_ENVELOPE = HAS_PYCRYPTODOME or HAS_PYSTANDALONE
 except ImportError:
     HAS_ENVELOPE = False
 
@@ -68,9 +73,10 @@ class ESXiPlugin(UnixPlugin):
         if configstore.exists():
             self._configstore = parse_config_store(configstore.open())
 
-    def _cfg(self, path: str) -> Optional[str]:
+    def _cfg(self, path: str) -> str | None:
         if not self._config:
-            raise ValueError("No ESXi config!")
+            self.target.log.warning("No ESXi config!")
+            return None
 
         value_name = path.strip("/").split("/")[-1]
         obj = _traverse(path, self._config)
@@ -81,7 +87,7 @@ class ESXiPlugin(UnixPlugin):
         return obj.get(value_name) if obj else None
 
     @classmethod
-    def detect(cls, target: Target) -> Optional[Filesystem]:
+    def detect(cls, target: Target) -> Filesystem | None:
         bootbanks = [
             fs for fs in target.filesystems if fs.path("boot.cfg").exists() and list(fs.path("/").glob("*.v00"))
         ]
@@ -95,13 +101,13 @@ class ESXiPlugin(UnixPlugin):
     def create(cls, target: Target, sysvol: Filesystem) -> ESXiPlugin:
         cfg = parse_boot_cfg(sysvol.path("boot.cfg").open("rt"))
 
+        # Mount all the visor tars in individual filesystem layers
+        _mount_modules(target, sysvol, cfg)
+
         # Create a root layer for the "local state" filesystem
         # This stores persistent configuration data
         local_layer = target.fs.append_layer()
 
-        # Mount all the visor tars in individual filesystem layers
-        _mount_modules(target, sysvol, cfg)
-
         # Mount the local.tgz to the local state layer
         _mount_local(target, local_layer)
 
@@ -122,7 +128,7 @@ class ESXiPlugin(UnixPlugin):
         return "localhost"
 
     @export(property=True)
-    def domain(self) -> Optional[str]:
+    def domain(self) -> str | None:
         if hostname := self._cfg("/adv/Misc/HostName"):
             return hostname.partition(".")[2]
 
@@ -140,7 +146,7 @@ class ESXiPlugin(UnixPlugin):
         return list(result)
 
     @export(property=True)
-    def version(self) -> Optional[str]:
+    def version(self) -> str | None:
         boot_cfg = self.target.fs.path("/bootbank/boot.cfg")
         if not boot_cfg.exists():
             return None
@@ -181,11 +187,11 @@ class ESXiPlugin(UnixPlugin):
         return self._configstore
 
     @export(property=True)
-    def os(self):
+    def os(self) -> str:
         return OperatingSystem.ESXI.value
 
 
-def _mount_modules(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
+def _mount_modules(target: Target, sysvol: Filesystem, cfg: dict[str, str]) -> None:
     modules = [m.strip() for m in cfg["modules"].split("---")]
 
     for module in modules:
@@ -212,20 +218,22 @@ def _mount_modules(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
             target.fs.append_layer().mount("/", tfs)
 
 
-def _mount_local(target: Target, local_layer: VirtualFilesystem):
+def _mount_local(target: Target, local_layer: VirtualFilesystem) -> None:
     local_tgz = target.fs.path("local.tgz")
+    local_tgz_ve = target.fs.path("local.tgz.ve")
     local_fs = None
 
     if local_tgz.exists():
         local_fs = tar.TarFilesystem(local_tgz.open())
-    else:
-        local_tgz_ve = target.fs.path("local.tgz.ve")
+    elif local_tgz_ve.exists():
         # In the case "encryption.info" does not exist, but ".#encryption.info" does
         encryption_info = next(target.fs.path("/").glob("*encryption.info"), None)
         if not local_tgz_ve.exists() or not encryption_info.exists():
             raise ValueError("Unable to find valid configuration archive")
 
         local_fs = _create_local_fs(target, local_tgz_ve, encryption_info)
+    else:
+        target.log.warning("No local.tgz or local.tgz.ve found, skipping local state")
 
     if local_fs:
         local_layer.mount("/", local_fs)
@@ -239,7 +247,7 @@ def _decrypt_envelope(local_tgz_ve: TargetPath, encryption_info: TargetPath) ->
     return local_tgz
 
 
-def _decrypt_crypto_util(local_tgz_ve: TargetPath) -> Optional[BytesIO]:
+def _decrypt_crypto_util(local_tgz_ve: TargetPath) -> BytesIO | None:
     """Decrypt ``local.tgz.ve`` using ESXi ``crypto-util``.
 
     We write to stdout, but this results in ``crypto-util`` exiting with a non-zero return code
@@ -258,9 +266,7 @@ def _decrypt_crypto_util(local_tgz_ve: TargetPath) -> Optional[BytesIO]:
     return BytesIO(result.stdout)
 
 
-def _create_local_fs(
-    target: Target, local_tgz_ve: TargetPath, encryption_info: TargetPath
-) -> Optional[tar.TarFilesystem]:
+def _create_local_fs(target: Target, local_tgz_ve: TargetPath, encryption_info: TargetPath) -> tar.TarFilesystem | None:
     local_tgz = None
 
     if HAS_ENVELOPE:
@@ -286,7 +292,7 @@ def _create_local_fs(
         return tar.TarFilesystem(local_tgz)
 
 
-def _mount_filesystems(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
+def _mount_filesystems(target: Target, sysvol: Filesystem, cfg: dict[str, str]) -> None:
     version = cfg["build"]
 
     osdata_fs = None
@@ -365,7 +371,7 @@ def _mount_filesystems(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
         target.fs.symlink(f"/vmfs/volumes/LOCKER-{locker_fs.vmfs.uuid}", "/locker")
 
 
-def _link_log_dir(target: Target, cfg: dict[str, str], plugin_obj: ESXiPlugin):
+def _link_log_dir(target: Target, cfg: dict[str, str], plugin_obj: ESXiPlugin) -> None:
     version = cfg["build"]
 
     # Don't really know how ESXi does this, but let's just take a shortcut for now
@@ -435,7 +441,7 @@ def parse_esx_conf(fh: TextIO) -> dict[str, Any]:
     return config
 
 
-def _traverse(path: str, obj: dict[str, Any], create: bool = False):
+def _traverse(path: str, obj: dict[str, Any], create: bool = False) -> dict[str, Any] | None:
     parts = path.strip("/").split("/")
     path_parts = parts[:-1]
     for part in path_parts:

dissect/target/plugins/os/unix/etc/etc.py

@@ -1,5 +1,4 @@
 import fnmatch
-import logging
 import re
 from pathlib import Path
 from typing import Iterator
@@ -22,8 +21,6 @@ UnixConfigTreeRecord = TargetRecordDescriptor(
     ],
 )
 
-log = logging.getLogger(__name__)
-
 
 class EtcTree(ConfigurationTreePlugin):
     __namespace__ = "etc"
@@ -65,13 +62,13 @@ class EtcTree(ConfigurationTreePlugin):
 
     @export(record=UnixConfigTreeRecord)
     @arg("--glob", dest="pattern", required=False, default="*", type=str, help="Glob-style pattern to search for")
-    def etc(self, pattern: str) -> Iterator[UnixConfigTreeRecord]:
-        for entry, subs, items in self.config_fs.walk("/"):
+    @arg("--root", dest="root", required=False, default="/", type=str, help="Path to use as root for search")
+    def etc(self, pattern: str, root: str) -> Iterator[UnixConfigTreeRecord]:
+        for entry, subs, items in self.config_fs.walk(root):
             for item in items:
                 try:
                     config_object = self.get(str(Path(entry) / Path(item)))
-                    if isinstance(config_object, ConfigurationEntry):
-                        yield from self._sub(config_object, Path(entry) / Path(item), pattern)
+                    yield from self._sub(config_object, Path(entry) / Path(item), pattern)
                 except Exception:
-                    log.warning("Could not open configuration item: %s", item)
+                    self.target.log.warning("Could not open configuration item: %s", item)
                     pass

dissect/target/plugins/os/unix/history.py

@@ -8,7 +8,7 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import UnixUserRecord, create_extended_descriptor
-from dissect.target.plugin import Plugin, export, internal
+from dissect.target.plugin import Plugin, alias, export, internal
 
 CommandHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "unix/history",
@@ -36,6 +36,7 @@ class CommandHistoryPlugin(Plugin):
         ("sqlite", ".sqlite_history"),
         ("zsh", ".zsh_history"),
         ("ash", ".ash_history"),
+        ("dissect", ".dissect_history"),  # wow so meta
     )
 
     def __init__(self, target: Target):
@@ -56,12 +57,7 @@ class CommandHistoryPlugin(Plugin):
                     history_files.append((shell, history_path, user_details.user))
         return history_files
 
-    @export(record=CommandHistoryRecord)
-    def bashhistory(self):
-        """Deprecated, use commandhistory function."""
-        self.target.log.warn("Function 'bashhistory' is deprecated, use the 'commandhistory' function instead.")
-        return self.commandhistory()
-
+    @alias("bashhistory")
     @export(record=CommandHistoryRecord)
     def commandhistory(self):
         """Return shell history for all users.