dissect.target 3.20.dev45__py3-none-any.whl → 3.20.dev48__py3-none-any.whl

dissect/target/plugins/os/unix/log/auth.py

@@ -1,62 +1,373 @@
+from __future__ import annotations
+
+import itertools
+import logging
 import re
+from abc import ABC, abstractmethod
+from datetime import datetime
+from functools import lru_cache
 from itertools import chain
-from typing import Iterator
+from pathlib import Path
+from typing import Any, Iterator
 
+from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.helpers.fsutil import open_decompress
+from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
-from dissect.target.plugin import Plugin, export
-
-AuthLogRecord = TargetRecordDescriptor(
-    "linux/log/auth",
-    [
-        ("datetime", "ts"),
-        ("string", "message"),
-        ("path", "source"),
-    ],
+from dissect.target.plugin import Plugin, alias, export
+
+log = logging.getLogger(__name__)
+
+RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
+RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
+RE_LINE = re.compile(
+    r"""
+    \d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
+    (?P<hostname>\S+)\s                     # The hostname
+    (?P<service>\S+?)(\[(?P<pid>\d+)\])?:   # The service with optionally the PID between brackets
+    \s*(?P<message>.+?)\s*$                 # The log message stripped from spaces left and right
+    """,
+    re.VERBOSE,
+)
+
+# Generic regular expressions
+RE_IPV4_ADDRESS = re.compile(
+    r"""
+    ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}   # First three octets
+    (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)          # Last octet
+    """,
+    re.VERBOSE,
 )
+RE_USER = re.compile(r"for ([^\s]+)")
+
+
+class BaseService(ABC):
+    @classmethod
+    @abstractmethod
+    def parse(cls, message: str) -> dict[str, any]:
+        pass
+
+
+class SudoService(BaseService):
+    """Parsing of sudo service messages in the auth log."""
+
+    RE_SUDO_COMMAND = re.compile(
+        r"""
+        TTY=(?P<tty>\w+\/\w+)\s;\s          # The TTY -> TTY=pts/0 ;
+        PWD=(?P<pwd>[\/\w]+)\s;\s           # The current working directory -> PWD="/home/user" ;
+        USER=(?P<effective_user>\w+)\s;\s   # The effective user -> USER=root ;
+        COMMAND=(?P<command>.+)$            # The command -> COMMAND=/usr/bin/whoami
+        """,
+        re.VERBOSE,
+    )
+
+    @classmethod
+    def parse(cls, message: str) -> dict[str, str]:
+        """Parse auth log message from sudo."""
+        if not (match := cls.RE_SUDO_COMMAND.search(message)):
+            return {}
+
+        additional_fields = {}
+        for key, value in match.groupdict().items():
+            additional_fields[key] = value
+
+        return additional_fields
+
+
+class SshdService(BaseService):
+    """Class for parsing sshd messages in the auth log."""
+
+    RE_SSHD_PORTREGEX = re.compile(r"port\s(\d+)")
+    RE_USER = re.compile(r"for\s([^\s]+)")
+
+    @classmethod
+    def parse(cls, message: str) -> dict[str, str | int]:
+        """Parse message from sshd"""
+        additional_fields = {}
+        if ip_address := RE_IPV4_ADDRESS.search(message):
+            field_name = "host_ip" if "listening" in message else "remote_ip"
+            additional_fields[field_name] = ip_address.group(0)
+        if port := cls.RE_SSHD_PORTREGEX.search(message):
+            additional_fields["port"] = int(port.group(1))
+        if user := cls.RE_USER.search(message):
+            additional_fields["user"] = user.group(1)
+        # Accepted publickey for test_user from 8.8.8.8 IP port 12345 ssh2: RSA SHA256:123456789asdfghjklertzuio
+        if "Accepted publickey" in message:
+            ssh_protocol, encryption_algo, key_info = message.split()[-3:]
+            hash_algo, key_hash = key_info.split(":")
+            additional_fields["ssh_protocol"] = ssh_protocol.strip(":")
+            additional_fields["encryption_algorithm"] = encryption_algo
+            additional_fields["hash_algorithm"] = hash_algo
+            additional_fields["key_hash"] = key_hash
+        if (failed := "Failed" in message) or "Accepted" in message:
+            action_type = "failed" if failed else "accepted"
+            additional_fields["action"] = f"{action_type} authentication"
+            additional_fields["authentication_type"] = "password" if "password" in message else "publickey"
+
+        return additional_fields
+
+
+class SystemdLogindService(BaseService):
+    """Class for parsing systemd-logind messages in the auth log."""
+
+    RE_SYSTEMD_LOGIND_WATCHING = re.compile(
+        r"""
+        (?P<action>Watching\ssystem\sbuttons)\s # Action is "Watching system buttons"
+        on\s(?P<device>[^\s]+)\s                # The device the button is related to -> /dev/input/event0
+        \((?P<device_name>.*?)\)                # The device (button) name -> (Power button)
+        """,
+        re.VERBOSE,
+    )
+
+    @classmethod
+    def parse(cls, message: str):
+        """Parse auth log message from systemd-logind."""
+        additional_fields = {}
+        # Example: Nov 14 07:14:09 ubuntu-1 systemd-logind[4]: Removed session 4.
+        if "Removed" in message:
+            additional_fields["action"] = "removed session"
+            additional_fields["session"] = message.split()[-1].strip(".")
+        elif "Watching" in message and (match := cls.RE_SYSTEMD_LOGIND_WATCHING.search(message)):
+            for key, value in match.groupdict().items():
+                additional_fields[key] = value
+        # Example: New session 4 of user sampleuser.
+        elif "New session" in message:
+            parts = message.removeprefix("New session ").split()
+            additional_fields["action"] = "new session"
+            additional_fields["session"] = parts[0]
+            additional_fields["user"] = parts[-1].strip(".")
+        # Example: Session 4 logged out. Waiting for processes to exit.
+        elif "logged out" in message:
+            session = message.removeprefix("Session ").split(maxsplit=1)[0]
+            additional_fields["action"] = "logged out session"
+            additional_fields["session"] = session
+        # Example: New seat seat0.
+        elif "New seat" in message:
+            seat = message.split()[-1].strip(".")
+            additional_fields["action"] = "new seat"
+            additional_fields["seat"] = seat
+
+        return additional_fields
+
+
+class SuService(BaseService):
+    """Class for parsing su messages in the auth log."""
+
+    RE_SU_BY = re.compile(r"by\s([^\s]+)")
+    RE_SU_ON = re.compile(r"on\s([^\s]+)")
+    RE_SU_COMMAND = re.compile(r"'(.*?)'")
+
+    @classmethod
+    def parse(cls, message: str) -> dict[str, str]:
+        additional_fields = {}
+        if user := RE_USER.search(message):
+            additional_fields["user"] = user.group(1)
+        if by := cls.RE_SU_BY.search(message):
+            additional_fields["by"] = by.group(1)
+        if on := cls.RE_SU_ON.search(message):
+            additional_fields["device"] = on.group(1)
+        if command := cls.RE_SU_COMMAND.search(message):
+            additional_fields["command"] = command.group(1)
+        if (failed := "failed" in message) or "Successful" in message:
+            additional_fields["su_result"] = "failed" if failed else "success"
+
+        return additional_fields
+
+
+class PkexecService(BaseService):
+    """Class for parsing pkexec messages in the auth log."""
+
+    RE_PKEXEC_COMMAND = re.compile(
+        r"""
+        (?P<user>\S+?):\sExecuting\scommand\s   # Starts with actual user -> user:
+        \[USER=(?P<effective_user>[^\]]+)\]\s   # The impersonated user -> [USER=root]
+        \[TTY=(?P<tty>[^\]]+)\]\s               # The tty -> [TTY=unknown]
+        \[CWD=(?P<cwd>[^\]]+)\]\s               # Current working directory -> [CWD=/home/user]
+        \[COMMAND=(?P<command>[^\]]+)\]         # Command -> [COMMAND=/usr/lib/example]
+        """,
+        re.VERBOSE,
+    )
+
+    @classmethod
+    def parse(cls, message: str) -> dict[str, str]:
+        """Parse auth log message from pkexec"""
+        additional_fields = {}
+        if exec_cmd := cls.RE_PKEXEC_COMMAND.search(message):
+            additional_fields["action"] = "executing command"
+            for key, value in exec_cmd.groupdict().items():
+                if value and value.isdigit():
+                    value = int(value)
+                additional_fields[key] = value
 
-_TS_REGEX = r"^[A-Za-z]{3}\s*[0-9]{1,2}\s[0-9]{1,2}:[0-9]{2}:[0-9]{2}"
-RE_TS = re.compile(_TS_REGEX)
-RE_TS_AND_HOSTNAME = re.compile(_TS_REGEX + r"\s\S+\s")
+        return additional_fields
+
+
+class PamUnixService(BaseService):
+    RE_PAM_UNIX = re.compile(
+        r"""
+        pam_unix\([^\s]+:session\):\s(?P<action>session\s\w+)\s     # Session action, usually opened or closed
+        for\suser\s(?P<user>[^\s\(]+)(?:\(uid=(?P<user_uid>\d+)\))? # User may contain uid like: root(uid=0)
+        (?:\sby\s\(uid=(?P<by_uid>\d+)\))?$                         # Opened action also contains by
+        """,
+        re.VERBOSE,
+    )
+
+    @classmethod
+    def parse(cls, message):
+        """Parse auth log message from pluggable authentication modules (PAM)."""
+        if not (match := cls.RE_PAM_UNIX.search(message)):
+            return {}
+
+        additional_fields = {}
+        for key, value in match.groupdict().items():
+            if value and value.isdigit():
+                value = int(value)
+            additional_fields[key] = value
+
+        return additional_fields
+
+
+class AuthLogRecordBuilder:
+    """Class for dynamically creating auth log records."""
+
+    RECORD_NAME = "linux/log/auth"
+    SERVICES: dict[str, BaseService] = {
+        "su": SuService,
+        "sudo": SudoService,
+        "sshd": SshdService,
+        "systemd-logind": SystemdLogindService,
+        "pkexec": PkexecService,
+    }
+
+    def __init__(self, target: Target):
+        self._create_event_descriptor = lru_cache(4096)(self._create_event_descriptor)
+        self.target = target
+
+    def _parse_additional_fields(self, service: str | None, message: str) -> dict[str, Any]:
+        """Parse additional fields in the message based on the service."""
+        if "pam_unix(" in message:
+            return PamUnixService.parse(message)
+
+        if service not in self.SERVICES:
+            self.target.log.debug("Service %s is not recognised, no additional fields could be parsed", service)
+            return {}
+
+        try:
+            return self.SERVICES[service].parse(message)
+        except Exception as e:
+            self.target.log.warning("Parsing additional fields in message '%s' for service %s failed", message, service)
+            self.target.log.debug("", exc_info=e)
+            raise e
+
+    def build_record(self, ts: datetime, source: Path, line: str) -> TargetRecordDescriptor:
+        """Builds an ``AuthLog`` event record."""
+
+        record_fields = [
+            ("datetime", "ts"),
+            ("path", "source"),
+            ("string", "service"),
+            ("varint", "pid"),
+            ("string", "message"),
+        ]
+
+        record_values = {
+            "ts": ts,
+            "message": line,
+            "service": None,
+            "pid": None,
+            "source": source,
+            "_target": self.target,
+        }
+
+        match = RE_LINE.search(line)
+        if match:
+            record_values.update(match.groupdict())
+
+        for key, value in self._parse_additional_fields(record_values["service"], line).items():
+            record_type = "string"
+            if isinstance(value, int):
+                record_type = "varint"
+
+            record_fields.append((record_type, key))
+            record_values[key] = value
+
+        # tuple conversion here is needed for lru_cache
+        desc = self._create_event_descriptor(tuple(record_fields))
+        return desc(**record_values)
+
+    def _create_event_descriptor(self, record_fields) -> TargetRecordDescriptor:
+        return TargetRecordDescriptor(self.RECORD_NAME, record_fields)
 
 
 class AuthPlugin(Plugin):
-    """Unix auth log plugin."""
+    """Unix authentication log plugin."""
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self._auth_log_builder = AuthLogRecordBuilder(target)
 
     def check_compatible(self) -> None:
         var_log = self.target.fs.path("/var/log")
         if not any(var_log.glob("auth.log*")) and not any(var_log.glob("secure*")):
             raise UnsupportedPluginError("No auth log files found")
 
-    @export(record=AuthLogRecord)
-    def securelog(self) -> Iterator[AuthLogRecord]:
-        """Return contents of /var/log/auth.log* and /var/log/secure*."""
-        return self.authlog()
+    @alias("securelog")
+    @export(record=DynamicDescriptor(["datetime", "path", "string"]))
+    def authlog(self) -> Iterator[Any]:
+        """Yield contents of ``/var/log/auth.log*`` and ``/var/log/secure*`` files.
+
+        Order of returned events is not guaranteed to be chronological because of year
+        rollover detection efforts for log files without a year in the timestamp.
+
+        The following timestamp formats are recognised automatically. This plugin
+        assumes that no custom ``date_format`` template is set in ``syslog-ng`` or ``systemd``
+        configuration (defaults to ``M d H:M:S``).
+
+        ISO formatted authlog entries are parsed as can be found in Ubuntu 24.04 and later.
 
-    @export(record=AuthLogRecord)
-    def authlog(self) -> Iterator[AuthLogRecord]:
-        """Return contents of /var/log/auth.log* and /var/log/secure*."""
+        .. code-block:: text
 
-        # Assuming no custom date_format template is set in syslog-ng or systemd (M d H:M:S)
-        # CentOS format: Jan 12 13:37:00 hostname daemon: message
-        # Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
+            CentOS format: Jan 12 13:37:00 hostname daemon: message
+            Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
+            Ubuntu  24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message
+
+        Resources:
+            - https://help.ubuntu.com/community/LinuxLogFiles
+        """
 
         tzinfo = self.target.datetime.tzinfo
 
         var_log = self.target.fs.path("/var/log")
         for auth_file in chain(var_log.glob("auth.log*"), var_log.glob("secure*")):
-            for ts, line in year_rollover_helper(auth_file, RE_TS, "%b %d %H:%M:%S", tzinfo):
-                ts_and_hostname = re.search(RE_TS_AND_HOSTNAME, line)
-                if not ts_and_hostname:
-                    self.target.log.warning("No timstamp and hostname found on one of the lines in %s.", auth_file)
-                    self.target.log.debug("Skipping this line: %s", line)
-                    continue
-
-                message = line.replace(ts_and_hostname.group(0), "").strip()
-                yield AuthLogRecord(
-                    ts=ts,
-                    message=message,
-                    source=auth_file,
-                    _target=self.target,
-                )
+            if is_iso_fmt(auth_file):
+                iterable = iso_readlines(auth_file)
+            else:
+                iterable = year_rollover_helper(auth_file, RE_TS, "%b %d %H:%M:%S", tzinfo)
+
+            for ts, line in iterable:
+                yield self._auth_log_builder.build_record(ts, auth_file, line)
+
+
+def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
+    """Iterator reading the provided auth log file in ISO format. Mimics ``year_rollover_helper`` behaviour."""
+    with open_decompress(file, "rt") as fh:
+        for line in fh:
+            if not (match := RE_TS_ISO.match(line)):
+                log.warning("No timestamp found in one of the lines in %s!", file)
+                log.debug("Skipping line: %s", line)
+                continue
+
+            try:
+                ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
+            except ValueError as e:
+                log.warning("Unable to parse ISO timestamp in line: %s", line)
+                log.debug("", exc_info=e)
+                continue
+
+            yield ts, line
+
+
+def is_iso_fmt(file: Path) -> bool:
+    """Determine if the provided auth log file uses new ISO format logging or not."""
+    return any(itertools.islice(iso_readlines(file), 0, 2))

dissect/target/plugins/os/unix/log/utmp.py

@@ -1,17 +1,17 @@
-import gzip
+from __future__ import annotations
+
 import ipaddress
 import struct
 from collections import namedtuple
 from typing import Iterator
 
 from dissect.cstruct import cstruct
-from dissect.util.stream import BufferedStream
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.fsutil import TargetPath, open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import OperatingSystem, Plugin, export
+from dissect.target.plugin import Plugin, alias, export
 from dissect.target.target import Target
 
 UTMP_FIELDS = [
@@ -27,16 +27,12 @@ UTMP_FIELDS = [
 
 BtmpRecord = TargetRecordDescriptor(
     "linux/log/btmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 WtmpRecord = TargetRecordDescriptor(
     "linux/log/wtmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 utmp_def = """
@@ -104,24 +100,13 @@ UTMP_ENTRY = namedtuple(
 class UtmpFile:
     """utmp maintains a full accounting of the current status of the system"""
 
-    def __init__(self, target: Target, path: TargetPath):
-        self.fh = target.fs.path(path).open()
-
-        if "gz" in path:
-            self.compressed = True
-        else:
-            self.compressed = False
+    def __init__(self, path: TargetPath):
+        self.fh = open_decompress(path, "rb")
 
     def __iter__(self):
-        if self.compressed:
-            gzip_entry = BufferedStream(gzip.open(self.fh, mode="rb"))
-            byte_stream = gzip_entry
-        else:
-            byte_stream = self.fh
-
         while True:
             try:
-                entry = c_utmp.entry(byte_stream)
+                entry = c_utmp.entry(self.fh)
 
                 r_type = ""
                 if entry.ut_type in c_utmp.Type:
@@ -151,7 +136,7 @@ class UtmpFile:
                             # ut_addr_v6 is parsed as IPv4 address. This could not lead to incorrect results.
                             ut_addr = ipaddress.ip_address(struct.pack("<i", entry.ut_addr_v6[0]))
 
-                utmp_entry = UTMP_ENTRY(
+                yield UTMP_ENTRY(
                     ts=from_unix(entry.ut_tv.tv_sec),
                     ut_type=r_type,
                     ut_pid=entry.ut_pid,
@@ -162,7 +147,6 @@ class UtmpFile:
                     ut_addr=ut_addr,
                 )
 
-                yield utmp_entry
             except EOFError:
                 break
 
@@ -170,17 +154,28 @@ class UtmpFile:
 class UtmpPlugin(Plugin):
     """Unix utmp log plugin."""
 
-    WTMP_GLOB = "/var/log/wtmp*"
-    BTMP_GLOB = "/var/log/btmp*"
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.btmp_paths = list(self.target.fs.path("/").glob("var/log/btmp*"))
+        self.wtmp_paths = list(self.target.fs.path("/").glob("var/log/wtmp*"))
+        self.utmp_paths = list(self.target.fs.path("/").glob("var/run/utmp*"))
 
     def check_compatible(self) -> None:
-        if not self.target.os == OperatingSystem.LINUX and not any(
-            [
-                list(self.target.fs.glob(self.BTMP_GLOB)),
-                list(self.target.fs.glob(self.WTMP_GLOB)),
-            ]
-        ):
-            raise UnsupportedPluginError("No WTMP or BTMP log files found")
+        if not any(self.btmp_paths + self.wtmp_paths + self.utmp_paths):
+            raise UnsupportedPluginError("No wtmp and/or btmp log files found")
+
+    def _build_record(self, record: TargetRecordDescriptor, entry: UTMP_ENTRY) -> Iterator[BtmpRecord | WtmpRecord]:
+        return record(
+            ts=entry.ts,
+            ut_type=entry.ut_type,
+            ut_pid=entry.ut_pid,
+            ut_user=entry.ut_user,
+            ut_line=entry.ut_line,
+            ut_id=entry.ut_id,
+            ut_host=entry.ut_host,
+            ut_addr=entry.ut_addr,
+            _target=self.target,
+        )
 
     @export(record=BtmpRecord)
     def btmp(self) -> Iterator[BtmpRecord]:
@@ -192,26 +187,18 @@ class UtmpPlugin(Plugin):
             - https://en.wikipedia.org/wiki/Utmp
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        btmp_paths = self.target.fs.glob(self.BTMP_GLOB)
-        for btmp_path in btmp_paths:
-            btmp = UtmpFile(self.target, btmp_path)
-
-            for entry in btmp:
-                yield BtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+        for path in self.btmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse btmp file: %s is not a file", path)
+                continue
 
+            for entry in UtmpFile(path):
+                yield self._build_record(BtmpRecord, entry)
+
+    @alias("utmp")
     @export(record=WtmpRecord)
     def wtmp(self) -> Iterator[WtmpRecord]:
-        """Return the content of the wtmp log files.
+        """Yield contents of wtmp log files.
 
         The wtmp file contains the historical data of the utmp file. The utmp file contains information about users
         logins at which terminals, logouts, system events and current status of the system, system boot time
@@ -220,19 +207,11 @@ class UtmpPlugin(Plugin):
         References:
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        wtmp_paths = self.target.fs.glob(self.WTMP_GLOB)
-        for wtmp_path in wtmp_paths:
-            wtmp = UtmpFile(self.target, wtmp_path)
-
-            for entry in wtmp:
-                yield WtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+
+        for path in self.wtmp_paths + self.utmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse wtmp file: %s is not a file", path)
+                continue
+
+            for entry in UtmpFile(path):
+                yield self._build_record(WtmpRecord, entry)

{dissect.target-3.20.dev45.dist-info → dissect.target-3.20.dev48.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev45
+Version: 3.20.dev48
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev45.dist-info → dissect.target-3.20.dev48.dist-info}/RECORD

@@ -268,11 +268,11 @@ dissect/target/plugins/os/unix/locate/plocate.py,sha256=0p7ibPPrDlQuJNjJbV4rU0fJ
 dissect/target/plugins/os/unix/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/log/atop.py,sha256=zjG5eKS-X0mpBXs-Sg2f7RfQvtjt0T8JcteNd9DB_ok,16361
 dissect/target/plugins/os/unix/log/audit.py,sha256=rZwxC90Q0FOB5BZxplTJwCTIp0hdVpaps1e3C1fRYaM,3754
-dissect/target/plugins/os/unix/log/auth.py,sha256=tYe54PGaJtLdBbM425_8VHJFvLqj6aqHuu6ZrQhqEKM,2417
+dissect/target/plugins/os/unix/log/auth.py,sha256=9NJvlo7Vbsp_ENJFpKd04PH_sUuOy6ueSBwQqY0MtKo,14546
 dissect/target/plugins/os/unix/log/journal.py,sha256=xe8p8MM_95uYjFNzNSP5IsoIthJtxwFEDicYR42RYAI,17681
 dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wr3-2n1-GwckN9mSx-yM55N6_L0PQyx6TGHoEvuc6c0,2515
 dissect/target/plugins/os/unix/log/messages.py,sha256=XtjZ0a2budgQm_K5JT3fMf7JcjuD0AelcD3zOFN2xpI,5732
-dissect/target/plugins/os/unix/log/utmp.py,sha256=n22dcjhclky3koF4MyRz1cBOmEeWwen6jstLsvfnMw8,7784
+dissect/target/plugins/os/unix/log/utmp.py,sha256=k2A69s2qUT2JunJrH8GO6nQ0zMDotXMTaj8OzQ7ljj8,7336
 dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/_os.py,sha256=-Bsp9696JqU7luh_AbqojzG9BxVdYIFl5Ma-LiFBQBo,12505
 dissect/target/plugins/os/windows/activitiescache.py,sha256=BbGD-vETHm1IRMoazVer_vqSJIoQxxhWcJ_xlBeOMds,6899
@@ -378,10 +378,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev45.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev45.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev45.dist-info/METADATA,sha256=h2ywkvsL6FJ-kD4V9jjhxVVxdXnDlucQJPtL5oAmG-c,12897
-dissect.target-3.20.dev45.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
-dissect.target-3.20.dev45.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev45.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev45.dist-info/RECORD,,
+dissect.target-3.20.dev48.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev48.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev48.dist-info/METADATA,sha256=coXjiskalhbUYyedrn0Fe49ZmJvIbeAaMYawTB3Q9QQ,12897
+dissect.target-3.20.dev48.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
+dissect.target-3.20.dev48.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev48.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev48.dist-info/RECORD,,