dissect.target 3.20.dev47__py3-none-any.whl → 3.20.dev48__py3-none-any.whl

dissect/target/plugins/os/unix/log/utmp.py

@@ -1,17 +1,17 @@
-import gzip
+from __future__ import annotations
+
 import ipaddress
 import struct
 from collections import namedtuple
 from typing import Iterator
 
 from dissect.cstruct import cstruct
-from dissect.util.stream import BufferedStream
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.fsutil import TargetPath, open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import OperatingSystem, Plugin, export
+from dissect.target.plugin import Plugin, alias, export
 from dissect.target.target import Target
 
 UTMP_FIELDS = [
@@ -27,16 +27,12 @@ UTMP_FIELDS = [
 
 BtmpRecord = TargetRecordDescriptor(
     "linux/log/btmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 WtmpRecord = TargetRecordDescriptor(
     "linux/log/wtmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 utmp_def = """
@@ -104,24 +100,13 @@ UTMP_ENTRY = namedtuple(
 class UtmpFile:
     """utmp maintains a full accounting of the current status of the system"""
 
-    def __init__(self, target: Target, path: TargetPath):
-        self.fh = target.fs.path(path).open()
-
-        if "gz" in path:
-            self.compressed = True
-        else:
-            self.compressed = False
+    def __init__(self, path: TargetPath):
+        self.fh = open_decompress(path, "rb")
 
     def __iter__(self):
-        if self.compressed:
-            gzip_entry = BufferedStream(gzip.open(self.fh, mode="rb"))
-            byte_stream = gzip_entry
-        else:
-            byte_stream = self.fh
-
         while True:
             try:
-                entry = c_utmp.entry(byte_stream)
+                entry = c_utmp.entry(self.fh)
 
                 r_type = ""
                 if entry.ut_type in c_utmp.Type:
@@ -151,7 +136,7 @@ class UtmpFile:
                             # ut_addr_v6 is parsed as IPv4 address. This could not lead to incorrect results.
                             ut_addr = ipaddress.ip_address(struct.pack("<i", entry.ut_addr_v6[0]))
 
-                utmp_entry = UTMP_ENTRY(
+                yield UTMP_ENTRY(
                     ts=from_unix(entry.ut_tv.tv_sec),
                     ut_type=r_type,
                     ut_pid=entry.ut_pid,
@@ -162,7 +147,6 @@ class UtmpFile:
                     ut_addr=ut_addr,
                 )
 
-                yield utmp_entry
             except EOFError:
                 break
 
@@ -170,17 +154,28 @@ class UtmpFile:
 class UtmpPlugin(Plugin):
     """Unix utmp log plugin."""
 
-    WTMP_GLOB = "/var/log/wtmp*"
-    BTMP_GLOB = "/var/log/btmp*"
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.btmp_paths = list(self.target.fs.path("/").glob("var/log/btmp*"))
+        self.wtmp_paths = list(self.target.fs.path("/").glob("var/log/wtmp*"))
+        self.utmp_paths = list(self.target.fs.path("/").glob("var/run/utmp*"))
 
     def check_compatible(self) -> None:
-        if not self.target.os == OperatingSystem.LINUX and not any(
-            [
-                list(self.target.fs.glob(self.BTMP_GLOB)),
-                list(self.target.fs.glob(self.WTMP_GLOB)),
-            ]
-        ):
-            raise UnsupportedPluginError("No WTMP or BTMP log files found")
+        if not any(self.btmp_paths + self.wtmp_paths + self.utmp_paths):
+            raise UnsupportedPluginError("No wtmp and/or btmp log files found")
+
+    def _build_record(self, record: TargetRecordDescriptor, entry: UTMP_ENTRY) -> Iterator[BtmpRecord | WtmpRecord]:
+        return record(
+            ts=entry.ts,
+            ut_type=entry.ut_type,
+            ut_pid=entry.ut_pid,
+            ut_user=entry.ut_user,
+            ut_line=entry.ut_line,
+            ut_id=entry.ut_id,
+            ut_host=entry.ut_host,
+            ut_addr=entry.ut_addr,
+            _target=self.target,
+        )
 
     @export(record=BtmpRecord)
     def btmp(self) -> Iterator[BtmpRecord]:
@@ -192,26 +187,18 @@ class UtmpPlugin(Plugin):
             - https://en.wikipedia.org/wiki/Utmp
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        btmp_paths = self.target.fs.glob(self.BTMP_GLOB)
-        for btmp_path in btmp_paths:
-            btmp = UtmpFile(self.target, btmp_path)
-
-            for entry in btmp:
-                yield BtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+        for path in self.btmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse btmp file: %s is not a file", path)
+                continue
 
+            for entry in UtmpFile(path):
+                yield self._build_record(BtmpRecord, entry)
+
+    @alias("utmp")
     @export(record=WtmpRecord)
     def wtmp(self) -> Iterator[WtmpRecord]:
-        """Return the content of the wtmp log files.
+        """Yield contents of wtmp log files.
 
         The wtmp file contains the historical data of the utmp file. The utmp file contains information about users
         logins at which terminals, logouts, system events and current status of the system, system boot time
@@ -220,19 +207,11 @@ class UtmpPlugin(Plugin):
         References:
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        wtmp_paths = self.target.fs.glob(self.WTMP_GLOB)
-        for wtmp_path in wtmp_paths:
-            wtmp = UtmpFile(self.target, wtmp_path)
-
-            for entry in wtmp:
-                yield WtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+
+        for path in self.wtmp_paths + self.utmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse wtmp file: %s is not a file", path)
+                continue
+
+            for entry in UtmpFile(path):
+                yield self._build_record(WtmpRecord, entry)

{dissect.target-3.20.dev47.dist-info → dissect.target-3.20.dev48.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev47
+Version: 3.20.dev48
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev47.dist-info → dissect.target-3.20.dev48.dist-info}/RECORD

@@ -272,7 +272,7 @@ dissect/target/plugins/os/unix/log/auth.py,sha256=9NJvlo7Vbsp_ENJFpKd04PH_sUuOy6
 dissect/target/plugins/os/unix/log/journal.py,sha256=xe8p8MM_95uYjFNzNSP5IsoIthJtxwFEDicYR42RYAI,17681
 dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wr3-2n1-GwckN9mSx-yM55N6_L0PQyx6TGHoEvuc6c0,2515
 dissect/target/plugins/os/unix/log/messages.py,sha256=XtjZ0a2budgQm_K5JT3fMf7JcjuD0AelcD3zOFN2xpI,5732
-dissect/target/plugins/os/unix/log/utmp.py,sha256=n22dcjhclky3koF4MyRz1cBOmEeWwen6jstLsvfnMw8,7784
+dissect/target/plugins/os/unix/log/utmp.py,sha256=k2A69s2qUT2JunJrH8GO6nQ0zMDotXMTaj8OzQ7ljj8,7336
 dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/_os.py,sha256=-Bsp9696JqU7luh_AbqojzG9BxVdYIFl5Ma-LiFBQBo,12505
 dissect/target/plugins/os/windows/activitiescache.py,sha256=BbGD-vETHm1IRMoazVer_vqSJIoQxxhWcJ_xlBeOMds,6899
@@ -378,10 +378,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev47.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev47.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev47.dist-info/METADATA,sha256=28qUe6AIKvwvWI58yI9VPiy1U86ihuVGMhzR-avNrtc,12897
-dissect.target-3.20.dev47.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
-dissect.target-3.20.dev47.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev47.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev47.dist-info/RECORD,,
+dissect.target-3.20.dev48.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev48.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev48.dist-info/METADATA,sha256=coXjiskalhbUYyedrn0Fe49ZmJvIbeAaMYawTB3Q9QQ,12897
+dissect.target-3.20.dev48.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
+dissect.target-3.20.dev48.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev48.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev48.dist-info/RECORD,,