dissect.target 3.20.dev60__py3-none-any.whl → 3.20.dev62__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -248,10 +248,16 @@ class FortiOSPlugin(LinuxPlugin):
                 self.target.log.warning("Exception while parsing FortiManager admin users")
                 self.target.log.debug("", exc_info=e)
 
-        if self._config.get("root-config"):
+        if self._config.get("root-config", {}).get("user", {}).get("local"):
             # Local users
             try:
                 local_groups = local_groups_to_users(self._config["root-config"]["user"]["group"])
+            except KeyError as e:
+                self.target.log.warning("Unable to get local user groups in root config")
+                self.target.log.debug("", exc_info=e)
+                local_groups = {}
+
+            try:
                 for username, entry in self._config["root-config"]["user"].get("local", {}).items():
                     try:
                         password = decrypt_password(entry["passwd"][-1])
@@ -269,6 +275,7 @@ class FortiOSPlugin(LinuxPlugin):
                 self.target.log.warning("Exception while parsing FortiOS local users")
                 self.target.log.debug("", exc_info=e)
 
+        if self._config.get("root-config", {}).get("user", {}).get("group", {}).get("guestgroup"):
             # Temporary guest users
             try:
                 for _, entry in (

dissect/target/plugins/os/windows/log/mssql.py

@@ -0,0 +1,103 @@
+import re
+from datetime import datetime, timezone
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+MssqlErrorlogRecord = TargetRecordDescriptor(
+    "microsoft/sql/errorlog",
+    [
+        ("datetime", "ts"),
+        ("string", "instance"),
+        ("string", "process"),
+        ("string", "message"),
+        ("path", "path"),
+    ],
+)
+
+RE_TIMESTAMP_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{2}")
+
+
+class MssqlPlugin(Plugin):
+    """Return information related to Microsoft SQL Server.
+
+    Currently returns ERRORLOG messages. These log files contain information such as:
+        - Logon failures
+        - Enabling/disabling of features, such as xp_cmdshell
+
+    References:
+        - https://learn.microsoft.com/en-us/sql/relational-databases/logs/view-offline-log-files
+    """
+
+    __namespace__ = "mssql"
+
+    MSSQL_KEY = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server"
+    FILE_GLOB = "ERRORLOG*"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.instances = self._find_instances()
+
+    def check_compatible(self) -> None:
+        if not self.instances:
+            raise UnsupportedPluginError("System does not seem to be running SQL Server")
+
+    @export(record=MssqlErrorlogRecord)
+    def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
+        """Return all Microsoft SQL Server ERRORLOG messages.
+
+        These log files contain information such as:
+         - Logon failures
+         - Enabling/disabling of features, such as xp_cmdshell
+
+        Yields MssqlErrorlogRecord instances with fields:
+
+        .. code-block:: text
+
+            ts (datetime): Timestamp of the log line.
+            instance (str): SQL Server instance name.
+            process (str): Process name.
+            message (str): Log message.
+            path (Path): Path to the log file.
+
+        References:
+            - https://learn.microsoft.com/en-us/sql/relational-databases/logs/view-offline-log-files
+        """
+
+        for instance, log_path in self.instances:
+            for errorlog in log_path.glob(self.FILE_GLOB):
+                # The errorlog includes a BOM, so endianess gets determined automatically
+                fh = errorlog.open(mode="rt", encoding="utf-16", errors="surrogateescape")
+                buf = ""
+
+                for line in fh:
+                    if ts := RE_TIMESTAMP_PATTERN.match(line):
+                        yield MssqlErrorlogRecord(
+                            ts=datetime.strptime(ts.group(), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
+                            instance=instance,
+                            # The process name is a fixed-width field and is always 12 characters long.
+                            process=buf[23:35].strip(),
+                            message=buf[35:].strip(),
+                            path=errorlog,
+                            _target=self.target,
+                        )
+                        buf = ""
+
+                    buf += line
+
+    def _find_instances(self) -> list[str, TargetPath]:
+        instances = []
+
+        for subkey in self.target.registry.key(self.MSSQL_KEY).subkeys():
+            if subkey.name.startswith("MSSQL") and "." in subkey.name:
+                instances.append(
+                    (
+                        subkey.name,
+                        self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
+                    )
+                )
+        return instances

{dissect.target-3.20.dev60.dist-info → dissect.target-3.20.dev62.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev60
+Version: 3.20.dev62
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev60.dist-info → dissect.target-3.20.dev62.dist-info}/RECORD

@@ -128,6 +128,7 @@ dissect/target/plugins/apps/browser/firefox.py,sha256=mZBBagFfIdiz9kUyK4Hi989I4g
 dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-CXZp39FVquRhPFGdTE,8801
 dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/container/docker.py,sha256=LTsZplaECSfO1Ysp_Y-9WsnNocsreu_iHO8fbSif3g0,16221
+dissect/target/plugins/apps/database/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/editor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/editor/editor.py,sha256=yJctXY0XTfwW3GKy6XLO2WaWFQLssdBck9ZOcZSyf80,495
 dissect/target/plugins/apps/editor/windowsnotepad.py,sha256=A9cfFrqbU2zjHRrzYsCnXr-uxKAIsVIKdXXJPYMt6MU,15068
@@ -251,7 +252,7 @@ dissect/target/plugins/os/unix/linux/debian/vyos/__init__.py,sha256=47DEQpj8HBSa
 dissect/target/plugins/os/unix/linux/debian/vyos/_os.py,sha256=TPjcfv1n68RCe3Er4aCVQwQDCZwJT-NLvje3kPjDfhk,1744
 dissect/target/plugins/os/unix/linux/fortios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/fortios/_keys.py,sha256=jDDHObfsUn9BGoIir9p4J_-rg9rI1rgoOfnL3R3lg4o,123358
-dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=381VI9TDMR2-XPwLsvCU8hcRgTz1H5yJ-q_sCNQzSiM,19790
+dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=7ZIwWFEfYwE924IvGfuinv1mEP6Uh28pl8VHSmsGKmM,20152
 dissect/target/plugins/os/unix/linux/fortios/generic.py,sha256=dc6YTDLV-VZq9k8IWmY_PE0sTGkkp3yamR-cYNUCtes,1265
 dissect/target/plugins/os/unix/linux/fortios/locale.py,sha256=Pe7Bdj8UemCiktLeQnQ50TpY_skARAzRJA0ewAB4710,5243
 dissect/target/plugins/os/unix/linux/redhat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -327,6 +328,7 @@ dissect/target/plugins/os/windows/log/amcache.py,sha256=TabtjNx9Ve-u-Fn0K95A0v_S
 dissect/target/plugins/os/windows/log/etl.py,sha256=t5GpunjzYMvAO9CBOP1ynH6053_PlasnIEIvlLNLU10,7255
 dissect/target/plugins/os/windows/log/evt.py,sha256=pYRVK3u309yK5pJoogohHWV2a_Lev8FK2zte_ys4SN8,7133
 dissect/target/plugins/os/windows/log/evtx.py,sha256=eSnMkU7HRmIDZ19WRsF9li08HuEOo51pRJDN2JOua5U,6148
+dissect/target/plugins/os/windows/log/mssql.py,sha256=sn9LZvKTaam15G1Vl2BZp2P6uph7_jw03L8P9NjlMKw,3745
 dissect/target/plugins/os/windows/log/pfro.py,sha256=d53Mm7ovZa9crSwVRPwjMVxTd_jCGtE1Kv07GslX9_s,2789
 dissect/target/plugins/os/windows/log/schedlgu.py,sha256=JaP8H8eTEypWXhx2aFSR_IMam6rQiksbLKhMr_U4fz8,5570
 dissect/target/plugins/os/windows/regf/7zip.py,sha256=Ox8cLyQtbyYQS7m4eY3onNv1K8N2IkS5wexrC55Urd4,3444
@@ -378,10 +380,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev60.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev60.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev60.dist-info/METADATA,sha256=PKJNh3uYMVxvxjgCZEqLjaaCG0258UlC3scxrul0ngQ,13025
-dissect.target-3.20.dev60.dist-info/WHEEL,sha256=a7TGlA-5DaHMRrarXjVbQagU3Man_dCnGIWMJr5kRWo,91
-dissect.target-3.20.dev60.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev60.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev60.dist-info/RECORD,,
+dissect.target-3.20.dev62.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev62.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev62.dist-info/METADATA,sha256=Jxh4wrXxgKedtQ0Hql8CSr6Q2kz64t25ZsD3aWz5RIg,13025
+dissect.target-3.20.dev62.dist-info/WHEEL,sha256=R06PA3UVYHThwHvxuRWMqaGcr-PuniXahwjmQRFMEkY,91
+dissect.target-3.20.dev62.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev62.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev62.dist-info/RECORD,,

{dissect.target-3.20.dev60.dist-info → dissect.target-3.20.dev62.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.4.0)
+Generator: setuptools (75.5.0)
 Root-Is-Purelib: true
 Tag: py3-none-any