dissect.target 3.20.dev64__py3-none-any.whl → 3.20.2.dev11__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import gzip
 import hashlib
+import struct
 from base64 import b64decode
 from datetime import datetime
 from io import BytesIO
@@ -17,11 +18,17 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor, UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
-from dissect.target.plugins.os.unix.linux.fortios._keys import KERNEL_KEY_MAP
+from dissect.target.plugins.os.unix.linux.fortios._keys import (
+    KERNEL_KEY_MAP,
+    AesKey,
+    ChaCha20Key,
+    ChaCha20Seed,
+)
 from dissect.target.target import Target
 
 try:
     from Crypto.Cipher import AES, ChaCha20
+    from Crypto.Util import Counter
 
     HAS_CRYPTO = True
 except ImportError:
@@ -95,8 +102,11 @@ class FortiOSPlugin(LinuxPlugin):
             # The rootfs.gz file could be encrypted.
             try:
                 kernel_hash = get_kernel_hash(sysvol)
-                key, iv = key_iv_for_kernel_hash(kernel_hash)
-                rfs_fh = decrypt_rootfs(rootfs.open(), key, iv)
+                target.log.info("Kernel hash: %s", kernel_hash)
+                key = key_iv_for_kernel_hash(kernel_hash)
+                target.log.info("Trying to decrypt_rootfs using key: %r", key)
+                rfs_fh = decrypt_rootfs(rootfs.open(), key)
+                target.log.info("Decrypted fh: %r", rfs_fh)
                 vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
             except RuntimeError:
                 target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
@@ -471,7 +481,7 @@ def decrypt_password(input: str) -> str:
         return "ENC:" + input
 
 
-def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
+def key_iv_for_kernel_hash(kernel_hash: str) -> AesKey | ChaCha20Key:
     """Return decryption key and IV for a specific sha256 kernel hash.
 
     The decryption key and IV are used to decrypt the ``rootfs.gz`` file.
@@ -486,17 +496,96 @@ def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
         ValueError: When no decryption keys are available for the given kernel hash.
     """
 
-    key = bytes.fromhex(KERNEL_KEY_MAP.get(kernel_hash, ""))
-    if len(key) == 32:
+    key = KERNEL_KEY_MAP.get(kernel_hash)
+    if isinstance(key, ChaCha20Seed):
         # FortiOS 7.4.x uses a KDF to derive the key and IV
-        return _kdf_7_4_x(key)
-    elif len(key) == 48:
+        key, iv = _kdf_7_4_x(key.key)
+        return ChaCha20Key(key, iv)
+    elif isinstance(key, ChaCha20Key):
         # FortiOS 7.0.13 and 7.0.14 uses a static key and IV
-        return key[:32], key[32:]
+        return key
+    elif isinstance(key, AesKey):
+        # FortiOS 7.0.16, 7.2.9, 7.4.4, 7.6.0 and higher uses AES-CTR with a custom CTR increment
+        return key
     raise ValueError(f"No known decryption keys for kernel hash: {kernel_hash}")
 
 
-def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
+def chacha20_decrypt(fh: BinaryIO, key: ChaCha20Key) -> bytes:
+    """Decrypt file using ChaCha20 with given ChaCha20Key.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: ChaCha20Key.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    # First 8 bytes = counter, last 8 bytes = nonce
+    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
+    # We're interested in updating the position in the ChaCha20 internal state, so to make
+    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
+    cipher = ChaCha20.new(key=key.key, nonce=key.iv[8:])
+    cipher.seek(int.from_bytes(key.iv[:8], "little") * 64)
+    return cipher.decrypt(fh.read())
+
+
+def calculate_counter_increment(iv: bytes) -> int:
+    """Calculate the custom FortiGate CTR increment from IV.
+
+    Args:
+        iv: 16 bytes IV.
+
+    Returns:
+        Custom CTR increment.
+    """
+    increment = 0
+    for i in range(16):
+        increment ^= (iv[i] & 15) ^ ((iv[i] >> 4) & 0xFF)
+    return max(increment, 1)
+
+
+def aes_decrypt(fh: BinaryIO, key: AesKey) -> bytes:
+    """Decrypt file using a custom AES CTR increment with given AesKey.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: AesKey.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    data = bytearray(fh.read())
+
+    # Calculate custom CTR increment from IV
+    increment = calculate_counter_increment(key.iv)
+    advance_block = (b"\x69" * 16) * (increment - 1)
+
+    # AES counter is little-endian and has a prefix
+    prefix, counter = struct.unpack("<8sQ", key.iv)
+    ctr = Counter.new(
+        64,
+        prefix=prefix,
+        initial_value=counter,
+        little_endian=True,
+        allow_wraparound=True,
+    )
+    cipher = AES.new(key.key, mode=AES.MODE_CTR, counter=ctr)
+
+    nblocks, nleft = divmod(len(data), 16)
+    for i in range(nblocks):
+        offset = i * 16
+        data[offset : offset + 16] = cipher.decrypt(data[offset : offset + 16])
+        cipher.decrypt(advance_block)  # custom advance the counter
+
+    if nleft:
+        data[nblocks * 16 :] = cipher.decrypt(data[nblocks * 16 :])
+
+    return data
+
+
+def decrypt_rootfs(fh: BinaryIO, key: ChaCha20Key | AesKey) -> BinaryIO:
     """Attempt to decrypt an encrypted ``rootfs.gz`` file with given key and IV.
 
     FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
@@ -511,8 +600,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
 
     Args:
         fh: File-like object to the encrypted rootfs.gz file.
-        key: ChaCha20 key.
-        iv: ChaCha20 iv.
+        key: ChaCha20Key or AesKey.
 
     Returns:
         File-like object to the decrypted rootfs.gz file.
@@ -525,13 +613,12 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     if not HAS_CRYPTO:
         raise RuntimeError("Missing pycryptodome dependency")
 
-    # First 8 bytes = counter, last 8 bytes = nonce
-    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
-    # We're interested in updating the position in the ChaCha20 internal state, so to make
-    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
-    cipher = ChaCha20.new(key=key, nonce=iv[8:])
-    cipher.seek(int.from_bytes(iv[:8], "little") * 64)
-    result = cipher.decrypt(fh.read())
+    result = b""
+    if isinstance(key, ChaCha20Key):
+        result = chacha20_decrypt(fh, key)
+    elif isinstance(key, AesKey):
+        result = aes_decrypt(fh, key)
+        result = result[:-256]  # strip off the 256 byte footer
 
     if result[0:2] != b"\x1f\x8b":
         raise ValueError("Failed to decrypt: No gzip magic header found.")
@@ -539,7 +626,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     return BytesIO(result)
 
 
-def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
+def _kdf_7_4_x(key_data: str | bytes, offset_key: int = 4, offset_iv: int = 5) -> tuple[bytes, bytes]:
     """Derive 32 byte key and 16 byte IV from 32 byte seed.
 
     As the IV needs to be 16 bytes, we return the first 16 bytes of the sha256 hash.
@@ -548,8 +635,8 @@ def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
     if isinstance(key_data, str):
         key_data = bytes.fromhex(key_data)
 
-    key = hashlib.sha256(key_data[4:32] + key_data[:4]).digest()
-    iv = hashlib.sha256(key_data[5:32] + key_data[:5]).digest()[:16]
+    key = hashlib.sha256(key_data[offset_key:32] + key_data[:offset_key]).digest()
+    iv = hashlib.sha256(key_data[offset_iv:32] + key_data[:offset_iv]).digest()[:16]
     return key, iv
 
 

dissect/target/plugins/os/unix/linux/network.py

@@ -0,0 +1,338 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from ipaddress import ip_address, ip_interface
+from typing import TYPE_CHECKING, Any, Iterator, Literal, NamedTuple
+
+from dissect.target.helpers import configutil
+from dissect.target.helpers.record import UnixInterfaceRecord
+from dissect.target.helpers.utils import to_list
+from dissect.target.plugins.general.network import NetworkPlugin
+
+if TYPE_CHECKING:
+    from ipaddress import IPv4Address, IPv4Interface, IPv6Address, IPv6Interface
+
+    from dissect.target import Target
+    from dissect.target.target import TargetPath
+
+    NetAddress = IPv4Address | IPv6Address
+    NetInterface = IPv4Interface | IPv6Interface
+
+
+class LinuxNetworkPlugin(NetworkPlugin):
+    """Linux network interface plugin."""
+
+    def _interfaces(self) -> Iterator[UnixInterfaceRecord]:
+        """Try all available network configuration managers and aggregate the results."""
+        for manager_cls in MANAGERS:
+            manager: LinuxNetworkConfigParser = manager_cls(self.target)
+            yield from manager.interfaces()
+
+
+VlanIdByInterface = dict[str, set[int]]
+
+
+class LinuxNetworkConfigParser:
+    def __init__(self, target: Target):
+        self._target = target
+
+    def _config_files(self, config_paths: list[str], glob: str) -> list[TargetPath]:
+        """Returns all configuration files in config_paths matching the given extension."""
+        all_files = []
+        for config_path in config_paths:
+            paths = self._target.fs.path(config_path).glob(glob)
+            all_files.extend(config_file for config_file in paths if config_file.is_file())
+
+        return sorted(all_files, key=lambda p: p.stem)
+
+    def interfaces(self) -> Iterator[UnixInterfaceRecord]:
+        """Parse network interfaces from configuration files."""
+        yield from ()
+
+
+class NetworkManagerConfigParser(LinuxNetworkConfigParser):
+    """NetworkManager configuration parser.
+
+    NetworkManager configuration files are generally in an INI-like format.
+    Note that Red Hat and Fedora deprecated ifcfg files.
+    Documentation: https://networkmanager.dev/docs/api/latest/nm-settings-keyfile.html
+    """
+
+    config_paths: list[str] = [
+        "/etc/NetworkManager/system-connections/",
+        "/usr/lib/NetworkManager/system-connections/",
+        "/run/NetworkManager/system-connections/",
+    ]
+
+    @dataclass
+    class ParserContext:
+        source: str
+        uuid: str | None = None
+        last_connected: datetime | None = None
+        name: str | None = None
+        mac_address: str | None = None
+        type: str = ""
+        dns: set[NetAddress] = field(default_factory=set)
+        ip_interfaces: set[NetInterface] = field(default_factory=set)
+        gateways: set[NetAddress] = field(default_factory=set)
+        dhcp_ipv4: bool = False
+        dhcp_ipv6: bool = False
+        vlan: set[int] = field(default_factory=set)
+
+        def to_record(self) -> UnixInterfaceRecord:
+            return UnixInterfaceRecord(
+                source=self.source,
+                last_connected=self.last_connected,
+                name=self.name,
+                mac=[self.mac_address] if self.mac_address else [],
+                type=self.type,
+                dhcp_ipv4=self.dhcp_ipv4,
+                dhcp_ipv6=self.dhcp_ipv6,
+                dns=list(self.dns),
+                ip=[interface.ip for interface in self.ip_interfaces],
+                network=[interface.network for interface in self.ip_interfaces],
+                gateway=list(self.gateways),
+                vlan=list(self.vlan),
+                configurator="NetworkManager",
+            )
+
+    def interfaces(self) -> Iterator[UnixInterfaceRecord]:
+        connections: list[NetworkManagerConfigParser.ParserContext] = []
+        vlan_id_by_interface: VlanIdByInterface = {}
+
+        for connection_file_path in self._config_files(self.config_paths, "*"):
+            try:
+                config = configutil.parse(connection_file_path, hint="ini")
+                context = self.ParserContext(source=connection_file_path)
+                common_section: dict[str, str] = config.get("connection", {})
+                context.type = common_section.get("type", "")
+                sub_type: dict[str, str] = config.get(context.type, {})
+
+                if context.type == "vlan":
+                    self._parse_vlan(sub_type, vlan_id_by_interface)
+                    continue
+
+                for ip_version in ["ipv4", "ipv6"]:
+                    ip_section: dict[str, str] = config.get(ip_version, {})
+                    for key, value in ip_section.items():
+                        self._parse_ip_section_key(key, value, context, ip_version)
+
+                context.name = common_section.get("interface-name")
+                context.mac_address = sub_type.get("mac-address")
+                context.uuid = common_section.get("uuid")
+                context.source = str(connection_file_path)
+                context.last_connected = self._parse_lastconnected(common_section.get("timestamp", ""))
+
+                connections.append(context)
+
+            except Exception as e:
+                self._target.log.warning("Error parsing network config file %s", connection_file_path)
+                self._target.log.debug("", exc_info=e)
+
+        for connection in connections:
+            vlan_ids_from_interface = vlan_id_by_interface.get(connection.name, set())
+            connection.vlan.update(vlan_ids_from_interface)
+
+            vlan_ids_from_uuid = vlan_id_by_interface.get(connection.uuid, set())
+            connection.vlan.update(vlan_ids_from_uuid)
+
+            yield connection.to_record()
+
+    def _parse_route(self, route: str) -> NetAddress | None:
+        """Parse a route and return gateway IP address."""
+        if (elements := route.split(",")) and len(elements) > 1:
+            return ip_address(elements[1])
+
+        return None
+
+    def _parse_lastconnected(self, last_connected: str) -> datetime | None:
+        """Parse last connected timestamp."""
+        if not last_connected:
+            return None
+
+        return datetime.fromtimestamp(int(last_connected), timezone.utc)
+
+    def _parse_ip_section_key(
+        self, key: str, value: str, context: ParserContext, ip_version: Literal["ipv4", "ipv6"]
+    ) -> None:
+        if not (trimmed := value.strip()):
+            return
+
+        if key == "dns":
+            context.dns.update(ip_address(addr) for addr in trimmed.split(";") if addr)
+        elif key.startswith("address"):
+            # Undocumented: single gateway on address line. Observed when running:
+            # nmcli connection add type ethernet ... ip4 192.168.2.138/24 gw4 192.168.2.1
+            ip, *gateway = trimmed.split(",", 1)
+            context.ip_interfaces.add(ip_interface(ip))
+            if gateway:
+                context.gateways.add(ip_address(gateway[0]))
+        elif key.startswith("gateway"):
+            context.gateways.add(ip_address(trimmed))
+        elif key == "method":
+            if ip_version == "ipv4":
+                context.dhcp_ipv4 = trimmed == "auto"
+            elif ip_version == "ipv6":
+                context.dhcp_ipv6 = trimmed == "auto"
+        elif key.startswith("route"):
+            if gateway := self._parse_route(value):
+                context.gateways.add(gateway)
+
+    def _parse_vlan(self, sub_type: dict[str, Any], vlan_id_by_interface: VlanIdByInterface) -> None:
+        parent_interface = sub_type.get("parent")
+        vlan_id = sub_type.get("id")
+        if not parent_interface or not vlan_id:
+            return
+
+        ids = vlan_id_by_interface.setdefault(parent_interface, set())
+        ids.add(int(vlan_id))
+
+
+class SystemdNetworkConfigParser(LinuxNetworkConfigParser):
+    """Systemd network configuration parser.
+
+    Systemd network configuration files are generally in an INI-like format with some quirks.
+    Note that drop-in directories are not yet supported.
+
+    Documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html
+    """
+
+    config_paths: list[str] = [
+        "/etc/systemd/network/",
+        "/run/systemd/network/",
+        "/usr/lib/systemd/network/",
+        "/usr/local/lib/systemd/network/",
+    ]
+
+    class DhcpConfig(NamedTuple):
+        ipv4: bool
+        ipv6: bool
+
+    # Can be enclosed in brackets for IPv6. Can also have port, iface name, and SNI, which we ignore.
+    # Example: [1111:2222::3333]:9953%ifname#example.com
+    dns_ip_patttern = re.compile(
+        r"(?P<withoutBrackets>(?:\d{1,3}\.){3}\d{1,3})|\[(?P<withBrackets>\[?[0-9a-fA-F:]+\]?)\]"
+    )
+
+    def interfaces(self) -> Iterator:
+        virtual_networks = self._parse_virtual_networks()
+        yield from self._parse_networks(virtual_networks)
+
+    def _parse_virtual_networks(self) -> VlanIdByInterface:
+        """Parse virtual network configurations from systemd network configuration files."""
+
+        virtual_networks: VlanIdByInterface = {}
+        for config_file in self._config_files(self.config_paths, "*.netdev"):
+            try:
+                virtual_network_config = configutil.parse(config_file, hint="systemd")
+                net_dev_section: dict[str, str] = virtual_network_config.get("NetDev", {})
+                if net_dev_section.get("Kind") != "vlan":
+                    continue
+
+                vlan_id = virtual_network_config.get("VLAN", {}).get("Id")
+                if (name := net_dev_section.get("Name")) and vlan_id:
+                    vlan_ids = virtual_networks.setdefault(name, set())
+                    vlan_ids.add(int(vlan_id))
+            except Exception as e:
+                self._target.log.warning("Error parsing virtual network config file %s", config_file)
+                self._target.log.debug("", exc_info=e)
+
+        return virtual_networks
+
+    def _parse_networks(self, virtual_networks: VlanIdByInterface) -> Iterator[UnixInterfaceRecord]:
+        """Parse network configurations from systemd network configuration files."""
+        for config_file in self._config_files(self.config_paths, "*.network"):
+            try:
+                config = configutil.parse(config_file, hint="systemd")
+
+                match_section: dict[str, str] = config.get("Match", {})
+                network_section: dict[str, str] = config.get("Network", {})
+                link_section: dict[str, str] = config.get("Link", {})
+
+                ip_interfaces: set[NetInterface] = set()
+                gateways: set[NetAddress] = set()
+                dns: set[NetAddress] = set()
+                mac_addresses: set[str] = set()
+
+                if link_mac := link_section.get("MACAddress"):
+                    mac_addresses.add(link_mac)
+                mac_addresses.update(match_section.get("MACAddress", "").split())
+                mac_addresses.update(match_section.get("PermanentMACAddress", "").split())
+
+                dns_value = to_list(network_section.get("DNS", []))
+                dns.update(self._parse_dns_ip(dns_ip) for dns_ip in dns_value)
+
+                address_value = to_list(network_section.get("Address", []))
+                ip_interfaces.update(ip_interface(addr) for addr in address_value)
+
+                gateway_value = to_list(network_section.get("Gateway", []))
+                gateways.update(ip_address(gateway) for gateway in gateway_value)
+
+                vlan_ids: set[int] = set()
+                vlan_names = to_list(network_section.get("VLAN", []))
+                for vlan_name in vlan_names:
+                    if ids := virtual_networks.get(vlan_name):
+                        vlan_ids.update(ids)
+
+                # There are possibly multiple route sections, but they are collapsed into one by the parser.
+                route_section: dict[str, Any] = config.get("Route", {})
+                gateway_values = to_list(route_section.get("Gateway", []))
+                gateways.update(filter(None, map(self._parse_gateway, gateway_values)))
+
+                dhcp_ipv4, dhcp_ipv6 = self._parse_dhcp(network_section.get("DHCP"))
+
+                yield UnixInterfaceRecord(
+                    source=str(config_file),
+                    type=match_section.get("Type"),
+                    enabled=None,  # Unknown, dependent on run-time state
+                    dhcp_ipv4=dhcp_ipv4,
+                    dhcp_ipv6=dhcp_ipv6,
+                    name=match_section.get("Name"),
+                    dns=list(dns),
+                    mac=list(mac_addresses),
+                    ip=[interface.ip for interface in ip_interfaces],
+                    network=[interface.network for interface in ip_interfaces],
+                    gateway=list(gateways),
+                    vlan=list(vlan_ids),
+                    configurator="systemd-networkd",
+                )
+            except Exception as e:
+                self._target.log.warning("Error parsing network config file %s", config_file)
+                self._target.log.debug("", exc_info=e)
+
+    def _parse_dns_ip(self, address: str) -> NetAddress:
+        """Parse DNS address from systemd network configuration file.
+
+        The optional brackets and port number make this hard to parse.
+        See https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html and search for DNS.
+        """
+
+        if match := self.dns_ip_patttern.search(address):
+            return ip_address(match.group("withoutBrackets") or match.group("withBrackets"))
+
+        raise ValueError(f"Invalid DNS address format: {address}")
+
+    def _parse_dhcp(self, value: str | None) -> DhcpConfig:
+        """Parse DHCP value from systemd network configuration file to a named tuple (ipv4, ipv6)."""
+
+        if value is None or value == "no":
+            return self.DhcpConfig(ipv4=False, ipv6=False)
+        elif value == "yes":
+            return self.DhcpConfig(ipv4=True, ipv6=True)
+        elif value == "ipv4":
+            return self.DhcpConfig(ipv4=True, ipv6=False)
+        elif value == "ipv6":
+            return self.DhcpConfig(ipv4=False, ipv6=True)
+
+        raise ValueError(f"Invalid DHCP value: {value}")
+
+    def _parse_gateway(self, value: str | None) -> NetAddress | None:
+        if (not value) or (value in {"_dhcp4", "_ipv6ra"}):
+            return None
+
+        return ip_address(value)
+
+
+MANAGERS = [NetworkManagerConfigParser, SystemdNetworkConfigParser]

dissect/target/plugins/os/unix/linux/network_managers.py

@@ -567,7 +567,7 @@ def parse_unix_dhcp_log_messages(target: Target, iter_all: bool = False) -> set[
             continue
 
         # Debian and CentOS dhclient
-        if hasattr(record, "daemon") and record.daemon == "dhclient" and "bound to" in line:
+        if hasattr(record, "service") and record.service == "dhclient" and "bound to" in line:
             ip = line.split("bound to")[1].split(" ")[1].strip()
             ips.add(ip)
             continue

dissect/target/plugins/os/unix/log/auth.py

@@ -1,6 +1,5 @@
 from __future__ import annotations
 
-import itertools
 import logging
 import re
 from abc import ABC, abstractmethod
@@ -12,24 +11,18 @@ from typing import Any, Iterator
 
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
 from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.os.unix.log.helpers import (
+    RE_LINE,
+    RE_TS,
+    is_iso_fmt,
+    iso_readlines,
+)
 
 log = logging.getLogger(__name__)
 
-RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
-RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
-RE_LINE = re.compile(
-    r"""
-    \d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
-    (?P<hostname>\S+)\s                     # The hostname
-    (?P<service>\S+?)(\[(?P<pid>\d+)\])?:   # The service with optionally the PID between brackets
-    \s*(?P<message>.+?)\s*$                 # The log message stripped from spaces left and right
-    """,
-    re.VERBOSE,
-)
 
 # Generic regular expressions
 RE_IPV4_ADDRESS = re.compile(
@@ -347,27 +340,3 @@ class AuthPlugin(Plugin):
 
             for ts, line in iterable:
                 yield self._auth_log_builder.build_record(ts, auth_file, line)
-
-
-def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
-    """Iterator reading the provided auth log file in ISO format. Mimics ``year_rollover_helper`` behaviour."""
-    with open_decompress(file, "rt") as fh:
-        for line in fh:
-            if not (match := RE_TS_ISO.match(line)):
-                log.warning("No timestamp found in one of the lines in %s!", file)
-                log.debug("Skipping line: %s", line)
-                continue
-
-            try:
-                ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
-            except ValueError as e:
-                log.warning("Unable to parse ISO timestamp in line: %s", line)
-                log.debug("", exc_info=e)
-                continue
-
-            yield ts, line
-
-
-def is_iso_fmt(file: Path) -> bool:
-    """Determine if the provided auth log file uses new ISO format logging or not."""
-    return any(itertools.islice(iso_readlines(file), 0, 2))

dissect/target/plugins/os/unix/log/helpers.py

@@ -0,0 +1,46 @@
+import itertools
+import logging
+import re
+from datetime import datetime
+from pathlib import Path
+from typing import Iterator
+
+from dissect.target.helpers.fsutil import open_decompress
+
+log = logging.getLogger(__name__)
+
+RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
+RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
+RE_LINE = re.compile(
+    r"""
+    \d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
+    (?:\S+)\s                               # The hostname, but do not capture it
+    (?P<service>\S+?)(\[(?P<pid>\d+)\])?:    # The service / daemon with optionally the PID between brackets
+    \s*(?P<message>.+?)\s*$                 # The log message stripped from spaces left and right
+    """,
+    re.VERBOSE,
+)
+
+
+def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
+    """Iterator reading the provided log file in ISO format. Mimics ``year_rollover_helper`` behaviour."""
+    with open_decompress(file, "rt") as fh:
+        for line in fh:
+            if not (match := RE_TS_ISO.match(line)):
+                log.warning("No timestamp found in one of the lines in %s!", file)
+                log.debug("Skipping line: %s", line)
+                continue
+
+            try:
+                ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
+            except ValueError as e:
+                log.warning("Unable to parse ISO timestamp in line: %s", line)
+                log.debug("", exc_info=e)
+                continue
+
+            yield ts, line
+
+
+def is_iso_fmt(file: Path) -> bool:
+    """Determine if the provided log file uses ISO 8601 timestamp format logging or not."""
+    return any(itertools.islice(iso_readlines(file), 0, 2))