:py:mod:`dissect.target.plugins.os.unix.log.utmp`
=================================================

.. py:module:: dissect.target.plugins.os.unix.log.utmp


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.log.utmp.UtmpFile
   dissect.target.plugins.os.unix.log.utmp.UtmpPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.log.utmp.UTMP_FIELDS
   dissect.target.plugins.os.unix.log.utmp.BtmpRecord
   dissect.target.plugins.os.unix.log.utmp.WtmpRecord
   dissect.target.plugins.os.unix.log.utmp.c_utmp
   dissect.target.plugins.os.unix.log.utmp.utmp
   dissect.target.plugins.os.unix.log.utmp.UTMP_ENTRY


.. py:data:: UTMP_FIELDS
   :value: [('datetime', 'ts'), ('string', 'ut_type'), ('string', 'ut_user'), ('varint', 'ut_pid'),...

.. py:data:: BtmpRecord

.. py:data:: WtmpRecord

.. py:data:: c_utmp
   :value: Multiline-String

   .. code-block:: python

      """
      #define UT_LINESIZE 32
      #define UT_NAMESIZE 32
      #define UT_HOSTSIZE 256

      typedef uint32 pid_t;

      enum Type : char {
          EMPTY         = 0x0,
          RUN_LVL       = 0x1,
          BOOT_TIME     = 0x2,
          NEW_TIME      = 0x3,
          OLD_TIME      = 0x4,
          INIT_PROCESS  = 0x5,
          LOGIN_PROCESS = 0x6,
          USER_PROCESS  = 0x7,
          DEAD_PROCESS  = 0x8,
          ACCOUNTING    = 0x9,
      };

      struct exit_status {
          uint16 e_termination;
          uint16 e_exit;
      };

      struct {
          uint32 tv_sec;
          uint32 tv_usec;
      } timeval;

      struct entry {
          uint32 ut_type;
          pid_t ut_pid;
          char ut_line[UT_LINESIZE];
          char ut_id[4];
          char ut_user[UT_NAMESIZE];
          char ut_host[UT_HOSTSIZE];
          struct exit_status ut_exit;
          long ut_session;
          struct timeval ut_tv;
          int32_t ut_addr_v6[4];  // Internet address of remote host; IPv4 address uses just ut_addr_v6[0]
          char __unused[20];
      };
      """
.. py:data:: utmp

.. py:data:: UTMP_ENTRY

.. py:class:: UtmpFile(target: dissect.target.target.Target, path: dissect.target.helpers.fsutil.TargetPath)

   utmp maintains a full accounting of the current status of the system.

   .. py:method:: __iter__()


.. py:class:: UtmpPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Base class for plugins.

   Plugins can optionally be namespaced by specifying the ``__namespace__`` class attribute.
   Namespacing results in your plugin needing to be prefixed with this namespace when being called.
   For example, if your plugin has specified ``test`` as namespace and a function called ``example``,
   you must call your plugin with ``test.example``.

   A ``Plugin`` class has the following private class attributes:

   - ``__namespace__``
   - ``__record_descriptors__``

   With the following three being assigned in :func:`register`:

   - ``__plugin__``
   - ``__functions__``
   - ``__exports__``

   Additionally, the methods and attributes of :class:`Plugin` receive more private attributes by using decorators.

   The :func:`export` decorator adds the following private attributes:

   - ``__exported__``
   - ``__output__``: Set with the :func:`export` decorator.
   - ``__record__``: Set with the :func:`export` decorator.

   The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.
   Finally, the :func:`args` decorator sets the ``__args__`` attribute.

   :param target: The :class:`~dissect.target.target.Target` object to load the plugin for.

   .. py:attribute:: WTMP_GLOB
      :value: '/var/log/wtmp*'

   .. py:attribute:: BTMP_GLOB
      :value: '/var/log/btmp*'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: btmp() -> Iterator[BtmpRecord]

      Return failed login attempts stored in the btmp file.

      On a Linux system, failed login attempts are stored in the btmp file located in the /var/log/ directory.

      .. rubric:: References

      - https://en.wikipedia.org/wiki/Utmp
      - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/

   .. py:method:: wtmp() -> Iterator[WtmpRecord]

      Return the content of the wtmp log files.

      The wtmp file contains the historical data of the utmp file. The utmp file contains information about
      which users logged in at which terminals, logouts, system events, the current status of the system,
      the system boot time (used by uptime), etc.

      .. rubric:: References

      - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
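The ``c_utmp`` definition above is all that is needed to read wtmp and btmp files offline. The following stand-alone parser is an added example written for this page; it is not dissect's own code and does not use the dissect API. It assumes the layout in ``c_utmp`` with little-endian byte order and a 32-bit ``long ut_session``, which gives the 384-byte record found in ``/var/log/wtmp`` and ``/var/log/btmp`` on x86-64 Linux. It goes a little beyond the page: it decodes ``ut_addr_v6`` following the IPv4-in-word-0 rule from the struct comment, ignores a truncated trailing record, and pairs ``USER_PROCESS`` entries with the next ``DEAD_PROCESS`` on the same ``ut_line`` into sessions, roughly as ``last(1)`` does. All names (``parse_utmp``, ``build_entry``, ``sessions``) and sample data are constructed for the example.

```python
"""Stand-alone parser for Linux utmp/wtmp/btmp records (added example, not dissect code).

Assumptions: field layout as in the page's c_utmp definition, little-endian byte order,
32-bit ``long ut_session`` -> 384-byte records (x86-64 Linux glibc layout).
"""
from __future__ import annotations

import ipaddress
import struct
from datetime import datetime, timezone
from typing import Optional

UT_LINESIZE, UT_NAMESIZE, UT_HOSTSIZE = 32, 32, 256
# ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, e_termination, e_exit,
# ut_session, tv_sec, tv_usec, ut_addr_v6[4], __unused[20]
ENTRY = struct.Struct(f"<II{UT_LINESIZE}s4s{UT_NAMESIZE}s{UT_HOSTSIZE}sHHiII4i20s")
assert ENTRY.size == 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-size char array up to the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def _remote_addr(words: tuple) -> Optional[str]:
    """ut_addr_v6 stores the address bytes in memory order; IPv4 uses only word 0.
    Caveat inherent to the format: an IPv6 address whose last 12 bytes are zero is
    indistinguishable from an IPv4 address, so it is reported as IPv4 here."""
    if words[1] == words[2] == words[3] == 0:
        return str(ipaddress.IPv4Address(struct.pack("<i", words[0]))) if words[0] else None
    return str(ipaddress.IPv6Address(struct.pack("<4i", *words)))


def parse_utmp(data: bytes) -> list[dict]:
    """Parse every complete 384-byte record; a truncated trailing record is ignored."""
    records = []
    for off in range(0, len(data) - ENTRY.size + 1, ENTRY.size):
        (ut_type, pid, line, ut_id, user, host, e_term, e_exit, session,
         tv_sec, tv_usec, *addr, _unused) = ENTRY.unpack_from(data, off)
        records.append({
            "ts": datetime.fromtimestamp(tv_sec + tv_usec / 1e6, tz=timezone.utc),
            "ut_type": UT_TYPES.get(ut_type, f"UNKNOWN_{ut_type}"),
            "ut_pid": pid, "ut_line": _cstr(line), "ut_id": _cstr(ut_id),
            "ut_user": _cstr(user), "ut_host": _cstr(host),
            "ut_exit": (e_term, e_exit), "ut_session": session,
            "ut_addr": _remote_addr(tuple(addr)),
        })
    return records


def sessions(records: list[dict]) -> list[dict]:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same ut_line (roughly like last(1)).
    Logins never closed in the file are reported with logout=None ("still logged in")."""
    open_by_line, out = {}, []
    for r in records:
        if r["ut_type"] == "USER_PROCESS":
            open_by_line[r["ut_line"]] = r
        elif r["ut_type"] == "DEAD_PROCESS" and r["ut_line"] in open_by_line:
            login = open_by_line.pop(r["ut_line"])
            out.append({"user": login["ut_user"], "line": login["ut_line"], "from": login["ut_addr"],
                        "login": login["ts"], "logout": r["ts"],
                        "duration_s": (r["ts"] - login["ts"]).total_seconds()})
    for login in open_by_line.values():
        out.append({"user": login["ut_user"], "line": login["ut_line"], "from": login["ut_addr"],
                    "login": login["ts"], "logout": None, "duration_s": None})
    return out


def build_entry(ut_type: int, pid: int, line: str, ut_id: str, user: str, host: str,
                ts: float, addr: str = "") -> bytes:
    """Pack one record in the same layout; used here only to construct sample data."""
    words = (0, 0, 0, 0)
    if addr:  # IPv4 fills ut_addr_v6[0] only, the remaining words stay zero
        words = struct.unpack("<4i", ipaddress.ip_address(addr).packed.ljust(16, b"\x00"))
    sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
    return ENTRY.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                      host.encode(), 0, 0, 0, sec, usec, *words, b"")


# Constructed sample data (documentation IP ranges, made-up users and timestamps).
T0 = 1_700_000_000  # 2023-11-14T22:13:20Z
SAMPLE_WTMP = b"".join([
    build_entry(2, 0, "~", "~~", "reboot", "6.1.0-example", T0),
    build_entry(7, 1234, "pts/0", "ts/0", "alice", "192.0.2.10", T0 + 60, "192.0.2.10"),
    build_entry(8, 1234, "pts/0", "ts/0", "", "", T0 + 3660),
    build_entry(7, 1300, "pts/1", "ts/1", "bob", "2001:db8::1", T0 + 120, "2001:db8::1"),
])
SAMPLE_BTMP = build_entry(6, 2000, "ssh:notty", "", "root", "198.51.100.7", T0 + 90, "198.51.100.7")

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        print(s)
    for r in parse_utmp(SAMPLE_BTMP):
        print("failed login:", r["ut_user"], "from", r["ut_addr"], "at", r["ts"])
```

Running the block against a real ``/var/log/wtmp`` only requires replacing ``SAMPLE_WTMP`` with the file's bytes; rotated files (``wtmp.1``, ``btmp.1``) use the same layout, which is why the plugin globs ``/var/log/wtmp*`` and ``/var/log/btmp*``. Note that the struct carries no integrity protection: the fields are plain fixed-width text, so a tampered or partially overwritten file parses without error, and a truncated last record is the usual sign of a crash or an in-progress write rather than malice.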