Create class for Linux network interface plugin

Open DissectBot opened this issue 1 year ago • 0 comments

Task 4/4 for network interface plugin

  • Create Linux OS-specific class
  • separate DHCP and static IP
  • calculate network subnet (using method in base class)
  • Below is the design scheme with notes for Linux:
windows/
    _os.py
    network.py

_os.py:
    Still has the ips export for backwards compatibility
    
network.py
    Can take inspiration from datetime namespace plugin.
    
    Define a NetworkPlugin based on a base class with some defined exports.
    It should be defined in plugins/general/network.py, so that the Default OS plugin can also make use of it. 
    The exported functions can just return empty iterators.
    
    Should also have some @internal functions for interface lookup (similar to user_details)
    
    - interfaces
      - InterfaceRecord
        - Base record for common stuff, OS specialized fields where applicable
          - Can take inspiration from UserRecord/Browser*Record
        - Fields (in no particular order):
          - Type (TUN/TAP/Physical)
          - Name
          - Enabled/disabled
          - MAC (optional)
          - IP / subnet
          - VLAN? (macOS/Windows)
          - Gateway
          - DNS server / Search domain (Windows/macOS specific?)
          - Proxy (at least macOS specific)
          - Metric (Windows specific)
          - Interface service order (macOS)
          - Last connected (maybe only Windows?)
          - Config source (similar to how we use the source field in other records)
    - ips -> shorthand for getting all ips
    - gateways/mac/dns/other common fields -> idem as ^

Linux notes:
  - Need to parse information from static configuration files on disk
  - Maybe not initially, but should also support parsing information from log files (e.g. messages/sysvol/journalctl) for similar information
    - ips in LinuxPlugin already does this
    - This is best effort information, but very valuable if dissect can do this for the analyst
  - Could also be nice to extend with /proc information down the line
  - Maybe each network manager can be its own "NetworkPlugin", and there's a "parent" network plugin that loads as many compatible sub-network plugins and just iterates over all of them.
    - Like the browser/other similar namespace plugins
    - Log based can be a separate one of these as well
  - Can utilize Unix config parser

DissectBot, Jul 31 '24 15:07
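
An added sketch of the Linux task items above (parse a static configuration file, separate DHCP from static interfaces, calculate the subnet); it is not dissect code and not part of the issue. It assumes the Debian ifupdown format (/etc/network/interfaces) as the configuration source, and the names Interface, parse_interfaces and split_by_method are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample in Debian ifupdown format (/etc/network/interfaces).
SAMPLE = """\
auto eth0 eth1
iface lo inet loopback
iface eth0 inet dhcp
iface eth1 inet static
    address 192.168.10.25
    netmask 255.255.255.0
    gateway 192.168.10.1
# comments are only valid on a line of their own in this format
iface eth2 inet static
    address 10.0.5.7/22
"""
@dataclass
class Interface:  # hypothetical record, not dissect's InterfaceRecord
    name: str
    method: str  # "dhcp", "static", "loopback", ...
    options: dict
    def network(self):
        """Subnet of a static address; None when the file holds no address (DHCP)."""
        addr = self.options.get("address")
        if self.method != "static" or not addr:
            return None
        if "/" not in addr and "netmask" in self.options:
            addr = f"{addr}/{self.options['netmask']}"
        return ipaddress.ip_interface(addr).network

def parse_interfaces(text):
    """Collect iface stanzas and the option lines that follow each of them."""
    result, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = Interface(words[1], words[3], {})
            result.append(current)
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None  # a new non-iface stanza ends the current one
        elif current is not None and len(words) > 1:
            current.options[words[0]] = " ".join(words[1:])
    return result

def split_by_method(ifaces):  # -> (DHCP interface names, {static name: subnet})
    dhcp = [i.name for i in ifaces if i.method == "dhcp"]
    static = {i.name: str(i.network()) for i in ifaces if i.method == "static"}
    return dhcp, static
```

For a DHCP interface the file holds no address, so network() returns None there; lease files or logs would be a separate, best-effort source.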