Initial FortiOS support (#503)

Co-authored-by: JSCU-CNI <121175071+JSCU-CNI@users.noreply.github.com>

dissect/target/plugin.py

@@ -64,7 +64,7 @@ class OperatingSystem(StrEnum):
     ANDROID = "android"
     VYOS = "vyos"
     IOS = "ios"
-    FORTIGATE = "fortigate"
+    FORTIOS = "fortios"
     CITRIX = "citrix-netscaler"
 
 
@@ -683,10 +683,14 @@ def _walk(
                             prev_module_path=module_path,
                         )
 
-    yield from _walk(
-        _get_plugins(),
-        special_keys=special_keys,
-        only_special_keys=only_special_keys,
+    yield from sorted(
+        _walk(
+            _get_plugins(),
+            special_keys=special_keys,
+            only_special_keys=only_special_keys,
+        ),
+        key=lambda plugin: len(plugin["module"]),
+        reverse=True,
     )
 
 

dissect/target/plugins/os/unix/_os.py

@@ -254,7 +254,7 @@ def _parse_os_release(self, glob: Optional[str] = None) -> dict[str, str]:
                                 continue
         return os_release
 
-    def _get_architecture(self, os: str = "unix") -> Optional[str]:
+    def _get_architecture(self, os: str = "unix", path: str = "/bin/ls") -> Optional[str]:
         arch_strings = {
             0x00: "Unknown",
             0x02: "SPARC",
@@ -271,8 +271,8 @@ def _get_architecture(self, os: str = "unix") -> Optional[str]:
         }
 
         for fs in self.target.filesystems:
-            if fs.exists("/bin/ls"):
-                fh = fs.open("/bin/ls")
+            if fs.exists(path):
+                fh = fs.open(path)
                 fh.seek(4)
                 # ELF - e_ident[EI_CLASS]
                 bits = unpack("B", fh.read(1))[0]

dissect/target/plugins/os/unix/generic.py

@@ -1,4 +1,5 @@
 from datetime import datetime
+from pathlib import Path
 from statistics import median
 from typing import Optional
 
@@ -15,18 +16,7 @@ def check_compatible(self) -> None:
     def activity(self) -> Optional[datetime]:
         """Return last seen activity based on filesystem timestamps."""
         var_log = self.target.fs.path("/var/log")
-        if not var_log.exists():
-            return
-
-        last_seen = 0
-        for f in var_log.iterdir():
-            if not f.exists():
-                continue
-            if f.stat().st_mtime > last_seen:
-                last_seen = f.stat().st_mtime
-
-        if last_seen != 0:
-            return ts.from_unix(last_seen)
+        return calculate_last_activity(var_log)
 
     @export(property=True)
     def install_date(self) -> Optional[datetime]:
@@ -63,3 +53,18 @@ def install_date(self) -> Optional[datetime]:
         root_stat = self.target.fs.stat("/")
         if root_stat.st_ctime == root_stat.st_mtime:
             return ts.from_unix(root_stat.st_ctime)
+
+
+def calculate_last_activity(folder: Path) -> Optional[datetime]:
+    if not folder.exists():
+        return
+
+    last_seen = 0
+    for file in folder.iterdir():
+        if not file.exists():
+            continue
+        if file.stat().st_mtime > last_seen:
+            last_seen = file.stat().st_mtime
+
+    if last_seen != 0:
+        return ts.from_unix(last_seen)