Citrix netscaler OS fixes and add support for netscaler cli history #385

@MaxGroot MaxGroot commented Sep 4, 2023

The previous approach returned a virtualfilesystem on detect(). As I understand it, an OS plugin should return the system volume on detect, and bootstrap the filesystem in the create classmethod. Also added a check for /log to distinguish ramdisk from system volume. Moreover, account for usage on only the ramdisk by falling back to the ramdisk as system volume if the harddisk is not available.

Lastly, this PR adds support for netscaler-cli to the command history plugin.

The previous approach returned a virtualfilesystem on detect().
As I understand it, an OS plugin should return the system volume on
detect, and bootstrap the filesystem in the create classmethod.
Also added a check for /log to distinguish ramdisk from system volume.
Lastly, account for usage on *only* the ramdisk by falling back to the
ramdisk as system volume if the harddisk is not available.
codecov bot commented Sep 4, 2023

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (d4a1c66) 73.93% compared to head (e0fef85) 73.98%.

| Files | Patch % | Lines |
|---|---|---|
| ...ssect/target/plugins/os/unix/bsd/citrix/history.py | 92.00% | 4 Missing ⚠️ |
| dissect/target/plugins/os/unix/bsd/citrix/_os.py | 94.44% | 2 Missing ⚠️ |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #385      +/-   ##
==========================================
+ Coverage   73.93%   73.98%   +0.04%     
==========================================
  Files         272      273       +1     
  Lines       22572    22633      +61     
==========================================
+ Hits        16689    16744      +55     
- Misses       5883     5889       +6     
```

| Flag | Coverage Δ |
|---|---|
| unittests | 73.98% <93.02%> (+0.04%) ⬆️ |

@Schamper Schamper requested a review from Miauwkeru September 5, 2023 07:04
@MaxGroot MaxGroot force-pushed the improvement/citrix-netscaler-os-fixes-and-nscli-history branch from ad97c29 to e73b748 Compare November 13, 2023 08:23
Also account for nsmonitor user having 'monitors' as its home dir
@MaxGroot
Contributor Author

While testing the code review suggestions, I ran into the nsmonitor user having monitors as its home dir in /var/nstmp, which resulted in an incorrect user name / home combination for this user. The last commit includes two additional checks to account for that.

@MaxGroot MaxGroot force-pushed the improvement/citrix-netscaler-os-fixes-and-nscli-history branch from f80ac27 to 8fa8a39 Compare November 30, 2023 07:48
@Politie-SOC

@Schamper told us to add this here:
```
root@netscaler# mount
/dev/md0 on / (ufs, local)
devfs on /dev (devfs, local, multilabel)
procfs on /proc (procfs, local)
/dev/ar0s1a on /flash (ufs, local)
/dev/ar0s1e on /var (ufs, local)

root@netscaler# gpart show
=> 63 937703025 ad4 MBR (447G)
63 8385867 - free - (4G)
8385930 882482580 1 freebsd [active] (420G)
890868510 46834578 - free - (22G)

=> 0 882482580 ad4s1 BSD (420G)
0 281 - free - (140k)
281 50331648 1 freebsd-ufs (24G)
50331929 721420288 5 freebsd-ufs (344G)
771752217 67108864 7 freebsd-swap (32G)
838861081 43621499 8 freebsd-ufs (20G)

=> 63 937703025 ad6 MBR (447G)
63 8385867 - free - (4G)
8385930 882482580 1 freebsd [active] (420G)
890868510 46834578 - free - (22G)

=> 0 882482580 ad6s1 BSD (420G)
0 281 - free - (140k)
281 50331648 1 freebsd-ufs (24G)
50331929 721420288 5 freebsd-ufs (344G)
771752217 67108864 7 freebsd-swap (32G)
838861081 43621499 8 freebsd-ufs (20G)

=> 63 890863553 ar0 MBR (424G) [CORRUPT]
63 8385867 - free - (4G)
8385930 882482580 1 freebsd [active] (420G)

=> 0 882482580 ar0s1 BSD (420G)
0 281 - free - (140k)
281 50331648 1 freebsd-ufs (24G)
50331929 721420288 5 freebsd-ufs (344G)
771752217 67108864 7 freebsd-swap (32G)
838861081 43621499 8 freebsd-ufs (20G)
```

We therefore created 3 disk images.

`target-fs netscaler-var.img ls /` returns:

```
var
```

`target-fs netscaler-flash.img ls /` returns:

```
flash
```

`target-fs netscaler-root.img ls /` returns:

```
.cache
.snap
;
bin
colorful
compat
configdb
dev
etc
flash
home
lib
libexec
mnt
netscaler
nscache
nsconfig
optional
proc
root
sbin
tmp
usr
var
```

while also returning these warnings:

```
Skipped FS type: procfs, proc, /proc [dissect.target.target]
Unsupported mount device: /dev/md0c / [dissect.target.target]
```
running:

```
target-mount netscaler-root.img+netscaler-flash.img+netscaler-var.img /mnt/netscaler
```

gives me a seemingly working mount, but the /flash partition is not mounted, but / and /var are.

```
(dissect) root@hostname:/mnt/netscaler/fs# ls -a flash
. ..

(dissect) root@hostname:/mnt/netscaler/fs# ls -la var
total 0
drwxr-xr-x 8 root root 512 Sep 21 06:11 .
drwxr-xr-x 21 root root 512 Oct 20 06:00 ..
drwxr-xr-x 2 root root 512 Sep 21 06:11 db
drwxr-xr-x 2 root root 512 Sep 21 06:11 empty
drwxr-xr-x 2 root root 512 Sep 21 06:11 log
drwxr-xr-x 2 root root 512 Sep 21 06:11 netscaler
drwxr-xr-x 2 root root 512 Oct 10 19:49 run
drwxr-xr-x 3 root root 512 Sep 21 06:11 spool
```

@MaxGroot
Contributor Author

@Politie-SOC Thanks for posting. As you can see at https://github.com/fox-it/dissect.target/pull/385/files#diff-7e4df35dcb23e758fc9bb1932a06fed16bfbf6303e9c514cca69cfaecef7562fR84, a filesystem is currently inspected for the presence of a /nscconfig folder and a /boot folder, and if both are present, said filesystem will be mounted at /flash.

In your output, I see the disk image that should contain the /flash filesystem has itself a folder in it named /flash? I myself have not encountered a situation like that before, as I have only created a simultaneous image of /dev/sda0 (containing both the flash and var mounts).

Could you share how you created an image of the flash partition, and why you went that route? It could be that I'm missing something from your posted output, the markdown is a bit iffy. We could add a check for a /flash folder and mount its contents at /flash, but I'd like to understand in what sort of situations this is necessary. Thanks!

@Politie-SOC

So what we did in this case was create a dd of this:

/dev/ar0s1a on /flash (ufs, local)

As mentioned here #484, when we dd /dev/ar0 instead, we also dd the MBR (according to @Schamper) and Dissect needs that to parse it properly.

The output above shows /dev/ar0s1a instead of /dev/ad0s1a but I'm assuming that shouldn't matter.

@MaxGroot
Contributor Author

All right, seems that we don't have to account for a situation where there is a /flash folder within the flash filesystem itself then, and we can leave the proposed detect() and create() as is.
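
The marker-based selection discussed in this thread, as an added example that is not code from this PR or from dissect.target: it works on plain sets of top-level directory names rather than on real filesystems. The `/netscaler` marker, the reading that `/log` exists only on the hard disk volume, the `/nsconfig` spelling (taken from the root listing earlier in the thread), and the names `classify` and `plan_layout` are assumptions of this example.

```python
from typing import Dict, Optional, Set

# Marker directories. FLASH_MARKERS follows the review comment above; the
# other two are assumptions made for this example.
FLASH_MARKERS = ("/nsconfig", "/boot")
NETSCALER_MARKER = "/netscaler"  # assumed to exist on ramdisk and hard disk
HARDDISK_MARKER = "/log"         # assumed to exist only on the hard disk


def classify(top_level: Set[str]) -> Optional[str]:
    """Return 'flash', 'harddisk', 'ramdisk' or None for one filesystem."""
    if all(marker in top_level for marker in FLASH_MARKERS):
        return "flash"
    if NETSCALER_MARKER in top_level:
        return "harddisk" if HARDDISK_MARKER in top_level else "ramdisk"
    return None


def plan_layout(images: Dict[str, Set[str]]) -> dict:
    """Choose the system volume and mount points for a set of images."""
    roles: Dict[str, str] = {}
    for name, top_level in images.items():
        role = classify(top_level)
        if role is not None:
            roles.setdefault(role, name)  # first match wins
    # Prefer the hard disk; fall back to the ramdisk when it is all we have.
    system = roles.get("harddisk") or roles.get("ramdisk")
    mount_points = {"ramdisk": "/", "harddisk": "/var", "flash": "/flash"}
    mounts = {mount_points[r]: n for r, n in roles.items()} if system else {}
    used = set(mounts.values())
    return {
        "system_volume": system,
        "mounts": mounts,
        "unmapped": sorted(n for n in images if n not in used),
    }


# Constructed sample: top-level entries modelled on the listings in this thread.
PARTITION_IMAGES = {
    "netscaler-root.img": {"/bin", "/etc", "/flash", "/netscaler", "/nsconfig", "/var"},
    "netscaler-flash.img": {"/flash"},
    "netscaler-var.img": {"/var"},
}
# Constructed sample: a whole-disk acquisition exposing both hard disk volumes.
WHOLE_DISK = {
    "ramdisk": {"/bin", "/etc", "/netscaler", "/nsconfig"},
    "flash": {"/boot", "/nsconfig"},
    "var": {"/log", "/netscaler", "/core"},
}

if __name__ == "__main__":
    print(plan_layout(PARTITION_IMAGES))
    print(plan_layout(WHOLE_DISK))
```

An image that ends up in `unmapped` matched none of the markers, which is the first thing to check when a volume is missing from the mounted view.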

@MaxGroot MaxGroot requested a review from Schamper December 22, 2023 14:56
@MaxGroot MaxGroot force-pushed the improvement/citrix-netscaler-os-fixes-and-nscli-history branch from ccbd058 to 86de135 Compare January 15, 2024 19:16
@Schamper Schamper merged commit 0770417 into fox-it:main Jan 16, 2024
@MaxGroot MaxGroot deleted the improvement/citrix-netscaler-os-fixes-and-nscli-history branch March 9, 2024 19:48
Zawadidone pushed a commit to Zawadidone/dissect.target that referenced this pull request Apr 5, 2024