fix(packaging): move templates/ into decnet/ package so they ship with pip install
The docker build contexts and syslog_bridge.py lived at repo root, which meant setuptools (include = ["decnet*"]) never shipped them. Agents installed via `pip install $RELEASE_DIR` got site-packages/decnet/** but no templates/, so every deploy blew up in deployer._sync_logging_helper with FileNotFoundError on templates/syslog_bridge.py. Move templates/ -> decnet/templates/ and declare it as setuptools package-data. Path resolutions in services/*.py and engine/deployer.py drop one .parent since templates now lives beside the code. Test fixtures, bandit exclude path, and coverage omit glob updated to match.
This commit is contained in:
24
decnet/templates/llmnr/Dockerfile
Normal file
24
decnet/templates/llmnr/Dockerfile
Normal file
@@ -0,0 +1,24 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
python3 \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY syslog_bridge.py /opt/syslog_bridge.py
|
||||
COPY server.py /opt/server.py
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
EXPOSE 5355/udp
|
||||
EXPOSE 5353/udp
|
||||
RUN useradd -r -s /bin/false -d /opt logrelay \
|
||||
&& apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& (find /usr/bin/ -maxdepth 1 -name 'python3*' -type f -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true)
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
|
||||
CMD kill -0 1 || exit 1
|
||||
|
||||
USER logrelay
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
3
decnet/templates/llmnr/entrypoint.sh
Normal file
3
decnet/templates/llmnr/entrypoint.sh
Normal file
@@ -0,0 +1,3 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
exec python3 /opt/server.py
|
||||
113
decnet/templates/llmnr/server.py
Normal file
113
decnet/templates/llmnr/server.py
Normal file
@@ -0,0 +1,113 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
LLMNR / mDNS poisoning detector (UDP 5355 and UDP 5353).
|
||||
Listens for any incoming name-resolution queries. Any traffic here is a
|
||||
strong signal of an attacker running Responder or similar tools on the LAN.
|
||||
Logs every packet with source IP and decoded query name where possible.
|
||||
"""
|
||||
|
||||
import asyncio
|
||||
import os
|
||||
import struct
|
||||
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
|
||||
|
||||
NODE_NAME = os.environ.get("NODE_NAME", "lan-host")
|
||||
SERVICE_NAME = "llmnr"
|
||||
LOG_TARGET = os.environ.get("LOG_TARGET", "")
|
||||
|
||||
|
||||
|
||||
|
||||
def _log(event_type: str, severity: int = 6, **kwargs) -> None:
|
||||
line = syslog_line(SERVICE_NAME, NODE_NAME, event_type, severity, **kwargs)
|
||||
write_syslog_file(line)
|
||||
forward_syslog(line, LOG_TARGET)
|
||||
|
||||
|
||||
def _decode_dns_name(data: bytes, offset: int) -> str:
|
||||
"""Decode a DNS-encoded label sequence starting at offset."""
|
||||
labels = []
|
||||
visited = set()
|
||||
pos = offset
|
||||
while pos < len(data):
|
||||
if pos in visited:
|
||||
break
|
||||
visited.add(pos)
|
||||
length = data[pos]
|
||||
if length == 0:
|
||||
break
|
||||
if length & 0xc0 == 0xc0: # pointer
|
||||
if pos + 1 >= len(data):
|
||||
break
|
||||
ptr = ((length & 0x3f) << 8) | data[pos + 1]
|
||||
labels.append(_decode_dns_name(data, ptr))
|
||||
break
|
||||
pos += 1
|
||||
labels.append(data[pos:pos + length].decode(errors="replace"))
|
||||
pos += length
|
||||
return ".".join(labels)
|
||||
|
||||
|
||||
def _parse_query(data: bytes, proto: str, src_addr) -> None:
|
||||
"""Parse DNS/LLMNR/mDNS query and log the queried name."""
|
||||
try:
|
||||
if len(data) < 12:
|
||||
raise ValueError("too short")
|
||||
flags = struct.unpack(">H", data[2:4])[0]
|
||||
qr = (flags >> 15) & 1
|
||||
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||
if qr != 0 or qdcount < 1:
|
||||
return # not a query or no questions
|
||||
name = _decode_dns_name(data, 12)
|
||||
pos = 12
|
||||
while pos < len(data) and data[pos] != 0:
|
||||
pos += data[pos] + 1
|
||||
pos += 1
|
||||
qtype = struct.unpack(">H", data[pos:pos + 2])[0] if pos + 2 <= len(data) else 0
|
||||
_log(
|
||||
"query",
|
||||
proto=proto,
|
||||
src=src_addr[0],
|
||||
src_port=src_addr[1],
|
||||
name=name,
|
||||
qtype=qtype,
|
||||
)
|
||||
except Exception as e:
|
||||
_log("raw_packet", proto=proto, src=src_addr[0], data=data[:64].hex(), error=str(e))
|
||||
|
||||
|
||||
class LLMNRProtocol(asyncio.DatagramProtocol):
|
||||
def __init__(self, proto_label: str):
|
||||
self._proto = proto_label
|
||||
|
||||
def datagram_received(self, data, addr):
|
||||
_parse_query(data, self._proto, addr)
|
||||
|
||||
def error_received(self, exc):
|
||||
pass
|
||||
|
||||
|
||||
async def main():
|
||||
_log("startup", msg=f"LLMNR/mDNS server starting as {NODE_NAME}")
|
||||
loop = asyncio.get_running_loop()
|
||||
|
||||
# LLMNR: UDP 5355
|
||||
llmnr_transport, _ = await loop.create_datagram_endpoint(
|
||||
lambda: LLMNRProtocol("LLMNR"),
|
||||
local_addr=("0.0.0.0", 5355), # nosec B104
|
||||
)
|
||||
# mDNS: UDP 5353
|
||||
mdns_transport, _ = await loop.create_datagram_endpoint(
|
||||
lambda: LLMNRProtocol("mDNS"),
|
||||
local_addr=("0.0.0.0", 5353), # nosec B104
|
||||
)
|
||||
|
||||
try:
|
||||
await asyncio.sleep(float("inf"))
|
||||
finally:
|
||||
llmnr_transport.close()
|
||||
mdns_transport.close()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
asyncio.run(main())
|
||||
89
decnet/templates/llmnr/syslog_bridge.py
Normal file
89
decnet/templates/llmnr/syslog_bridge.py
Normal file
@@ -0,0 +1,89 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Shared RFC 5424 syslog helper used by service containers.
|
||||
|
||||
Services call syslog_line() to format an RFC 5424 message, then
|
||||
write_syslog_file() to emit it to stdout — the container runtime
|
||||
captures it, and the host-side collector streams it into the log file.
|
||||
|
||||
RFC 5424 structure:
|
||||
<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
|
||||
|
||||
Facility: local0 (16). SD element ID uses PEN 55555.
|
||||
"""
|
||||
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
# ─── Constants ────────────────────────────────────────────────────────────────
|
||||
|
||||
_FACILITY_LOCAL0 = 16
|
||||
_SD_ID = "relay@55555"
|
||||
_NILVALUE = "-"
|
||||
|
||||
SEVERITY_EMERG = 0
|
||||
SEVERITY_ALERT = 1
|
||||
SEVERITY_CRIT = 2
|
||||
SEVERITY_ERROR = 3
|
||||
SEVERITY_WARNING = 4
|
||||
SEVERITY_NOTICE = 5
|
||||
SEVERITY_INFO = 6
|
||||
SEVERITY_DEBUG = 7
|
||||
|
||||
_MAX_HOSTNAME = 255
|
||||
_MAX_APPNAME = 48
|
||||
_MAX_MSGID = 32
|
||||
|
||||
# ─── Formatter ────────────────────────────────────────────────────────────────
|
||||
|
||||
def _sd_escape(value: str) -> str:
|
||||
"""Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
|
||||
return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
|
||||
|
||||
|
||||
def _sd_element(fields: dict[str, Any]) -> str:
|
||||
if not fields:
|
||||
return _NILVALUE
|
||||
params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
|
||||
return f"[{_SD_ID} {params}]"
|
||||
|
||||
|
||||
def syslog_line(
|
||||
service: str,
|
||||
hostname: str,
|
||||
event_type: str,
|
||||
severity: int = SEVERITY_INFO,
|
||||
timestamp: datetime | None = None,
|
||||
msg: str | None = None,
|
||||
**fields: Any,
|
||||
) -> str:
|
||||
"""
|
||||
Return a single RFC 5424-compliant syslog line (no trailing newline).
|
||||
|
||||
Args:
|
||||
service: APP-NAME (e.g. "http", "mysql")
|
||||
hostname: HOSTNAME (node name)
|
||||
event_type: MSGID (e.g. "request", "login_attempt")
|
||||
severity: Syslog severity integer (default: INFO=6)
|
||||
timestamp: UTC datetime; defaults to now
|
||||
msg: Optional free-text MSG
|
||||
**fields: Encoded as structured data params
|
||||
"""
|
||||
pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
|
||||
ts = (timestamp or datetime.now(timezone.utc)).isoformat()
|
||||
host = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
|
||||
appname = (service or _NILVALUE)[:_MAX_APPNAME]
|
||||
msgid = (event_type or _NILVALUE)[:_MAX_MSGID]
|
||||
sd = _sd_element(fields)
|
||||
message = f" {msg}" if msg else ""
|
||||
return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
|
||||
|
||||
|
||||
def write_syslog_file(line: str) -> None:
|
||||
"""Emit a syslog line to stdout for container log capture."""
|
||||
print(line, flush=True)
|
||||
|
||||
|
||||
def forward_syslog(line: str, log_target: str) -> None:
|
||||
"""No-op stub. TCP forwarding is handled by rsyslog, not by service containers."""
|
||||
pass
|
||||
Reference in New Issue
Block a user