anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(ssh-capture): cloak syslog relay pipe and cat process

Browse Source 
Rename the rsyslog→stdout pipe from /var/run/decnet-logs (dead giveaway)
to /run/systemd/journal/syslog-relay, and launch the relay via
exec -a "systemd-journal-fwd" so ps shows a plausible systemd forwarder
instead of a bare cat. Casual ps/ls inspection now shows nothing
with "decnet" in the name.
This commit is contained in:
anti
2026-04-17 22:51:34 -04:00
parent 09d9f8595e
commit 69510fb880
3 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
templates/ssh/Dockerfile
View File

@@ -36,8 +36,8 @@ RUN sed -i \
RUN printf '%s\n' \
'# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
'$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
'auth,authpriv.* |/var/run/decnet-logs;RFC5424fmt' \
'user.* |/var/run/decnet-logs;RFC5424fmt' \
'auth,authpriv.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
'user.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
> /etc/rsyslog.d/99-decnet.conf
# Silence default catch-all rules so we own auth/user routing exclusively