anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(ssh-capture): cloak syslog relay pipe and cat process

Browse Source 
Rename the rsyslog→stdout pipe from /var/run/decnet-logs (dead giveaway)
to /run/systemd/journal/syslog-relay, and launch the relay via
exec -a "systemd-journal-fwd" so ps shows a plausible systemd forwarder
instead of a bare cat. Casual ps/ls inspection now shows nothing
with "decnet" in the name.
This commit is contained in:
anti
2026-04-17 22:51:34 -04:00
parent 09d9f8595e
commit 69510fb880
3 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
templates/ssh/Dockerfile
View File

@@ -36,8 +36,8 @@ RUN sed -i \
RUN printf '%s\n' \
'# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
'$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
'auth,authpriv.* |/var/run/decnet-logs;RFC5424fmt' \
'user.* |/var/run/decnet-logs;RFC5424fmt' \
'auth,authpriv.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
'user.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
> /etc/rsyslog.d/99-decnet.conf
# Silence default catch-all rules so we own auth/user routing exclusively

10
templates/ssh/entrypoint.sh
View File

@@ -31,11 +31,13 @@ ls /var/www/html
HIST
fi
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture
mkfifo /var/run/decnet-logs
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture.
# Pipe lives under /run/systemd/journal/ and the relay process is cloaked via
# exec -a so `ps aux` shows "systemd-journal-fwd" instead of a raw `cat`.
mkdir -p /run/systemd/journal
mkfifo /run/systemd/journal/syslog-relay
# Relay pipe to stdout so Docker captures all syslog events
cat /var/run/decnet-logs &
bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
# Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
rsyslogd

20
tests/test_ssh.py
View File

@@ -148,6 +148,26 @@ def test_entrypoint_creates_named_pipe():
assert "mkfifo" in _entrypoint_text()
def test_entrypoint_relay_pipe_path_is_disguised():
ep = _entrypoint_text()
# Pipe lives under /run/systemd/journal/, not the obvious /var/run/decnet-logs.
assert "/run/systemd/journal/syslog-relay" in ep
assert "decnet-logs" not in ep
def test_entrypoint_cat_relay_is_cloaked():
ep = _entrypoint_text()
# `cat` is invoked via exec -a so ps shows systemd-journal-fwd.
assert "systemd-journal-fwd" in ep
assert "exec -a" in ep
def test_dockerfile_rsyslog_uses_disguised_pipe():
df = _dockerfile_text()
assert "/run/systemd/journal/syslog-relay" in df
assert "decnet-logs" not in df
def test_entrypoint_starts_rsyslogd():
assert "rsyslogd" in _entrypoint_text()