feat: SSH log relay emits proper DECNET syslog for sshd events
New log_relay.py replaces raw 'cat' on the rsyslog pipe. Intercepts sshd and bash lines and re-emits them as structured RFC 5424 events: login_success, session_opened, disconnect, connection_closed, command. Parsers updated to accept non-nil PROCID (sshd uses PID).
This commit is contained in:
@@ -155,37 +155,17 @@ class TestParserAttackerIP:
|
||||
assert parse_line(line) is None
|
||||
|
||||
|
||||
class TestParserBashNormalization:
|
||||
def test_bash_cmd_normalized_to_ssh_command(self):
|
||||
line = '<14>1 2026-04-14T05:48:12.628417+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=ls /var/www/html'
|
||||
class TestParserProcidFlexibility:
|
||||
def test_non_nil_procid_accepted(self):
|
||||
line = '<38>1 2026-04-14T05:48:12.611006+00:00 SRV-BRAVO-13 sshd 282 - - Accepted password for root'
|
||||
event = parse_line(line)
|
||||
assert event is not None
|
||||
assert event.service == "ssh"
|
||||
assert event.event_type == "command"
|
||||
assert event.fields["command"] == "ls /var/www/html"
|
||||
assert event.fields["uid"] == "0"
|
||||
assert event.fields["pwd"] == "/root"
|
||||
assert event.service == "sshd"
|
||||
assert event.decky == "SRV-BRAVO-13"
|
||||
|
||||
def test_bash_cmd_simple(self):
|
||||
line = '<14>1 2026-04-14T05:48:13.332072+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=ls'
|
||||
event = parse_line(line)
|
||||
def test_nil_procid_still_works(self):
|
||||
event = parse_line(_make_line())
|
||||
assert event is not None
|
||||
assert event.service == "ssh"
|
||||
assert event.fields["command"] == "ls"
|
||||
|
||||
def test_bash_non_cmd_stays_as_bash(self):
|
||||
line = '<14>1 2026-04-14T05:48:12.628417+00:00 SRV-BRAVO-13 bash - - - some other bash message'
|
||||
event = parse_line(line)
|
||||
assert event is not None
|
||||
assert event.service == "bash"
|
||||
assert event.event_type == "-"
|
||||
|
||||
def test_bash_cmd_with_complex_command(self):
|
||||
line = '<14>1 2026-04-14T05:48:32.006502+00:00 SRV-BRAVO-13 bash - - - CMD uid=0 pwd=/root cmd=cat /etc/passwd | grep root'
|
||||
event = parse_line(line)
|
||||
assert event is not None
|
||||
assert event.service == "ssh"
|
||||
assert event.fields["command"] == "cat /etc/passwd | grep root"
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user