anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ssh-template): drop sshd/pam_unix native chatter at rsyslog

Browse Source 
OpenSSH's native syslog ("Failed password", "Connection from",
"Connection closed by …") and the pam_unix lines emitted from sshd's
PAM stack add no signal beyond what auth-helper already captures as
structured login_attempt events. They cluttered the dashboard and
arrived without an SD wrapper, forcing prose-IP heuristics in the
collector.

Add a `:programname, isequal, "sshd" stop` rule above the forwarding
actions in /etc/rsyslog.d/50-journal-forward.conf. pam_unix lines from
sshd inherit programname=sshd so the same rule covers both. sudo /
login / su pam_unix lines keep flowing (different programname), so
post-login privilege escalation telemetry is preserved.
This commit is contained in:
anti
2026-04-27 23:26:53 -04:00
parent 9350ce195a
commit 8344b539c8
2 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
decnet/templates/ssh/Dockerfile
View File

@@ -52,9 +52,19 @@ RUN sed -i \
# /proc/1/fd/1 is the container-stdout fd Docker attached — writing there # /proc/1/fd/1 is the container-stdout fd Docker attached — writing there
# surfaces lines in `docker logs` without needing a named pipe + relay cat # surfaces lines in `docker logs` without needing a named pipe + relay cat
# (which would be readable AND writable by any root-in-container process). # (which would be readable AND writable by any root-in-container process).
#
# Filter: drop sshd's native chatter ("Failed password", "Connection from",
# "Connection closed by …") and the pam_unix lines emitted from sshd's PAM
# stack (programname is inherited from the calling process, so pam_unix(sshd:*)
# lines arrive as programname=sshd). These add no signal — our auth-helper
# writes structured login_attempt events directly to /proc/1/fd/1 and
# capture.sh emits sessions via `logger -t systemd-journal`. sudo / login /
# su pam_unix lines are NOT dropped (different programname), so privilege
# escalation telemetry still flows.
RUN printf '%s\n' \ RUN printf '%s\n' \
'# auth + user events → container stdout as RFC 5424' \ '# auth + user events → container stdout as RFC 5424' \
'$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \ '$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
':programname, isequal, "sshd" stop' \
'auth,authpriv.* /proc/1/fd/1;RFC5424fmt' \ 'auth,authpriv.* /proc/1/fd/1;RFC5424fmt' \
'user.* /proc/1/fd/1;RFC5424fmt' \ 'user.* /proc/1/fd/1;RFC5424fmt' \
> /etc/rsyslog.d/50-journal-forward.conf > /etc/rsyslog.d/50-journal-forward.conf

17
tests/services/test_ssh.py
View File

@@ -143,6 +143,23 @@ def test_dockerfile_rsyslog_conf_created():
assert "RFC5424fmt" in df assert "RFC5424fmt" in df
def test_dockerfile_drops_sshd_native_chatter():
"""sshd's native syslog (`Failed password`, `Connection from`, …) and
the pam_unix lines emitted from sshd's PAM stack add no signal — the
auth-helper writes structured login_attempt events out-of-band. The
rsyslog config must drop them via a `:programname, isequal, "sshd" stop`
rule that comes BEFORE the forwarding actions. sudo / login pam_unix
lines must still flow (different programname)."""
df = _dockerfile_text()
stop_rule = ':programname, isequal, "sshd" stop'
assert stop_rule in df, "sshd drop rule missing from rsyslog config"
# Order matters: stop must precede the forwarding actions inside the
# same printf block, otherwise rsyslog forwards before evaluating it.
stop_idx = df.index(stop_rule)
fwd_idx = df.index("auth,authpriv.* /proc/1/fd/1;RFC5424fmt")
assert stop_idx < fwd_idx, "stop rule must come before forwarding action"
def test_dockerfile_sudoers_syslog(): def test_dockerfile_sudoers_syslog():
df = _dockerfile_text() df = _dockerfile_text()
assert "syslog=auth" in df assert "syslog=auth" in df