anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

refactor: strip DECNET tokens from container-visible surface

Browse Source 
Rename the container-side logging module decnet_logging → syslog_bridge
(canonical at templates/syslog_bridge.py, synced into each template by
the deployer). Drop the stale per-template copies; setuptools find was
picking them up anyway. Swap useradd/USER/chown "decnet" for "logrelay"
so no obvious token appears in the rendered container image.

Apply the same cloaking pattern to the telnet template that SSH got:
syslog pipe moves to /run/systemd/journal/syslog-relay and the relay
is cat'd via exec -a "systemd-journal-fwd". rsyslog.d conf rename
99-decnet.conf → 50-journal-forward.conf. SSH capture script:
/var/decnet/captured → /var/lib/systemd/coredump (real systemd path),
logger tag decnet-capture → systemd-journal. Compose volume updated
to match the new in-container quarantine path.

SD element ID shifts decnet@55555 → relay@55555; synced across
collector, parser, sniffer, prober, formatter, tests, and docs so the
host-side pipeline still matches what containers emit.
This commit is contained in:
anti
2026-04-17 22:57:53 -04:00
parent 69510fb880
commit 8dd4c78b33
114 changed files with 220 additions and 2712 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
tests/live/test_service_isolation_live.py
View File

@@ -172,7 +172,7 @@ class TestCollectorLiveIsolation:
def test_rfc5424_parser_handles_real_formats(self):
"""Parser works on real log lines, not just test fixtures."""
valid = '<134>1 2026-04-14T12:00:00Z decky-01 ssh - login_attempt [decnet@55555 src_ip="10.0.0.1" username="root" password="toor"] Failed login'
valid = '<134>1 2026-04-14T12:00:00Z decky-01 ssh - login_attempt [relay@55555 src_ip="10.0.0.1" username="root" password="toor"] Failed login'
result = parse_rfc5424(valid)
assert result is not None
assert result["decky"] == "decky-01"
@@ -236,7 +236,7 @@ class TestIngesterLiveIsolation:
"attacker_ip": "10.99.99.1",
"fields": {"username": "root", "password": "toor"},
"msg": "Failed login",
"raw_line": '<134>1 2026-04-14T12:00:00Z decky-live-01 ssh - login_attempt [decnet@55555 src_ip="10.99.99.1"] Failed login',
"raw_line": '<134>1 2026-04-14T12:00:00Z decky-live-01 ssh - login_attempt [relay@55555 src_ip="10.99.99.1"] Failed login',
}
json_file.write_text(json.dumps(record) + "\n")
@@ -333,7 +333,7 @@ class TestAttackerWorkerLiveIsolation:
"attacker_ip": "10.77.77.1",
"fields": {"username": "admin"},
"msg": "",
"raw_line": f'<134>1 2026-04-14T14:0{i}:00Z decky-live-03 {"ssh" if i < 2 else "http"} - login_attempt [decnet@55555 src_ip="10.77.77.1" username="admin"]',
"raw_line": f'<134>1 2026-04-14T14:0{i}:00Z decky-live-03 {"ssh" if i < 2 else "http"} - login_attempt [relay@55555 src_ip="10.77.77.1" username="admin"]',
})
state = _WorkerState()