refactor: strip DECNET tokens from container-visible surface

Rename the container-side logging module decnet_logging → syslog_bridge (canonical at templates/syslog_bridge.py, synced into each template by the deployer). Drop the stale per-template copies; setuptools find was picking them up anyway. Swap useradd/USER/chown "decnet" for "logrelay" so no obvious token appears in the rendered container image. Apply the same cloaking pattern to the telnet template that SSH got: syslog pipe moves to /run/systemd/journal/syslog-relay and the relay is cat'd via exec -a "systemd-journal-fwd". rsyslog.d conf rename 99-decnet.conf → 50-journal-forward.conf. SSH capture script: /var/decnet/captured → /var/lib/systemd/coredump (real systemd path), logger tag decnet-capture → systemd-journal. Compose volume updated to match the new in-container quarantine path. SD element ID shifts decnet@55555 → relay@55555; synced across collector, parser, sniffer, prober, formatter, tests, and docs so the host-side pipeline still matches what containers emit.
2026-04-17 22:57:53 -04:00
parent 69510fb880
commit 8dd4c78b33
114 changed files with 220 additions and 2712 deletions
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -316,7 +316,7 @@ class TestCorrelateCommand:
        log_file = tmp_path / "test.log"
        log_file.write_text(
            "<134>1 2024-01-15T12:00:00+00:00 decky-01 ssh - auth "
-            '[decnet@55555 src_ip="10.0.0.5" username="admin"] login\n'
+            '[relay@55555 src_ip="10.0.0.5" username="admin"] login\n'
        )
        result = runner.invoke(app, ["correlate", "--log-file", str(log_file)])
        assert result.exit_code == 0