anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(ssh-capture): drop relay FIFO, rsyslog→/proc/1/fd/1 direct

Browse Source 
The named pipe at /run/systemd/journal/syslog-relay had two problems
beyond its argv leak: any root-in-container process could (a) `cat`
the pipe and watch the live SIEM feed, and (b) write to it and inject
forged log lines. Since an attacker with a shell is already root
inside the honeypot, file permissions can't fix it.

Point rsyslog's auth/user actions directly at /proc/1/fd/1 — the
container-stdout fd Docker attached to PID 1 — and delete the
mkfifo + cat relay from the entrypoint. No pipe on disk, nothing to
read, nothing to inject, and one fewer cloaked process in `ps`.
This commit is contained in:
anti
2026-04-18 02:12:32 -04:00
parent 2843aafa1a
commit b0e00a6cc4
3 changed files with 23 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
templates/ssh/Dockerfile
View File

@@ -34,13 +34,15 @@ RUN sed -i \
-e 's|^#\?LogLevel.*|LogLevel VERBOSE|' \
/etc/ssh/sshd_config
# rsyslog: forward auth.* and user.* to named pipe in RFC 5424 format.
# The entrypoint relays the pipe to stdout for Docker log capture.
# rsyslog: forward auth.* and user.* to PID 1's stdout in RFC 5424 format.
# /proc/1/fd/1 is the container-stdout fd Docker attached — writing there
# surfaces lines in `docker logs` without needing a named pipe + relay cat
# (which would be readable AND writable by any root-in-container process).
RUN printf '%s\n' \
'# syslog-relay log bridge — auth + user events → named pipe as RFC 5424' \
'# auth + user events → container stdout as RFC 5424' \
'$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
'auth,authpriv.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
'user.* |/run/systemd/journal/syslog-relay;RFC5424fmt' \
'auth,authpriv.* /proc/1/fd/1;RFC5424fmt' \
'user.* /proc/1/fd/1;RFC5424fmt' \
> /etc/rsyslog.d/50-journal-forward.conf
# Silence default catch-all rules so we own auth/user routing exclusively

13
templates/ssh/entrypoint.sh
View File

@@ -31,15 +31,10 @@ ls /var/www/html
HIST
fi
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture.
# Pipe lives under /run/systemd/journal/ and the relay process is cloaked via
# exec -a so `ps aux` shows "systemd-journal-fwd" instead of a raw `cat`.
mkdir -p /run/systemd/journal
mkfifo /run/systemd/journal/syslog-relay
bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
# Start rsyslog (reads /etc/rsyslog.d/50-journal-forward.conf, writes to the pipe above)
# Logging pipeline: rsyslogd (RFC 5424) → /proc/1/fd/1 → Docker log capture.
# No intermediate pipe/relay — a named FIFO would be readable AND writable
# by any root-in-container process, letting an attacker either eavesdrop on
# the SIEM feed or inject forged log lines.
rsyslogd
# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.