anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(ssh-capture): drop relay FIFO, rsyslog→/proc/1/fd/1 direct

Browse Source 
The named pipe at /run/systemd/journal/syslog-relay had two problems
beyond its argv leak: any root-in-container process could (a) `cat`
the pipe and watch the live SIEM feed, and (b) write to it and inject
forged log lines. Since an attacker with a shell is already root
inside the honeypot, file permissions can't fix it.

Point rsyslog's auth/user actions directly at /proc/1/fd/1 — the
container-stdout fd Docker attached to PID 1 — and delete the
mkfifo + cat relay from the entrypoint. No pipe on disk, nothing to
read, nothing to inject, and one fewer cloaked process in `ps`.
This commit is contained in:
anti
2026-04-18 02:12:32 -04:00
parent 2843aafa1a
commit b0e00a6cc4
3 changed files with 23 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
tests/test_ssh.py
View File

@@ -144,27 +144,25 @@ def test_dockerfile_prompt_command_logger():
assert "logger" in df
def test_entrypoint_creates_named_pipe():
assert "mkfifo" in _entrypoint_text()
def test_entrypoint_relay_pipe_path_is_disguised():
def test_entrypoint_has_no_named_pipe():
# Named pipes in the container are a liability — readable and writable
# by any root process. The log bridge must not rely on one.
ep = _entrypoint_text()
# Pipe lives under /run/systemd/journal/, not the obvious /var/run/decnet-logs.
assert "/run/systemd/journal/syslog-relay" in ep
assert "decnet-logs" not in ep
assert "mkfifo" not in ep
assert "syslog-relay" not in ep
def test_entrypoint_cat_relay_is_cloaked():
def test_entrypoint_has_no_relay_cat():
# No intermediate cat relay either (removed together with the pipe).
ep = _entrypoint_text()
# `cat` is invoked via exec -a so ps shows systemd-journal-fwd.
assert "systemd-journal-fwd" in ep
assert "exec -a" in ep
assert "systemd-journal-fwd" not in ep
def test_dockerfile_rsyslog_uses_disguised_pipe():
def test_dockerfile_rsyslog_targets_pid1_stdout():
df = _dockerfile_text()
assert "/run/systemd/journal/syslog-relay" in df
# rsyslog writes straight to /proc/1/fd/1 — no pipe file on disk.
assert "/proc/1/fd/1" in df
assert "syslog-relay" not in df
assert "decnet-logs" not in df