anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ssh,telnet): move PROMPT_COMMAND out of /root/.bashrc + pin readonly

Browse Source 
ANTI flagged two regressions in the existing command-event capture:

1. **Tell**: PROMPT_COMMAND lived in /root/.bashrc, the FIRST file
   an attacker greps after landing root. The logger invocation
   sitting there is plain-text honeypot signage.
2. **Bypass**: even when missed, `export PROMPT_COMMAND=""` silently
   disables capture. ANTI personally bypasses this on engagements.

Reshape:

* Move the assignment to **/etc/environment** — read by pam_env at
  session open (sshd via /etc/pam.d/sshd, telnet via
  /etc/pam.d/login), before any shell rc file fires. Far less
  obvious than .bashrc; a casual `cat .bashrc` no longer surfaces
  the capture.
* Define the helper as a function `__bash_history_sync` in
  **/etc/bash.bashrc** (system-wide bashrc, sourced by every
  interactive bash). Function name reads as generic bash
  housekeeping; no DECNET branding in the symbol.
* Pin both the function and PROMPT_COMMAND **readonly** so
  `export PROMPT_COMMAND=""` fails with "readonly variable"
  instead of silently winning. Mitigation, not airtight —
  `bash --norc` still bypasses — but the passive `export`
  bypass is closed.

The actual `logger --rfc5424 --msgid command ... CMD ...` invocation
is preserved exactly; only its location and the readonly guard
change. R0001–R0030 (command-rule pack) consume the same syslog
shape as before.

Three new tests assert: the value lands in /etc/environment, the
function body lives in /etc/bash.bashrc, no PROMPT_COMMAND line
remains in /root/.bashrc, and `readonly PROMPT_COMMAND` /
`readonly -f __bash_history_sync` are both present. Mirror
assertions added on the Telnet Dockerfile via
test_config_schema.py.
This commit is contained in:
anti
2026-05-02 19:50:24 -04:00
parent 3e9c4c29b9
commit cdbb3d3571
4 changed files with 87 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
tests/services/test_config_schema.py
View File

@@ -173,6 +173,22 @@ def test_telnet_default_non_root_user():
assert env["TELNET_USER_PASSWORD"] == "admin"
def test_telnet_prompt_command_moved_out_of_root_bashrc():
"""Mirror of test_ssh.test_prompt_command_lives_in_etc_environment.
Telnet had the same /root/.bashrc tell — moved to
/etc/environment + readonly guard."""
df = (TelnetService().dockerfile_context() / "Dockerfile").read_text()
assert "PROMPT_COMMAND=__bash_history_sync" in df
assert "__bash_history_sync()" in df
assert "readonly PROMPT_COMMAND" in df
for line in df.splitlines():
if "PROMPT_COMMAND" in line and "/root/.bashrc" in line:
raise AssertionError(
"PROMPT_COMMAND must not live in /root/.bashrc; "
f"found tell-line: {line!r}"
)
def test_rdp_schema_matches_and_bool_coerces():
assert {f.key for f in RDPService.config_schema} == {"nla"}
svc = RDPService()