feat(ssh): replace Cowrie with real OpenSSH + rsyslog logging pipeline

Scraps the Cowrie emulation layer. The real_ssh template now runs a genuine sshd backed by a three-layer logging stack forwarded to stdout as RFC 5424 for the DECNET collector: auth,authpriv.* → rsyslogd → named pipe → stdout (logins/failures) user.* → rsyslogd → named pipe → stdout (PROMPT_COMMAND cmds) sudo syslog=auth → rsyslogd → named pipe → stdout (privilege escalation) sudo logfile → /var/log/sudo.log (local backup with I/O) The ssh.py service plugin now points to templates/real_ssh and drops all COWRIE_* / NODE_NAME env vars, sharing the same compose fragment shape as real_ssh.py.
2026-04-11 19:12:54 -04:00
parent 9ca3b4691d
commit d4ac53c0c9
5 changed files with 209 additions and 37 deletions
--- a/templates/real_ssh/Dockerfile
+++ b/templates/real_ssh/Dockerfile
@@ -4,6 +4,7 @@ FROM ${BASE_IMAGE}
 RUN apt-get update && apt-get install -y --no-install-recommends \
    openssh-server \
    sudo \
+    rsyslog \
    curl \
    wget \
    vim \
@@ -14,7 +15,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    && rm -rf /var/lib/apt/lists/*

-RUN mkdir -p /var/run/sshd /root/.ssh
+RUN mkdir -p /var/run/sshd /root/.ssh /var/log/decnet

 # sshd_config: allow root + password auth
 RUN sed -i \
@@ -23,6 +24,26 @@ RUN sed -i \
    -e 's|^#\?ChallengeResponseAuthentication.*|ChallengeResponseAuthentication no|' \
    /etc/ssh/sshd_config

+# rsyslog: forward auth.* and user.* to named pipe in RFC 5424 format.
+# The entrypoint relays the pipe to stdout for Docker log capture.
+RUN printf '%s\n' \
+    '# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
+    '$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
+    'auth,authpriv.*  |/var/run/decnet-logs;RFC5424fmt' \
+    'user.*           |/var/run/decnet-logs;RFC5424fmt' \
+    > /etc/rsyslog.d/99-decnet.conf
+
+# Silence default catch-all rules so we own auth/user routing exclusively
+RUN sed -i \
+    -e 's|^\(\*\.\*;auth,authpriv\.none\)|#\1|' \
+    -e 's|^auth,authpriv\.\*|#auth,authpriv.*|' \
+    /etc/rsyslog.conf
+
+# Sudo: log to syslog (auth facility) AND a local file with full I/O capture
+RUN echo 'Defaults logfile="/var/log/sudo.log"' >> /etc/sudoers && \
+    echo 'Defaults syslog=auth'                >> /etc/sudoers && \
+    echo 'Defaults log_input,log_output'       >> /etc/sudoers
+
 # Lived-in environment: motd, shell aliases, fake project files
 RUN echo "Ubuntu 22.04.3 LTS" > /etc/issue.net && \
    echo "Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)" > /etc/motd && \
@@ -32,29 +53,24 @@ RUN echo "Ubuntu 22.04.3 LTS" > /etc/issue.net && \
    echo " * Support:        https://ubuntu.com/advantage" >> /etc/motd

 RUN echo 'alias ll="ls -alF"' >> /root/.bashrc && \
-    echo 'alias la="ls -A"' >> /root/.bashrc && \
-    echo 'alias l="ls -CF"' >> /root/.bashrc && \
+    echo 'alias la="ls -A"'   >> /root/.bashrc && \
+    echo 'alias l="ls -CF"'   >> /root/.bashrc && \
    echo 'export HISTSIZE=1000' >> /root/.bashrc && \
-    echo 'export HISTFILESIZE=2000' >> /root/.bashrc
+    echo 'export HISTFILESIZE=2000' >> /root/.bashrc && \
+    echo 'PROMPT_COMMAND='"'"'logger -p user.info -t bash "CMD uid=$UID pwd=$PWD cmd=$(history 1 | sed "s/^ *[0-9]* *//")";'"'" >> /root/.bashrc

 # Fake project files to look lived-in
 RUN mkdir -p /root/projects /root/backups /var/www/html && \
-    echo "# TODO: migrate DB to new server\n# check cron jobs\n# update SSL cert" > /root/notes.txt && \
-    echo "DB_HOST=10.0.0.5\nDB_USER=admin\nDB_PASS=changeme123\nDB_NAME=prod_db" > /root/projects/.env && \
-    echo "[Unit]\nDescription=App Server\n[Service]\nExecStart=/usr/bin/python3 /opt/app/server.py" > /root/projects/app.service
+    printf '# TODO: migrate DB to new server\n# check cron jobs\n# update SSL cert\n' > /root/notes.txt && \
+    printf 'DB_HOST=10.0.0.5\nDB_USER=admin\nDB_PASS=changeme123\nDB_NAME=prod_db\n' > /root/projects/.env && \
+    printf '[Unit]\nDescription=App Server\n[Service]\nExecStart=/usr/bin/python3 /opt/app/server.py\n' > /root/projects/app.service

 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

 EXPOSE 22

-RUN useradd -r -s /bin/false -d /opt decnet \
- && apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
- && rm -rf /var/lib/apt/lists/* \
- && (find /usr/bin/ -maxdepth 1 -name 'python3*' -type f -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true)
-
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD kill -0 1 || exit 1

-USER decnet
 ENTRYPOINT ["/entrypoint.sh"]