anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
2843aafa1ab19a1a489622ac889e6cacd9d85155
DECNET/templates/ssh/entrypoint.sh
anti 2843aafa1a fix(ssh-capture): hide watcher bash argv and sanitize script header 
Two leaks remained after the inotifywait argv fix:

1. The bash running journal-relay showed its argv[1] (the script path)
   in /proc/PID/cmdline, producing a line like
     'journal-relay /usr/libexec/udev/journal-relay'
   Apply argv_zap.so to that bash too.

2. argv_zap previously hardcoded PR_SET_NAME to 'kmsg-watch', which was
   wrong for any caller other than inotifywait. The comm name now comes
   from ARGV_ZAP_COMM so each caller can pick its own (kmsg-watch for
   inotifywait, journal-relay for the watcher bash).

3. The capture.sh header started with 'SSH honeypot file-catcher' —
   fatal if an attacker runs 'cat' on it. Rewritten as a plausible
   systemd-journal relay helper; stray 'attacker' / 'honeypot' words
   in mid-script comments stripped too.
2026-04-18 02:06:36 -04:00

58 lines
1.8 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
# Configure root password (default: admin)
ROOT_PASSWORD="${SSH_ROOT_PASSWORD:-admin}"
echo "root:${ROOT_PASSWORD}" | chpasswd
# Optional: override hostname inside container
if [ -n "$SSH_HOSTNAME" ]; then
echo "$SSH_HOSTNAME" > /etc/hostname
hostname "$SSH_HOSTNAME"
fi
# Generate host keys if missing (first boot)
ssh-keygen -A
# Fake bash history so the box looks used
if [ ! -f /root/.bash_history ]; then
cat > /root/.bash_history <<'HIST'
apt update && apt upgrade -y
systemctl status nginx
tail -f /var/log/syslog
df -h
htop
ps aux | grep python
git pull origin main
cd /root/projects
vim notes.txt
crontab -e
ls /var/www/html
HIST
fi
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout → Docker log capture.
# Pipe lives under /run/systemd/journal/ and the relay process is cloaked via
# exec -a so `ps aux` shows "systemd-journal-fwd" instead of a raw `cat`.
mkdir -p /run/systemd/journal
mkfifo /run/systemd/journal/syslog-relay
bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
# Start rsyslog (reads /etc/rsyslog.d/50-journal-forward.conf, writes to the pipe above)
rsyslogd
# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
# Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a
# plausible udev helper. See Dockerfile for the rename rationale.
# LD_PRELOAD + ARGV_ZAP_COMM blank bash's argv[1..] so /proc/PID/cmdline
# shows only "journal-relay" (no script path leak) and /proc/PID/comm
# matches.
CAPTURE_DIR=/var/lib/systemd/coredump \
LD_PRELOAD=/usr/lib/argv_zap.so \
ARGV_ZAP_COMM=journal-relay \
bash -c 'exec -a "journal-relay" bash /usr/libexec/udev/journal-relay' &
# sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
exec /usr/sbin/sshd -D
Reference in New Issue View Git Blame Copy Permalink