Adds a new decnet orchestrate worker whose job is to keep the honeypot
ecosystem from looking suspiciously static — a frozen LAN with no
inter-host traffic and no filesystem aging is its own honeypot tell.
MVP scope:
- New OrchestratorEvent table + repo methods (purpose-built sibling
to Log so synthetic events stay separable from attacker-driven ones).
- New orchestrator.{activity,file}.<decky_id> bus topics +
system.orchestrator.health heartbeat.
- SSH-only driver. Traffic action runs python3 inside src container
to TCP-connect dst:22 and read the SSH banner — real on-the-wire
SSH-protocol traffic without shipping creds. File action drops or
refreshes a small file via docker exec on the destination.
- Random scheduler (50/50 traffic/file when >=2 SSH-capable deckies
are running). Diurnal shaping, role-aware pairing, and session-aware
backoff are explicit non-goals for MVP.
- CLI registration, systemd unit (SupplementaryGroups=docker),
worker-registry entry so the dashboard shows orchestrator health.
- 11 tests: scheduler policy, driver argv shape + injection-safety,
end-to-end one-tick integration with FakeBus + SQLite.
53 lines
2.2 KiB
Python
"""Orchestrator-emitted activity events.
|
|
|
|
Purpose-built sibling to ``logs.Log`` so attacker-originated events stay
|
|
cleanly separable from synthetic life-injection events at query time.
|
|
The orchestrator worker is the sole writer.
|
|
"""
|
|
from datetime import datetime, timezone
|
|
from typing import Optional
|
|
from uuid import uuid4
|
|
|
|
from sqlalchemy import Column, Index, Text
|
|
from sqlmodel import Field, SQLModel
|
|
|
|
|
|
class OrchestratorEvent(SQLModel, table=True):
|
|
"""One orchestrator-driven action against a decky.
|
|
|
|
``kind`` discriminates the two MVP flavours:
|
|
|
|
* ``"traffic"`` — a protocol-driven interaction (SSH command exec for
|
|
MVP). ``src_decky_uuid`` is the *logical* originator and may differ
|
|
from the actual TCP source for the duration of the MVP, where the
|
|
orchestrator process drives the connection from the host. ``v1``
|
|
will execute the connection from inside the source container.
|
|
* ``"file"`` — a filesystem touch via ``docker exec`` against the
|
|
destination decky. ``src_decky_uuid`` is null.
|
|
|
|
``payload`` is the per-action JSON envelope: command run, exit code,
|
|
stdout/stderr digest, file path, byte counts, etc. Schema is
|
|
deliberately loose — the worker can extend it without a migration.
|
|
"""
|
|
__tablename__ = "orchestrator_events"
|
|
__table_args__ = (
|
|
Index("ix_orchestrator_events_dst_ts", "dst_decky_uuid", "ts"),
|
|
)
|
|
uuid: str = Field(default_factory=lambda: str(uuid4()), primary_key=True)
|
|
ts: datetime = Field(
|
|
default_factory=lambda: datetime.now(timezone.utc), index=True
|
|
)
|
|
kind: str = Field(index=True, max_length=16) # traffic|file
|
|
protocol: str = Field(index=True, max_length=16) # ssh for MVP
|
|
action: str = Field(max_length=64) # exec:uptime|file:create|...
|
|
src_decky_uuid: Optional[str] = Field(
|
|
default=None, foreign_key="topology_deckies.uuid", index=True
|
|
)
|
|
dst_decky_uuid: str = Field(
|
|
foreign_key="topology_deckies.uuid", index=True
|
|
)
|
|
success: bool = Field(default=False, index=True)
|
|
payload: str = Field(
|
|
sa_column=Column("payload", Text, nullable=False, default="{}")
|
|
)
|
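Review bot: the ``"traffic"`` bullet of the class docstring is out of step with the commit message. The docstring says the MVP drives the SSH connection from the host, so ``src_decky_uuid`` may differ from the real TCP source until ``v1`` moves the connection inside the source container, and it describes the action as "SSH command exec"; the commit message says the MVP already runs python3 inside the src container and only TCP-connects to dst:22 to read the SSH banner, without shipping creds. One of the two is stale. If the container-side, banner-only driver is what shipped, drop the host-driven caveat and the ``v1`` sentence, and reword "SSH command exec for MVP" to the banner read, so that anyone correlating ``src_decky_uuid`` against flow or pcap data, or reading ``action`` values like ``exec:uptime``, is not misled about what actually happened on the wire.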