anti
b0e00a6cc4
The named pipe at /run/systemd/journal/syslog-relay had two problems beyond its argv leak: any root-in-container process could (a) `cat` the pipe and watch the live SIEM feed, and (b) write to it and inject forged log lines. Since an attacker with a shell is already root inside the honeypot, file permissions can't fix it. Point rsyslog's auth/user actions directly at /proc/1/fd/1 — the container-stdout fd Docker attached to PID 1 — and delete the mkfifo + cat relay from the entrypoint. No pipe on disk, nothing to read, nothing to inject, and one fewer cloaked process in `ps`.
1.6 KiB
1.6 KiB