Hello,
I’m trying to secure K8s environments with PodSecurityPolicy and keylogging.
For automated keylogging (started as pid 1), I’d like to use /usr/bin/script at ENTRYPOINT/CMD, which looks like below.
```
# docker run --rm -it -u 1000:100 ubuntu:xenial /usr/bin/script -a -f /tmp/test.log
$ ps -ef
UID PID PPID C STIME TTY TIME CMD
1000 1 0 0 07:45 pts/0 00:00:00 /usr/bin/script -a -f /tmp/test.log
1000 7 1 0 07:45 pts/1 00:00:00 sh -i
1000 12 7 0 07:48 pts/1 00:00:00 ps -ef
$ ls -l /tmp/test.log
-rw-r--r--. 1 1000 users 1955 Nov 12 07:48 /tmp/test.log
$ ls -l /tmp/test.log
-rw-r--r--. 1 1000 users 2076 Nov 12 07:48 /tmp/test.log
```
But when I deploy and click "Execute Shell" from the Rancher UI, logging does not seem to work.
```
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ps -ef
UID PID PPID C STIME TTY TIME CMD
1000 1 0 0 00:43 pts/0 00:00:00 /usr/bin/script -a -f -c /bin/bash /tmp/test.log
1000 7 1 0 00:43 pts/1 00:00:00 sh -c /bin/bash
1000 8 7 0 00:43 pts/1 00:00:00 /bin/bash
1000 11 0 0 00:43 pts/2 00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000 17 11 0 00:43 pts/2 00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000 18 17 0 00:43 pts/2 00:00:00 /usr/bin/script -q -c /bin/bash /dev/null
1000 19 18 0 00:43 pts/3 00:00:00 sh -c /bin/bash
1000 20 19 0 00:43 pts/3 00:00:00 /bin/bash
1000 23 20 0 00:43 pts/3 00:00:00 ps -ef
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log
```
I don’t know why, but I’m simply guessing it might be related to DEFAULT_COMMAND behavior.
So, I tried using my own shell script, but that also starts with DEFAULT_COMMAND.
- Tried putting /usr/bin/script in .bashrc; this caused a nested loop: script > bash > script > bash > and so on.
- Tried python or another binary as the entrypoint; changed nothing, it just started with /bin/bash > /bin/sh -c …
As @vincent commented in the link "How to interpret the DEFAULT_COMMAND of container console", DEFAULT_COMMAND is so complicated (coloring, setting sh to bash, etc.) that I couldn’t solve the problem.
Is there any possible way of avoiding DEFAULT_COMMAND for keylogging?
thanks,
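An added audit check, not from the original post and not Rancher's code: it reads a `ps -ef` listing like the two above, walks the PPID chain of a given shell, and reports which typescript file (if any) the nearest `/usr/bin/script` ancestor is recording to. It assumes the `ps -ef` column layout shown in the post (CMD starting at the eighth field); both listings are constructed from the post's output.

```shell
#!/bin/sh
# Constructed sample listings, copied from the two `ps -ef` outputs in the post.
PS_DOCKER='UID PID PPID C STIME TTY TIME CMD
1000 1 0 0 07:45 pts/0 00:00:00 /usr/bin/script -a -f /tmp/test.log
1000 7 1 0 07:45 pts/1 00:00:00 sh -i
1000 12 7 0 07:48 pts/1 00:00:00 ps -ef'

PS_RANCHER='UID PID PPID C STIME TTY TIME CMD
1000 1 0 0 00:43 pts/0 00:00:00 /usr/bin/script -a -f -c /bin/bash /tmp/test.log
1000 7 1 0 00:43 pts/1 00:00:00 sh -c /bin/bash
1000 8 7 0 00:43 pts/1 00:00:00 /bin/bash
1000 11 0 0 00:43 pts/2 00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000 17 11 0 00:43 pts/2 00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000 18 17 0 00:43 pts/2 00:00:00 /usr/bin/script -q -c /bin/bash /dev/null
1000 19 18 0 00:43 pts/3 00:00:00 sh -c /bin/bash
1000 20 19 0 00:43 pts/3 00:00:00 /bin/bash
1000 23 20 0 00:43 pts/3 00:00:00 ps -ef'

# session_recorder LISTING PID
# Walks up the PPID chain of PID in LISTING (ps -ef format, CMD from field 8 on)
# and prints the typescript file of the nearest /usr/bin/script ancestor, or
# "none" if the chain reaches PPID 0 without passing through script(1).
session_recorder() {
  listing=$1
  pid=$2
  while [ "$pid" != 0 ]; do
    line=$(printf '%s\n' "$listing" | awk -v p="$pid" '$2 == p')
    [ -n "$line" ] || break                 # PID not present in the listing
    ppid=$(printf '%s\n' "$line" | awk '{print $3}')
    cmd=$(printf '%s\n' "$line" | awk '{for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? OFS : ORS)}')
    case "$cmd" in
      /usr/bin/script*|script*)
        file=${cmd##* }                     # script(1) takes the typescript file as its last argument
        case "$file" in
          -*|*/script|script) file=typescript ;;   # no file given: script's default name
        esac
        printf '%s\n' "$file"
        return 0 ;;
    esac
    pid=$ppid
  done
  echo none
}
```

On the Rancher listing it reports /dev/null for the exec'd shell (pid 23), whose chain ends at pid 11 with PPID 0 and never passes through the pid 1 recorder, which is consistent with /tmp/test.log staying at 95 bytes.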