How to avoid DEFAULT_COMMAND of container console


#1

Hello,
I’m trying to secure K8s environments with PodSecurityPolicy and Keylogging.

For automated (started as PID 1) keylogging, I’d like to use /usr/bin/script as the ENTRYPOINT/CMD, which looks like below.

#  docker run --rm -it -u 1000:100 ubuntu:xenial /usr/bin/script -a -f /tmp/test.log
$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
1000         1     0  0 07:45 pts/0    00:00:00 /usr/bin/script -a -f /tmp/test.log
1000         7     1  0 07:45 pts/1    00:00:00 sh -i
1000        12     7  0 07:48 pts/1    00:00:00 ps -ef
$ ls -l /tmp/test.log
-rw-r--r--. 1 1000 users 1955 Nov 12 07:48 /tmp/test.log
$ ls -l /tmp/test.log
-rw-r--r--. 1 1000 users 2076 Nov 12 07:48 /tmp/test.log

But when I deploy it and click Execute Shell in the Rancher UI, logging doesn’t seem to work.

I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
1000         1     0  0 00:43 pts/0    00:00:00 /usr/bin/script -a -f -c /bin/bash /tmp/test.log
1000         7     1  0 00:43 pts/1    00:00:00 sh -c /bin/bash
1000         8     7  0 00:43 pts/1    00:00:00 /bin/bash
1000        11     0  0 00:43 pts/2    00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000        17    11  0 00:43 pts/2    00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000        18    17  0 00:43 pts/2    00:00:00 /usr/bin/script -q -c /bin/bash /dev/null
1000        19    18  0 00:43 pts/3    00:00:00 sh -c /bin/bash
1000        20    19  0 00:43 pts/3    00:00:00 /bin/bash
1000        23    20  0 00:43 pts/3    00:00:00 ps -ef
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log
I have no name!@ubuntu-original-77c55467d7-8xdvj:/$ ls -l /tmp/test.log
-rw-r--r-- 1 1000 root 95 Nov 13 00:43 /tmp/test.log

I don’t know why, but I’m simply guessing it might be related to the DEFAULT_COMMAND behavior.

So I tried using my own shell script, but that also starts with DEFAULT_COMMAND.

  • tried putting /usr/bin/script in .bashrc, which caused a nested loop: script > bash > script > bash > and so on.
  • tried python or another binary as the entrypoint, which changed nothing; it just started with /bin/bash > /bin/sh -c …

As @vincent commented in the linked thread How to interpret the DEFAULT_COMMAND of container console, DEFAULT_COMMAND is so complicated (coloring, setting sh to bash, etc.) that I couldn’t solve the problem.

Is there any possible way of avoiding DEFAULT_COMMAND for keylogging?

thanks,
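An added audit check (example code, not part of the original post or of Rancher) that explains what the `ps -ef` listing above shows: the exec'd shell (PID 11) has PPID 0, so it never descends from the PID 1 `script` logger, and the `script` it does run writes to /dev/null. The function walks each shell's ancestry and reports the shells that no file-backed `script` session covers; the sample listing is constructed from the post's output.

```python
import re
from typing import Dict, List

# Constructed sample: the `ps -ef` listing from the Rancher exec session in the post.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
1000         1     0  0 00:43 pts/0    00:00:00 /usr/bin/script -a -f -c /bin/bash /tmp/test.log
1000         7     1  0 00:43 pts/1    00:00:00 sh -c /bin/bash
1000         8     7  0 00:43 pts/1    00:00:00 /bin/bash
1000        11     0  0 00:43 pts/2    00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000        17    11  0 00:43 pts/2    00:00:00 /bin/sh -c TERM=xterm-256color; export TERM; [ -x /bin/bash ] && ([ -x /usr/bin/script ] && /usr/bin/script -q -c "/bin/bash" /dev/null || exec /bin/bash) || exec /bin/sh
1000        18    17  0 00:43 pts/2    00:00:00 /usr/bin/script -q -c /bin/bash /dev/null
1000        19    18  0 00:43 pts/3    00:00:00 sh -c /bin/bash
1000        20    19  0 00:43 pts/3    00:00:00 /bin/bash
1000        23    20  0 00:43 pts/3    00:00:00 ps -ef
"""

SHELL_RE = re.compile(r"^(\S*/)?(ba|da)?sh(\s|$)")  # sh, bash, dash with or without a path


def parse_ps(text: str) -> Dict[int, dict]:
    """Map PID -> {ppid, cmd} from `ps -ef` output (header line skipped)."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8:
            procs[int(fields[1])] = {"ppid": int(fields[2]), "cmd": fields[7]}
    return procs


def is_file_backed_logger(cmd: str) -> bool:
    """True for a `script` whose typescript goes to a real file, not /dev/null."""
    return cmd.startswith("/usr/bin/script") and not cmd.rstrip().endswith("/dev/null")


def logged_by_entrypoint(procs: Dict[int, dict], pid: int) -> bool:
    """Walk PPIDs upward; covered only if some ancestor is a file-backed `script`."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if is_file_backed_logger(procs[pid]["cmd"]):
            return True
        pid = procs[pid]["ppid"]  # reaches 0 for processes injected by exec
    return False


def unlogged_shells(text: str) -> List[int]:
    """PIDs of shells whose keystrokes the entrypoint logger cannot see."""
    procs = parse_ps(text)
    return sorted(p for p, info in procs.items()
                  if SHELL_RE.match(info["cmd"]) and not logged_by_entrypoint(procs, p))
```

Run against the sample, only the shells under PID 1 (7 and 8) are covered; the Rancher exec chain (11, 17, 19, 20) is not.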