From 1519390f085f73b4babfc84cef0797ac32134e1e Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sun, 19 Oct 2025 16:40:42 +0000 Subject: [PATCH] security: enhance logging for denied privileged method calls Improved security audit trail for attempted container privilege escalation: - Added detailed logging when containers attempt privileged methods - Logs UID, GID, PID, correlation ID, and method name - Marked with "SECURITY:" prefix for easy filtering/alerting - Helps operators detect and investigate compromise attempts Example log output: SECURITY: Container attempted to call privileged method - access denied method=ensure_cluster_keys uid=101000 gid=101000 pid=12345 Addresses Codex recommendation for comprehensive logging of denied privileged RPCs to enable monitoring and alerting on attempted abuse. --- cmd/pulse-sensor-proxy/main.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/cmd/pulse-sensor-proxy/main.go b/cmd/pulse-sensor-proxy/main.go index 4e23672..de636a2 100644 --- a/cmd/pulse-sensor-proxy/main.go +++ b/cmd/pulse-sensor-proxy/main.go @@ -400,9 +400,13 @@ func (p *Proxy) handleConnection(conn net.Conn) { // Privileged methods can only be called from host (not from containers) if p.isIDMappedRoot(cred) { resp.Error = "method requires host-level privileges" - logger.Warn(). + log.Warn(). Str("method", req.Method). - Msg("Container attempted to call privileged method") + Uint32("uid", cred.uid). + Uint32("gid", cred.gid). + Uint32("pid", cred.pid). + Str("corr_id", req.CorrelationID). + Msg("SECURITY: Container attempted to call privileged method - access denied") p.sendResponse(conn, resp) p.metrics.rpcRequests.WithLabelValues(req.Method, "unauthorized").Inc() return