From a5d686012430ef0b9b827ef9318ea9558531a2f1 Mon Sep 17 00:00:00 2001 From: anti Date: Fri, 17 Apr 2026 23:04:33 -0400 Subject: [PATCH] fix(ssh-capture): collapse duplicate journal-relay bash in ps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit inotify | while spawns a subshell for the tail of the pipeline, so two bash processes (the script itself and the while-loop subshell) showed up under /usr/libexec/udev/journal-relay in ps aux. Enable lastpipe so the while loop runs in the main shell — ps now shows one bash plus the inotify child, matching a simple udev helper. --- templates/ssh/capture.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/templates/ssh/capture.sh b/templates/ssh/capture.sh index c65e7b4..745926a 100755 --- a/templates/ssh/capture.sh +++ b/templates/ssh/capture.sh @@ -1,6 +1,12 @@ #!/bin/bash # SSH honeypot file-catcher. # +# `lastpipe` runs the tail of `inotify | while` in the current shell, so +# `ps aux` shows one bash instead of two. Job control must be off for +# lastpipe to apply — non-interactive scripts already have it off. +shopt -s lastpipe +set +m +# # Watches attacker-writable paths with inotifywait. On close_write/moved_to, # copies the file to the host-mounted quarantine dir, writes a .meta.json # with attacker attribution, and emits an RFC 5424 syslog line.
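Review bot: the `shopt -s lastpipe` / `set +m` block changes the semantics of the `inotify | while` loop, not just its process count, and the comment should say so. With the loop now running in the main shell, a `break`, `exit`, `return`, `cd` or variable assignment inside the loop body affects the whole script rather than a throw-away subshell, so any logic that relied on that isolation (for example `exit` used to drop a single event) needs to be re-checked. `lastpipe` also requires bash 4.2 or newer; the `#!/bin/bash` shebang does not guarantee that on older hosts, so either note the minimum version or guard with `if shopt -s lastpipe 2>/dev/null; then ... fi`. Finally, `set +m` is redundant in a non-interactive script (the comment already says job control is off there); keeping it is harmless, but the comment could be shortened to state that it is a defensive no-op rather than a requirement.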