fix(ssh-capture): collapse duplicate journal-relay bash in ps

inotify | while spawns a subshell for the tail of the pipeline, so
two bash processes (the script itself and the while-loop subshell)
showed up under /usr/libexec/udev/journal-relay in ps aux. Enable
lastpipe so the while loop runs in the main shell — ps now shows
one bash plus the inotify child, matching a simple udev helper.
2026-04-17 23:04:33 -04:00
parent 8dd4c78b33
commit a5d6860124

@@ -1,6 +1,12 @@
#!/bin/bash #!/bin/bash
# SSH honeypot file-catcher. # SSH honeypot file-catcher.
# #
# `lastpipe` runs the tail of `inotify | while` in the current shell, so
# `ps aux` shows one bash instead of two. Job control must be off for
# lastpipe to apply — non-interactive scripts already have it off.
shopt -s lastpipe
set +m
#
# Watches attacker-writable paths with inotifywait. On close_write/moved_to, # Watches attacker-writable paths with inotifywait. On close_write/moved_to,
# copies the file to the host-mounted quarantine dir, writes a .meta.json # copies the file to the host-mounted quarantine dir, writes a .meta.json
# with attacker attribution, and emits an RFC 5424 syslog line. # with attacker attribution, and emits an RFC 5424 syslog line.
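Review bot: the new `shopt -s lastpipe` / `set +m` lines are inserted in the middle of the header comment, so the lone `#` and the "Watches attacker-writable paths…" description that follow now read as a second, detached comment block; move the two commands (and their explanatory comment) below the full header so the description stays with the shebang line. Two smaller points on the same lines: `lastpipe` only exists in bash 4.2 and later, and on an older bash `shopt -s lastpipe` prints an error and returns non-zero but the script keeps running with the old two-process behaviour, so either guard it (`shopt -s lastpipe || exit 1`) or note the minimum version in the comment; and `set +m` is redundant for a non-interactive script, as the comment itself says, which is fine as a belt-and-braces setting but worth stating explicitly so a later reader does not assume it is load-bearing. Also worth a line in the comment: with `lastpipe` the `while` body runs in the main shell, so any variables it sets now persist after the loop and any `exit` inside it terminates the whole script rather than just the subshell.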