fix(ssh-capture): collapse duplicate journal-relay bash in ps

inotify | while spawns a subshell for the tail of the pipeline, so two bash processes (the script itself and the while-loop subshell) showed up under /usr/libexec/udev/journal-relay in ps aux. Enable lastpipe so the while loop runs in the main shell — ps now shows one bash plus the inotify child, matching a simple udev helper.
2026-04-17 23:04:33 -04:00
parent 8dd4c78b33
commit a5d6860124
1 changed files with 6 additions and 0 deletions
--- a/templates/ssh/capture.sh
+++ b/templates/ssh/capture.sh
@@ -1,6 +1,12 @@
 #!/bin/bash
 # SSH honeypot file-catcher.
 #
+# `lastpipe` runs the tail of `inotify | while` in the current shell, so
+# `ps aux` shows one bash instead of two. Job control must be off for
+# lastpipe to apply — non-interactive scripts already have it off.
+shopt -s lastpipe
+set +m
+#
 # Watches attacker-writable paths with inotifywait. On close_write/moved_to,
 # copies the file to the host-mounted quarantine dir, writes a .meta.json
 # with attacker attribution, and emits an RFC 5424 syslog line.