anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(ssh): capture attacker-dropped files with session attribution

Browse Source 
inotifywait watches writable paths in the SSH decky and mirrors any
file close_write/moved_to into a per-decky host-mounted quarantine dir.
Each artifact carries a .meta.json with attacker attribution resolved
by walking the writer PID's PPid chain to the sshd session leader,
then cross-referencing ss and utmp for source IP/user/login time.
Also emits an RFC 5424 syslog line per capture for SIEM correlation.
This commit is contained in:
anti
2026-04-17 22:20:05 -04:00
parent edc5c59f93
commit a773dddd5c
5 changed files with 390 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
decnet/services/ssh.py
View File

@@ -36,12 +36,17 @@ class SSHService(BaseService):
if "hostname" in cfg:
env["SSH_HOSTNAME"] = cfg["hostname"]
# File-catcher quarantine: bind-mount a per-decky host dir so attacker
# drops (scp/sftp/wget) are mirrored out-of-band for forensic analysis.
# The container path is internal-only; attackers never see this mount.
quarantine_host = f"/var/lib/decnet/artifacts/{decky_name}/ssh"
return {
"build": {"context": str(TEMPLATES_DIR)},
"container_name": f"{decky_name}-ssh",
"restart": "unless-stopped",
"cap_add": ["NET_BIND_SERVICE"],
"environment": env,
"volumes": [f"{quarantine_host}:/var/decnet/captured:rw"],
}
def dockerfile_context(self) -> Path: