feat(ssh): capture attacker-dropped files with session attribution

inotifywait watches writable paths in the SSH decky and mirrors any file close_write/moved_to into a per-decky host-mounted quarantine dir. Each artifact carries a .meta.json with attacker attribution resolved by walking the writer PID's PPid chain to the sshd session leader, then cross-referencing ss and utmp for source IP/user/login time. Also emits an RFC 5424 syslog line per capture for SIEM correlation.
2026-04-17 22:20:05 -04:00
parent edc5c59f93
commit a773dddd5c
5 changed files with 390 additions and 4 deletions
--- a/templates/ssh/entrypoint.sh
+++ b/templates/ssh/entrypoint.sh
@@ -40,5 +40,10 @@ cat /var/run/decnet-logs &
 # Start rsyslog (reads /etc/rsyslog.d/99-decnet.conf, writes to the pipe above)
 rsyslogd

+# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
+# exec -a masks the process name so casual `ps` inspection doesn't reveal the honeypot.
+CAPTURE_DIR=/var/decnet/captured \
+    bash -c 'exec -a "[kworker/u8:0]" /usr/local/sbin/decnet-capture' &
+
 # sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
 exec /usr/sbin/sshd -D