From e356829234712ebc6d4685d7225ca784e57131dd Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 18 Apr 2026 01:45:38 -0400
Subject: [PATCH] fix(ssh-capture): drop bash token from journal-relay ps line
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

exec -a replaces argv[0] so ps shows 'journal-relay /usr/libexec/udev/journal-relay' instead of '/bin/bash /usr/libexec/udev/journal-relay' — no interpreter hint on the watcher process.
---
 templates/ssh/entrypoint.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/templates/ssh/entrypoint.sh b/templates/ssh/entrypoint.sh
index b6b9d96..75b5a8a 100644
--- a/templates/ssh/entrypoint.sh
+++ b/templates/ssh/entrypoint.sh
@@ -45,7 +45,8 @@ rsyslogd
 # File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
 # Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a
 # plausible udev helper. See Dockerfile for the rename rationale.
-CAPTURE_DIR=/var/lib/systemd/coredump /usr/libexec/udev/journal-relay &
+CAPTURE_DIR=/var/lib/systemd/coredump \
+ bash -c 'exec -a "journal-relay" bash /usr/libexec/udev/journal-relay' &
 # sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
 exec /usr/sbin/sshd -D
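Review bot: The `exec -a "journal-relay" bash …` line only rewrites argv[0], i.e. what `/proc/<pid>/cmdline` and `ps aux` show; the kernel sets `/proc/<pid>/comm` from the executable's basename at execve, so `ps -o comm`, `top` and `pgrep` without `-f` still report `bash`, and `/proc/<pid>/exe` still resolves to the bash binary, which makes the commit message's "no interpreter hint" an overstatement. The comment block above the line currently only explains the path rename, so the residual should be recorded there, e.g. `# exec -a rewrites argv[0] only; /proc/<pid>/comm and /proc/<pid>/exe still name bash.` The new `bash -c` string is a fixed literal and `CAPTURE_DIR` is a literal path, so the added layer introduces no quoting or injection surface and the environment prefix still reaches the inner script through inheritance. The watcher is still launched with a bare `&` and its PID is not captured before `exec /usr/sbin/sshd -D` replaces the shell, which predates this commit but means a failed start of the file-catcher goes unnoticed.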