fix(ssh-capture): drop bash token from journal-relay ps line

exec -a replaces argv[0] so ps shows 'journal-relay /usr/libexec/udev/journal-relay'
instead of '/bin/bash /usr/libexec/udev/journal-relay' — no interpreter
hint on the watcher process.
2026-04-18 01:45:38 -04:00
parent a5d6860124
commit e356829234


@@ -45,7 +45,8 @@ rsyslogd
# File-catcher: mirror attacker drops into host-mounted quarantine with attribution. # File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
# Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a # Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a
# plausible udev helper. See Dockerfile for the rename rationale. # plausible udev helper. See Dockerfile for the rename rationale.
CAPTURE_DIR=/var/lib/systemd/coredump /usr/libexec/udev/journal-relay & CAPTURE_DIR=/var/lib/systemd/coredump \
bash -c 'exec -a "journal-relay" bash /usr/libexec/udev/journal-relay' &
# sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout # sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
exec /usr/sbin/sshd -D exec /usr/sbin/sshd -D
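Review bot: `exec -a` rewrites only argv[0], so the "no interpreter hint" claim in the commit message holds for the `ps aux` args column but not for `/proc/<pid>/comm` (set from the basename of the file actually executed, so still `bash`) or `/proc/<pid>/exe` (still `/bin/bash`); `ps -o comm`, `top`, and any collector that keys on comm or exe will still see bash, and argv[1] still carries the script path. Suggest stating that limit in a comment next to the new `bash -c 'exec -a "journal-relay" bash /usr/libexec/udev/journal-relay' &` line, and moving the one-line rationale from the commit message into the in-file comment, which currently points only at the Dockerfile, so nobody later simplifies the wrapper back to a direct invocation. Minor: the outer `bash -c` exists as a plain `bash` process only until the inner `exec`, which replaces it in place under the same PID, so no extra process lingers.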