anti a773dddd5c feat(ssh): capture attacker-dropped files with session attribution ...

inotifywait watches writable paths in the SSH decky and mirrors any
file close_write/moved_to into a per-decky host-mounted quarantine dir.
Each artifact carries a .meta.json with attacker attribution resolved
by walking the writer PID's PPid chain to the sshd session leader,
then cross-referencing ss and utmp for source IP/user/login time.
Also emits an RFC 5424 syslog line per capture for SIEM correlation.

2026-04-17 22:20:05 -04:00

3.5 KiB

Raw Blame History

View Raw