How to live-audit another user's SSH session when a protocol tunnel was used with PRA

1. The first party opens a protocol tunnel and then an SSH session with PuTTY to the Endpoint.

2. The auditing party opens a protocol tunnel and then an SSH session with PuTTY to the Endpoint.

3. The auditing party checks its own pts id with the following command:
> who am i

4. The auditing party now checks who else is logged in with the following command:
> who -a

5. Note the [ptsid] that is not your own (your own is the one from Step 3).

6. Now "mirror" the other user's SSH session:
> tty=pts/[ptsid]
> sudo peekfd -8cnd $(ps -fat | grep "$tty *Ss" | awk '{print$1}') 0 1 2
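
The lookups in steps 3 to 6 as a small script, added here as an example and not part of the original procedure. The function names are hypothetical, the `who -a` and `ps` sample output is constructed, and the session leader is found with `ps -t ... -o pid=,stat=` instead of grepping the full process list.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# List live pts ttys from `who` / `who -a` output on stdin, excluding the
# auditor's own tty ($1). Dead entries (exit=...) shown by `who -a` are skipped.
other_pts() {
    awk -v own="$1" '
        /exit=/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^pts\/[0-9]+$/ && $i != own) { print $i; break } }'
}

# Pick the session leader (STAT contains "s") from "PID STAT" lines on stdin.
leader_pid() {
    awk '$2 ~ /s/ { print $1; exit }'
}

# Steps 3-6 on a live host: mirror fds 0, 1 and 2 of the shell on tty $1.
mirror() {
    # Basic shape check on the argument before it reaches ps.
    case "$1" in pts/[0-9]*) ;; *) echo "usage: mirror pts/N" >&2; return 2 ;; esac
    own=$(who am i | awk '{ print $2 }')
    [ "$1" != "$own" ] || { echo "$1 is your own session" >&2; return 2; }
    pid=$(ps -t "$1" -o pid=,stat= | leader_pid)
    [ -n "$pid" ] || { echo "no session leader on $1" >&2; return 1; }
    sudo peekfd -8cnd "$pid" 0 1 2
}

# Constructed sample output (not captured from a real host).
SAMPLE_WHO='           system boot  2024-05-01 08:00
LOGIN      tty1         2024-05-01 08:00               812 id=tty1
alice    + pts/0        2024-05-01 09:12   .          1234 (192.0.2.10)
bob      + pts/1        2024-05-01 09:15 00:02        1301 (192.0.2.10)
           pts/2        2024-05-01 08:40              1100 id=ts/2  term=0 exit=0'
SAMPLE_PS=' 1234 Ss
 1290 S+'

# Demo on the samples: the auditor is on pts/1.
echo "other sessions: $(printf '%s\n' "$SAMPLE_WHO" | other_pts pts/1)"
echo "leader pid:     $(printf '%s\n' "$SAMPLE_PS" | leader_pid)"
```

On the Endpoint, source the file and call `mirror pts/[ptsid]` with the id noted in step 5.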




Alternatively, a third-party tool like ssh-audit can be used for that purpose.

