Every Linux process carries a teletype writer (TTY) attribute: the terminal, if any, that the process is attached to. In an F5 Distributed Cloud App Infrastructure Protection (AIP) event, the tty field records this value, so it tells you whether a terminal was in use when the command ran.
Using tty as a search term in Distributed Cloud AIP is a quick way to surface potentially risky user behaviour. For example:
- To find processes that were not started from an interactive shell (daemons, cron jobs, service-spawned processes, and other commands not issued over a remote shell such as ssh or telnet), search for tty = null
- To find commands issued by an active user in an interactive session, whether over a remote shell such as ssh or telnet or at a local console (a console login is allocated a tty too), search for tty != null
Since Ansible issues its commands over ssh and, by default, requests a pseudo-terminal (its ssh connection plugin passes -tt to force tty allocation), those commands also appear in a tty != null search even though no human user is typing them. If you want only interactive activity, filter Ansible's commands out by user or by the module path in the command's arguments.
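The searches above, run over a handful of constructed process events, as an added example that is not AIP code. It evaluates the `tty = null` / `tty != null` terms the text describes and then applies a heuristic (an assumption, not an AIP feature) to strip the Ansible-over-ssh case: Ansible copies each module to `~/.ansible/tmp/ansible-tmp-*/AnsiballZ_*.py` on the target before running it, so that path in the arguments betrays automation even when the tty field looks interactive. The field names (tty, user, exe, args) are assumed for the sample and are not a statement of the real AIP event schema.

```python
"""Classify process events by their tty field, the way a `tty = null` /
`tty != null` search does, and flag the Ansible-over-ssh case.

Added example, not F5 / Distributed Cloud AIP code. Event records are
constructed; the field names (tty, user, exe, args) are assumptions.
"""
import re

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"user": "root",   "tty": None,    "exe": "/usr/sbin/cron",
     "args": "/usr/sbin/cron -f"},                       # daemon, no terminal
    {"user": "www",    "tty": "",      "exe": "/usr/bin/php",
     "args": "php-fpm: pool www"},                       # service worker
    {"user": "alice",  "tty": "pts/0", "exe": "/usr/bin/cat",
     "args": "cat /etc/shadow"},                         # human over ssh
    {"user": "bob",    "tty": "tty1",  "exe": "/usr/bin/sudo",
     "args": "sudo -i"},                                 # human at local console
    {"user": "deploy", "tty": "pts/3", "exe": "/usr/bin/python3",
     "args": "/usr/bin/python3 /home/deploy/.ansible/tmp/"
             "ansible-tmp-1700000000.1-1234/AnsiballZ_setup.py"},  # Ansible, -tt
]

# Single-term query: `field = value` or `field != value` (the only shape used above).
_TERM = re.compile(r"^\s*(\w+)\s*(!=|=)\s*(\S+)\s*$")


def matches(event: dict, query: str) -> bool:
    """Evaluate one search term against one event.

    In this example `null` matches a missing, None or empty field; whether
    the real search engine treats "" as null is an assumption.
    """
    m = _TERM.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    field, op, value = m.groups()
    actual = event.get(field)
    hit = actual in (None, "") if value == "null" else actual == value
    return hit if op == "=" else not hit


def search(events, query: str):
    """Return the events that satisfy the query, preserving order."""
    return [e for e in events if matches(e, query)]


# Hypothetical heuristic: substrings that Ansible's module transport leaves in args.
_ANSIBLE_HINTS = ("/.ansible/tmp/", "AnsiballZ_")


def is_ansible_managed(event: dict) -> bool:
    """True when the command looks like an Ansible module execution."""
    return any(hint in event.get("args", "") for hint in _ANSIBLE_HINTS)


def interactive_humans(events):
    """`tty != null` with the Ansible-over-ssh noise removed."""
    return [e for e in search(events, "tty != null") if not is_ansible_managed(e)]


if __name__ == "__main__":
    for q in ("tty = null", "tty != null"):
        print(q, "->", [e["user"] for e in search(SAMPLE_EVENTS, q)])
    print("interactive humans ->", [e["user"] for e in interactive_humans(SAMPLE_EVENTS)])
```

Note that `bob` is kept by `tty != null` even though he never touched ssh: a console login gets a tty just as a remote shell does, so the search identifies interactive use, not remoteness.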