SQL Traffic Recording
PAM Session Event recording enables the ability to save SQL statements to the Session Events Logs when connecting to a MySQL or MS SQL Server database through the use of a SSH Proxy tunnel using native clients such as MySQL Workbench, MS SQL Studio, command line SQL prompts or other client applications.
The option to record this SQL traffic helps management and auditors to understand typical administration activities, alert stakeholders about suspicious queries or to comply with regulations.
The traffic recording option is enabled automatically for PAM channels opened through the SSH Tunnel using the database’s standard ports (port 3306 for MySQL and port 1433 for MS SQL).
It is also possible to provide hints to the SSH Tunnel to enable traffic monitoring established over non-standard ports.
See the section below named Capturing SQL Traffic from PAM SSH Tunnel Sessions Over Non-Standard Ports for configuration.
The traffic recording option is enabled by PAM’s Session Control Recording roles.
To capture the SQL traffic of a user or group, simply assign one of the Session Control levels that include the with Session Events options.
More information about PAM Permission Levels can be found here.
Capturing SQL Traffic from PAM SSH Tunnel Sessions Over Standard Ports
The following section describes how to enable SQL Traffic to be recorded to a session’s Session Event report when the tunnel is using standard ports (for example, port 3306 for MySQL or port 1433 for MS SQL).
It is assumed that an SSH Tunnel session is already configured properly in PAM.
Capturing SQL Traffic from PAM SSH Tunnel Sessions Over Non-Standard Ports