This document discusses using a honeypot technique to detect unauthorized access to a database. It presents an audit plugin called audit_tripwire that can be installed on a MySQL database. The plugin monitors for any non-administrator users accessing predefined "attractive" tables and logs a warning. It then prevents further commands on the database by that user until an administrator intervenes. The document provides example code of how the plugin works and instructions for compiling, installing, and testing it on a sample database.

1. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Honeypot Your Database
Georgi “Joro” Kodinov
Copyright © 2019, Oracle and/or its affiliates. All rights reserved.

2. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
2

3. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Georgi “Joro” Kodinov, MySQL @ Oracle
 Server General Team Lead
 Works on MySQL since 2006
 Specializes in:
 Security
 Client/server protocol
 Performance monitoring
 Component infrastructure
 Loves history, diverse world cultures, technology
 A devoted Formula 1 fan (Go, Leclerc !)

4. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
A honeypot is a computer security
mechanism set to detect, deflect, or, in
some manner, counteract attempts at
unauthorized use of information
systems.
– Wikipedia
4

5. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Honeypot Variant 1: Detect
5

6. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Honeypot Variant 2: Deflect
6

7. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Honeypot Variant 3: Counteract
7

8. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Let’s Do Detect !
Confidential – Oracle Internal/Restricted/Highly Restricted 8

9. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. | 9
Practicalities

10. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
But First: Some Terminology !
Confidential – Oracle Internal/Restricted/Highly Restricted 10

11. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The MySQL Server Architecture
Confidential – Oracle Internal/Restricted/Highly Restricted 11
Query
Processor
Storage Engine1 Storage Engine2
Plugins
Plugin API
Plugin
Services
Storage Engine
API
Network

12. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Popular Plugin Types
Type Purpose
Storage Engine API Implements a database table
Audit API Fires at various server events (e.g. a new login, a query start, a query end, etc)
User Defined Functions Implements SQL callable function in native language
Authentication External authentication for MySQL
Daemon Just init and deinit: no further calls
Confidential – Oracle Internal/Restricted/Highly Restricted 12

13. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Introducing github.com/gkodinov/audit_tripwire
• An audit log plugin
• Listens on table access events
• If a non-DBA accesses a pre-defined “attractive” table
– Logs a special message for the DBA into the server error log
– Rejects all further commands until the DBA resets it
• Couple of lines of code
• Easily customizable
13

14. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
A Taste of Code
static int
audit_tripwire_notify(MYSQL_THD thd,
mysql_event_class_t event_class,
const void *event)
{
/* if we're in panic mode stop all commands from non-supers */
if (panic_mode_value && !is_super(thd))
return TRUE;
/* Check if the table (if specified) is accessed */
if (event_class == MYSQL_AUDIT_TABLE_ACCESS_CLASS &&
(audit_tripwire_table_value || audit_tripwire_db_value))
{
const struct mysql_event_table_access *table_access=
(const struct mysql_event_table_access *)event;
if (!is_super(thd))
{
/* check for a matching table name */
if (audit_tripwire_table_value &&
strncmp(table_access->table_name.str,
audit_tripwire_table_value,
table_access->table_name.length))
return FALSE;
/* check for a matching database name */
if (audit_tripwire_db_value &&
strncmp(table_access->table_database.str,
audit_tripwire_db_value,
table_access->table_database.length))
return FALSE;
/* table is accessed. Time to panic ! */
my_plugin_log_message(&plugin, MY_WARNING_LEVEL,
"Tripwire table `%s`.`%s` accessed from "
"connection id %d. Switching to panic mode",…)
);
panic_mode_value= TRUE;
return TRUE;
}
}
return FALSE;
}
14

15. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Compile
• Put the files in plugin/audit_tripwire of a source distro or a git tree
• Compile the source distro
• http://dev.mysql.com/doc/refman/5.7/en/compiling-plugin-libraries.html
for more details
15

16. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Set audit_tripwire Up
• CREATE DATABASE hr;
• CREATE TABLE hr.salaries(person varchar(100), salary integer);
• GRANT ALL PRIVILEGES on hr.* to ''@'localhost';
• INSTALL PLUGIN audit_tripwire SONAME 'audit_tripwire.dll';
• SET GLOBAL audit_tripwire_table='salaries';
• SET GLOBAL audit_tripwire_db='hr';
16

17. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The Lateral Movement (as haxor@localhost)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| hr |
+--------------------+
2 rows in set (0.00 sec)
17

18. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The Lateral Movement (as haxor@localhost)
mysql> use hr;
Database changed
mysql> show tables;
+--------------+
| Tables_in_hr |
+--------------+
| salaries |
+--------------+
1 row in set (0.00 sec)
18

19. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The Lateral Movement (as haxor@localhost)
mysql> show create table salariesG
*************************** 1. row ***************************
Table: salaries
Create Table: CREATE TABLE `salaries` (
`person` varchar(100) DEFAULT NULL,
`salary` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.00 sec)
19

20. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. | 20
Mmmmmmm !?!

21. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The Trespassing (as haxor@localhost)
mysql> select * from salaries limit 10;
ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_TABLE_ACCESS_READ';1).
mysql> select 1;
ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_COMMAND_START';1).
21
2019-09-20T15:30:31.285577Z 14 [Warning] Plugin audit_tripwire reported:
'Tripwire table `hr`.`salaries` accessed from connection id 14. Switching to
panic mode'
Server’s console/error log

22. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. | 22
Buuuuzzzzzz !

23. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Defusing (as root@localhost)
mysql> set global audit_tripwire_panic_mode=0;
Query OK, 0 rows affected (0.00 sec)
23

24. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Questions ?
24