Fosdem17 honeypot your database server


Transcript of Fosdem17 honeypot your database server

Page 1: Fosdem17 honeypot your database server

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |

Honeypot Your Database

Georgi “Joro” Kodinov


Page 2: Fosdem17 honeypot your database server


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 3: Fosdem17 honeypot your database server


A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. – Wikipedia


Page 4: Fosdem17 honeypot your database server


Honeypot Variant 1: Detect


Page 5: Fosdem17 honeypot your database server


Honeypot Variant 2: Deflect


Page 6: Fosdem17 honeypot your database server


Honeypot Variant 3: Counteract


Page 7: Fosdem17 honeypot your database server


Let’s Do Detect !


Page 8: Fosdem17 honeypot your database server


Practicalities

Page 9: Fosdem17 honeypot your database server


Introducing github.com/gkodinov/audit_tripwire

• An audit log plugin

• Listens on table access events

• If a non-DBA accesses a pre-defined “attractive” table

– Logs a special message for the DBA into the server error log

– Rejects all further commands until the DBA resets it

• Couple of lines of code

• Easily customizable


Page 10: Fosdem17 honeypot your database server


A Taste of Code

    static int audit_tripwire_notify(MYSQL_THD thd,
                                     mysql_event_class_t event_class,
                                     const void *event)
    {
      /* if we're in panic mode stop all commands from non-supers */
      if (panic_mode_value && !is_super(thd))
        return TRUE;

      /* Check if the table (if specified) is accessed */
      if (event_class == MYSQL_AUDIT_TABLE_ACCESS_CLASS &&
          (audit_tripwire_table_value || audit_tripwire_db_value))
      {
        const struct mysql_event_table_access *table_access=
          (const struct mysql_event_table_access *)event;

        if (!is_super(thd))
        {
          /* check for a matching table name
             (note: only the first table_name.length characters are compared,
             so a configured value that starts with the accessed name also matches) */
          if (audit_tripwire_table_value &&
              strncmp(table_access->table_name.str,
                      audit_tripwire_table_value,
                      table_access->table_name.length))
            return FALSE;

          /* check for a matching database name */
          if (audit_tripwire_db_value &&
              strncmp(table_access->table_database.str,
                      audit_tripwire_db_value,
                      table_access->table_database.length))
            return FALSE;

          /* table is accessed. Time to panic ! */
          my_plugin_log_message(&plugin, MY_WARNING_LEVEL,
                                "Tripwire table `%s`.`%s` accessed from "
                                "connection id %d. Switching to panic mode",
                                …));
          panic_mode_value= TRUE;
          return TRUE;
        }
      }

      return FALSE;
    }


Page 11: Fosdem17 honeypot your database server


Compile

• Put the files in plugin/audit_tripwire of a source distro or a git tree

• Compile the source distro

• See http://dev.mysql.com/doc/refman/5.7/en/compiling-plugin-libraries.html for more details


Page 12: Fosdem17 honeypot your database server


Set audit_tripwire Up

• CREATE DATABASE hr;

• CREATE TABLE hr.salaries(person varchar(100), salary integer);

• GRANT ALL PRIVILEGES on hr.* to ''@'localhost';

• INSTALL PLUGIN audit_tripwire SONAME 'audit_tripwire.dll';

• SET GLOBAL audit_tripwire_table='salaries';

• SET GLOBAL audit_tripwire_db='hr';


Page 13: Fosdem17 honeypot your database server


The Lateral Movement (as haxor@localhost)

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | hr                 |
    +--------------------+
    2 rows in set (0.00 sec)


Page 14: Fosdem17 honeypot your database server


The Lateral Movement (as haxor@localhost)

    mysql> use hr;
    Database changed
    mysql> show tables;
    +--------------+
    | Tables_in_hr |
    +--------------+
    | salaries     |
    +--------------+
    1 row in set (0.00 sec)


Page 15: Fosdem17 honeypot your database server


The Lateral Movement (as haxor@localhost)

    mysql> show create table salaries\G
    *************************** 1. row ***************************
           Table: salaries
    Create Table: CREATE TABLE `salaries` (
      `person` varchar(100) DEFAULT NULL,
      `salary` int(11) DEFAULT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1
    1 row in set (0.00 sec)


Page 16: Fosdem17 honeypot your database server


Mmmmmmm !?!

Page 17: Fosdem17 honeypot your database server


The Trespassing (as haxor@localhost)

    mysql> select * from salaries limit 10;
    ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_TABLE_ACCESS_READ';1).
    mysql> select 1;
    ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_COMMAND_START';1).

Server’s console/error log:

    2017-01-20T15:30:31.285577Z 14 [Warning] Plugin audit_tripwire reported: 'Tripwire table `hr`.`salaries` accessed from connection id 14. Switching to panic mode'
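The plugin only writes that warning to the error log, so something has to watch the log for it before the DBA can react. The following is an added example, not part of the talk or the audit_tripwire project: it parses MySQL 5.7 error-log lines and extracts each tripwire panic event as a structured record. The sample log is constructed here around the line shown above, and `parse_tripwire_alerts` and `TripwireAlert` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# MySQL 5.7 error log line layout: "<ISO timestamp>Z <thread id> [<level>] <message>"
_LOG_LINE = re.compile(
    r"^(?P<ts>\S+Z)\s+(?P<tid>\d+)\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
# The message audit_tripwire writes when it switches to panic mode (format taken from the slide).
_TRIPWIRE_MSG = re.compile(
    r"Plugin audit_tripwire reported: 'Tripwire table `(?P<db>[^`]+)`\.`(?P<table>[^`]+)` "
    r"accessed from connection id (?P<conn>\d+)\. Switching to panic mode'"
)


@dataclass(frozen=True)
class TripwireAlert:
    when: datetime
    thread_id: int
    db: str
    table: str
    connection_id: int


def parse_tripwire_alerts(log_text):
    """Return one TripwireAlert per audit_tripwire panic message found in the error log."""
    alerts = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m or m.group("level") != "Warning":
            continue  # not a well-formed line, or not a warning: ignore
        t = _TRIPWIRE_MSG.search(m.group("msg"))
        if not t:
            continue  # some other warning
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        alerts.append(TripwireAlert(when, int(m.group("tid")), t.group("db"),
                                    t.group("table"), int(t.group("conn"))))
    return alerts


# Constructed sample log: the slide's tripwire line surrounded by unrelated noise lines.
SAMPLE_LOG = """\
2017-01-20T15:29:58.001000Z 0 [Note] InnoDB: Buffer pool(s) load completed at 170120 15:29:58
2017-01-20T15:30:31.285577Z 14 [Warning] Plugin audit_tripwire reported: 'Tripwire table `hr`.`salaries` accessed from connection id 14. Switching to panic mode'
2017-01-20T15:30:40.000000Z 15 [Note] Aborted connection 15 to db: 'hr' user: 'haxor' host: 'localhost' (Got an error reading communication packets)
"""

if __name__ == "__main__":
    for a in parse_tripwire_alerts(SAMPLE_LOG):
        print(f"{a.when.isoformat()} tripwire hit on `{a.db}`.`{a.table}` by connection {a.connection_id}")
```

Once an alert fires, the connection id in the record is what the DBA would look up before resetting audit_tripwire_panic_mode as shown in the defusing step.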

Page 18: Fosdem17 honeypot your database server


Buuuuzzzzzz !

Page 19: Fosdem17 honeypot your database server


Defusing (as root@localhost)

    mysql> set global audit_tripwire_panic_mode=0;
    Query OK, 0 rows affected (0.00 sec)


Page 20: Fosdem17 honeypot your database server


Questions ?
