Okay, let's get going. Right. So my name is Georgi Kolyanov. I am a senior development manager, or what used to be a team lead in the old MySQL days. I have a long history with MySQL, starting in 2006, and still happily at it, I guess.

Right. So we are going to talk today about something different. This is not a brilliant technical achievement. It's a way to basically hunt. So a bit of a different subject. This is a thing that just demonstrates ideas. It's not there for you to make decisions based on it. It will just demonstrate some options that you can take with MySQL.

All right. So, honeypotting. How many of you... Please raise your hands if you ever did anything with information security. Great. Great. Great. So to quote the book of all knowledge, honeypotting is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. So basically, I like the definition, and we are going to now examine what these words mean, the ones in bold. The bold is mine, actually.

All right. So, detect. Basically, you have something that people want, and you have an alarm attached to it. So whenever somebody tries to access the honey, you get an alarm. That's detecting. Deflecting is a bit different. You still have the valuable parts, but once people start trying to get those things, you get them into fairyland, basically. You show them unicorns, rainbows, or flags, you know. Basically, people think they are doing the real stuff, but they are actually, well, taking a ride in your theme park, pretty much. Right. So, and counteract. This is a bit harsher. There are no unicorns there, just a big old trap. So whenever somebody tries to access the honey, you catch them. That's plain and simple.

Okay. So let's do detect with MySQL. Right. So we said already we have the honey and we have the bell. So honey is data. That's easy.
I mean, well, people are after your data when they attack MySQL. They don't want anything else, pretty much. But you need the buzzer. You need to put something that will alarm you when people attack your data. So that's what I'm going to show you now. It's a simple plugin that I wrote. It's probably 20 lines of code. It's an audit log plugin. Those of you that have been to Mark Litz's session, he was talking about the same kind of plugin. So it's a pretty versatile way of doing things in MySQL. Basically, it reacts to a lot of events inside the server. So you can use it to do pretty interesting things. A lot of interesting things, actually.

Right. So what's the idea? The idea is that if a non-DBA accesses a predefined attractive table, then the plugin will detect that. It will log a special message for the DBA into the error log. And it will start rejecting all of the commands. Basically, the alarm is on and you are in panic mode. Right. So it's a couple of lines of code. I will actually show you some of that. And it's pretty easily customizable. This second definition here, it does not have to be that. It can be whatever you like it to do. But well, this is for demonstration purposes only. So it's a good goal.

Right. So this is how the code looks. I hope it's not too small. Okay, so here are the important parts. This is an audit log plugin. This is the panic mode part. So if it is in panic mode and you are not a SUPER user, then, well, it stops. It blocks you right there. This is the checking part right here. So this is what triggers the condition. It checks whether we are accessing tables and whether we have set up the plugin. So we have a table and a database value. And then if we have those, it checks the values against the table that is being supplied. And if it matches, then it enters panic mode. So in panic mode, it sets the panic mode flag, logs the message, and then tells the server to basically stop executing the current command. Right.
So this is the code. It's on GitHub. You can, well, play with it as much as you like. So how do you compile it? You take the GitHub repository, put it in, take a MySQL source distribution or a Git tree. You can just clone the MySQL source from there. And you put the code that is there, the C file and the CMake file, into this directory, the plugin directory for the tripwire, and then you compile as you normally do. So this will end up with a shared library, the plugin shared library, that you can load inside the server. There are more details at that URL. The process is described in detail. You can just follow the steps there.

All right. So this is what setting it up looks like. We first lay down the honey. So we basically create a human resources database. It does have to look attractive, so we create a human resources salaries table. And we eventually put some data into it, and then we grant all privileges on it to pretty much everybody that's logged in to the system. This is a special construct here, which applies this privilege to all users, current and future. Right. So we also set up the buzzer. We install the plugin itself. And we set the table to be the salaries table name and the database to be HR. So basically what this means is that every access to that table will trigger our buzzer. Right. So we have the two components of detection as mentioned already.

OK. So we have some unexpected visitors. Typically malicious users do something that is called lateral movement. So lateral movement is you use some legitimate ways to log into the database or to the object under attack. And then you start trying to see what else you can do, aside from the privileges that you know you have. So this is called lateral movement because you kind of move sideways and try to realize what is there. OK. So the user starts with the lateral movement by doing SHOW DATABASES. They want to see what databases they have access to. And they say, oh, OK, HR. That's interesting.
Right. So they switch to HR and they try to show the tables in it. That's also fine. I mean, there is a salaries table and it works. And there's no access to the salaries table just yet. So, well, it works. OK. SHOW CREATE TABLE. That works too. And it sounds attractive. There is a salary column. So OK. Great. Even better. Now the user has detected some valuable data, according to him, to extract. So they start with the extraction. They start with the SELECT from salaries. And what they get is this error here. That's our plugin kicking in. And then every subsequent command that they enter is also aborted, because the plugin has entered panic mode. So basically all commands by non-DBAs will end up like that. And you also get this buzzer inside your error log. You get a warning saying, OK, somebody's accessing the honeypot. Time to act. There is a connection ID here which should give you an idea of which connection this came from. Of course, this is just for demonstration purposes. You can print all kinds of information there. It's available. We just wanted it to be short. Right. So that's our buzzer kicking in.

OK. So now you go in as DBA. You assess the damage. You understand what was done. You eventually have audit logs turned on. So you have a full record of what happened. And after you are done with all these activities, you want to prime your honeypot again. So what you do is you reset the panic mode. And you are a DBA here, as root at localhost. So you can do that. And then after that, the system enters the initial state again. And it's ready to catch some more flies.

All right. And that's all of my talk, really. I hope you enjoyed it. If you have questions, please go ahead.

OK. So the question is whether the panic mode is global for the server or for this session only. Right. So right now, the way this plugin is created, it is global for all the sessions in the server.
Because the audit API event would fire for all the commands by all sessions, future and current. You can do it differently. You can do it per session. You can do it in all other ways. But you need to put in some more work.

OK. So the question is the following. Whether the tripwire is visible if you do SHOW GLOBAL VARIABLES. And is it possible to hide it? Yes. It is visible because it has two system variables. That's how you will see it. If you want to hide that, then you just need to configure your tripwire in a different way. Not through system variables. Well, read a configuration file or whatever.

More questions? No. OK. We'll finish early then. Great. Thank you.
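The tripwire logic the talk walks through (match the configured database and table, flip a server-wide panic flag, log the connection ID, refuse every further statement from anyone without SUPER, and let a DBA re-arm it), as an added example that is not the speaker's plugin or the code in the GitHub repository. It is a stand-alone C model of the audit callback so it compiles without the MySQL server headers: the `access_event` struct, the function names, the `tripwire_db`/`tripwire_table` settings standing in for the plugin's two system variables, and the `is_super` flag standing in for the SUPER privilege check are all assumptions, and the real audit API types (`mysql_event_table_access` and friends) are deliberately not used.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The two settings the talk exposes as system variables. Names assumed. */
static const char *tripwire_db = "hr";
static const char *tripwire_table = "salaries";

/* Server-wide panic flag: one global, as in the talk, not per-session. */
static bool panic_mode = false;

/* Last alarm written to the (simulated) error log. */
static char last_alarm[128] = "";

/* Modelled audit event; NOT MySQL's mysql_event_table_access struct. */
struct access_event {
    unsigned long connection_id;
    const char *db;      /* NULL when no database applies */
    const char *table;   /* NULL for statements that touch no table */
    bool is_super;       /* stands in for the SUPER privilege check (DBA) */
};

static bool names_match(const char *a, const char *b) {
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

bool tripwire_in_panic(void) { return panic_mode; }
const char *tripwire_last_alarm(void) { return last_alarm; }

/* Audit callback model: return 0 to let the statement run, 1 to abort it. */
int tripwire_notify(const struct access_event *ev) {
    /* Panic mode: every statement from a non-DBA is refused. */
    if (panic_mode && !ev->is_super)
        return 1;

    /* Trigger: a non-DBA touching the honey table. Exact, case-sensitive
       match; MySQL's lower_case_table_names rules are out of scope here. */
    if (!ev->is_super && names_match(ev->db, tripwire_db) &&
        names_match(ev->table, tripwire_table)) {
        panic_mode = true;
        snprintf(last_alarm, sizeof last_alarm,
                 "tripwire: honeypot %s.%s accessed by connection %lu",
                 ev->db, ev->table, ev->connection_id);
        fprintf(stderr, "%s\n", last_alarm);   /* the "buzzer" */
        return 1;
    }
    return 0;
}

/* Re-arm after the DBA has assessed the damage. Only a DBA may do it. */
bool tripwire_reset(bool is_super) {
    if (!is_super) return false;
    panic_mode = false;
    last_alarm[0] = '\0';
    return true;
}

int main(void) {
    /* Constructed sample events: a lateral-movement recon query, the
       honeypot SELECT, and the DBA checking in afterwards. */
    struct access_event recon = { 42, "hr", "employees", false };
    struct access_event honey = { 42, "hr", "salaries",  false };
    struct access_event dba   = { 7,  "hr", "salaries",  true  };

    printf("recon -> %s\n", tripwire_notify(&recon) ? "blocked" : "ok");
    printf("honey -> %s\n", tripwire_notify(&honey) ? "blocked" : "ok");
    printf("recon -> %s (panic mode)\n", tripwire_notify(&recon) ? "blocked" : "ok");
    printf("dba   -> %s\n", tripwire_notify(&dba) ? "blocked" : "ok");
    tripwire_reset(true);
    printf("recon -> %s (re-armed)\n", tripwire_notify(&recon) ? "blocked" : "ok");
    return 0;
}
```

The single `panic_mode` global is what makes the answer to the first question true for this model too: once one connection trips it, every non-SUPER session is refused until a DBA calls the reset, which is exactly the behaviour to keep in mind before deploying something like this on a busy server. The `is_super` flag is the only thing separating "DBA" from "attacker" here, so in a real plugin the privilege check is the part that must be right.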