Monitoring local database access(not via ethernet)

MingchunZhao · October 22, 2015, 12:36am

Would you have any plan for Packetbeat to deal with local access to a database?
Sorry for the question that might be a bit off-topic.

steffens · October 22, 2015, 2:32pm

Can you explain 'local access to a database'? packetbeat has protocol analysers for mysql and postgresql.

MingchunZhao · October 23, 2015, 5:26am

What I meant was that connections via Unix Domain Socket(or via PIPE,MEMORY on Windows) to MySQL,PostgreSQL.

The following is what I've tried:

First, connect with telnet to server where MySQL or PostgreSQL is running.
and then,

For MySQL

####sniffing a tcp connection succeeded:
shell> mysql --protocol=tcp -u xxx -p
####sniffing a socket connection failed:
shell> mysql --protocol=socket -u xxx -p

For PostgreSQL

####sniffing a tcp connection succeeded:
shell> psql -h localhost
####sniffing a socket connection failed:
shell> psql

steffens · October 26, 2015, 2:56pm

You are right, unix sockets or pipes are not supported. What's the exact usecase?

If you are worried by having you database open to public, restrict your database to bind the socket to localhost only. This way only localhost can access your database. Alternatively you can use socat to forward from unix socket to tcp port to get similar behavior for shell tool (or use alias in your shell).

packetbeat is mainly supposed to work on network traffic. Trying to get it to work with unix sockets might be some major effort to implement. On linux ptrace (approach used by strace) might be possible, or maybe even leveraging systemtap (not sure).

MingchunZhao · October 27, 2015, 4:35am

Hi Steffen,
It's so kind of you to answer this off-topic discussion.

My usecase is as follows:
Assuming I need to monitor privilege user access to database by Packetbeat in purpose of an audit,
It is very important to sniff on certain protocols including socket,pipe to meet security requirement(e.g. SOX).

So considering my usecase, the best thing is Packetbeat will be able to support unix socket or pipe,
However, those workarounds as you mentioned is very helpful for me,

Best Regards,
Mingchun

steffens · October 27, 2015, 3:32pm

Yeah, I'm not aware of any good sniffer for unix sockets. It might be possible by writing a kernel module (like SystemTap does) or use ptrace tricks. Using ptrace means basically writing a debugger attaching to all processes opening the unix socket (not recommended).

For very very simple auditing maybe SystemTap can be useful (basically uses kernel module approach). See this example sniffing unix sockets. Maybe you can find process name and uid of processes communicating.

But for application layer analysis and indexing having an active proxy (e.g. socat) might be the better option. When using socat you can debug/test approach using tcpdump. If required you can still try to disable pipe (unix sockets) in general forcing users to use TCP only.

MingchunZhao · October 28, 2015, 12:37am

Thanks for your detailed information on sniffing unix sockect.
I'll look into these approaches.