0.01
No release in over 3 years
Low commit activity in last 3 years
Log logins and queries for an emulated PostgreSQL server
 Project Readme

Sticky Elephant

Sticky Elephant is a medium-interaction PostgreSQL honeypot.

sticky_elephant [options]
    -c, --config CONFIG              Configuration file to read
    -h, --help                       Display this screen

Usage

Either install the gem and

% sticky_elephant

or clone the repo and

% ./bin/sticky_elephant

Configuration

sticky_elephant.conf is a YAML file that defines Sticky Elephant's behavior. You can tell Sticky Elephant what configuration file to use with -c. The configuration file looks like this:

:log_path: "./sticky_elephant.log"
:port: 5432
:host: 0.0.0.0
:debug: true
:abort_on_exception: false
:use_hpf: true
:hpf_host: 127.0.0.1
:hpf_port: 10000
:hpf_ident: 24b6875e-03f1-4c2a-b5b0-11af1f49e2bb
:hpf_secret: woofwoofcharlesisagooddog

host and port define the address and port to which Sticky Elephant binds; 0.0.0.0 listens on every interface, which is normally what you want for a honeypot facing the network you are watching. log_path is the file to which Sticky Elephant writes its application log. Do note that HPFeeds output goes to stdout and is separate from the application log. debug turns on debug-level logging; abort_on_exception kills threads when they encounter an exception. The hpf-prefixed options configure the HPFeeds server to which Sticky Elephant reports queries and connections: hpf_ident and hpf_secret are the credentials issued by that server, so replace the example values above with your own and keep the configuration file readable only by the user that runs the honeypot, since the secret is stored in plain text.
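As an added example (this is not code from sticky_elephant itself), the Ruby script below loads a configuration in the format shown above with Psych and reports the mistakes that matter before the honeypot starts: a missing key, a port outside the TCP range, use_hpf enabled without broker settings, a malformed hpf_ident, and the documentation placeholder left in hpf_secret. The embedded sample is the README's example config; the check names, the 16-character minimum for the secret and the world-readable file check are my own choices.

```ruby
# Added example, not part of sticky_elephant: load a sticky_elephant.conf
# (YAML with symbol keys, as in the README) and report configuration problems
# before the honeypot is started. Requires only the Ruby standard library.
require 'yaml'

# The README's example config, embedded so the script runs offline.
SAMPLE_CONFIG = <<~YAML
  :log_path: "./sticky_elephant.log"
  :port: 5432
  :host: 0.0.0.0
  :debug: true
  :abort_on_exception: false
  :use_hpf: true
  :hpf_host: 127.0.0.1
  :hpf_port: 10000
  :hpf_ident: 24b6875e-03f1-4c2a-b5b0-11af1f49e2bb
  :hpf_secret: woofwoofcharlesisagooddog
YAML

REQUIRED_KEYS = %i[log_path port host].freeze
HPF_KEYS = %i[hpf_host hpf_port hpf_ident hpf_secret].freeze
# Values that appear verbatim in documentation and must never reach a real broker.
PLACEHOLDER_SECRETS = %w[woofwoofcharlesisagooddog].freeze
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/
PORT_RANGE = (1..65_535).freeze

# Psych turns ":port"-style scalars into Symbols only when Symbol is permitted;
# safe_load still refuses arbitrary object deserialisation.
def load_config(text)
  cfg = YAML.safe_load(text, permitted_classes: [Symbol])
  raise ArgumentError, 'config must be a YAML mapping' unless cfg.is_a?(Hash)
  cfg
end

def valid_port?(value)
  value.is_a?(Integer) && PORT_RANGE.cover?(value)
end

# Returns human-readable problems; an empty list means the config is usable.
def validate_config(cfg)
  problems = []
  REQUIRED_KEYS.each { |k| problems << "missing required key #{k}" unless cfg.key?(k) }
  problems << "port #{cfg[:port].inspect} is not a TCP port" if cfg.key?(:port) && !valid_port?(cfg[:port])
  if cfg[:use_hpf]
    HPF_KEYS.each { |k| problems << "use_hpf is true but #{k} is missing" unless cfg.key?(k) }
    problems << "hpf_port #{cfg[:hpf_port].inspect} is not a TCP port" if cfg.key?(:hpf_port) && !valid_port?(cfg[:hpf_port])
    problems << 'hpf_ident is not a UUID' if cfg.key?(:hpf_ident) && !cfg[:hpf_ident].to_s.match?(UUID_RE)
    secret = cfg[:hpf_secret].to_s
    problems << 'hpf_secret is the documentation placeholder; use the secret your broker issued' if PLACEHOLDER_SECRETS.include?(secret)
    problems << 'hpf_secret is shorter than 16 characters' if cfg.key?(:hpf_secret) && secret.length < 16
  end
  problems
end

# The config holds the HPFeeds secret, so other local users should not be able to read it.
def world_readable?(path)
  (File.stat(path).mode & 0o004) != 0
end

# Usage: ruby check_config.rb /etc/sticky_elephant/sticky_elephant.conf
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  path = ARGV[0]
  problems = validate_config(load_config(File.read(path)))
  problems << "#{path} is world-readable; chmod 640 it" if world_readable?(path)
  puts(problems.empty? ? 'config OK' : problems)
  exit(problems.empty? ? 0 : 1)
end
```

Run against the README's example, the only finding is the placeholder secret; swap in a real secret and the check passes, which is the point of keeping it as a pre-start gate rather than discovering a broken HPFeeds login in the log later.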

Installation

You can just run sticky_elephant in a tmux session, and that certainly works. If you prefer to set things up a bit more carefully, create a sticky_elephant user with a home directory. Put your config file in /etc/sticky_elephant/sticky_elephant.conf and make it readable by the sticky_elephant user but by nobody else (for example owned by root:sticky_elephant with mode 0640), since it contains the HPFeeds secret. Then you can use this systemd service definition to run sticky_elephant at boot:

[Unit]
Description=sticky_elephant postgres honeypot
Documentation=https://github.com/ffleming/sticky_elephant
After=network.target

[Service]
# A relative log_path in the config (such as ./sticky_elephant.log) resolves against this directory.
WorkingDirectory=/home/sticky_elephant/
User=sticky_elephant
ExecStart=/usr/local/bin/sticky_elephant -c /etc/sticky_elephant/sticky_elephant.conf
SyslogIdentifier=sticky_elephant
# Recent systemd releases treat "syslog" here as "journal" and log a warning about it; on those
# you can drop these two lines (journal is the default) and read output with journalctl -t sticky_elephant.
StandardOutput=syslog
StandardError=syslog
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
KillMode=process

[Install]
WantedBy=default.target
Alias=sticky_elephant.service
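Once the service is up, it is worth confirming from a client's point of view that the listener behaves like PostgreSQL and that the connection and query show up in the log. The Ruby script below is an added example, not part of sticky_elephant: it speaks the PostgreSQL version 3 wire protocol directly (StartupMessage, a PasswordMessage if the server answers with a cleartext or MD5 challenge, then a simple Query) and records both sides of the exchange. The host, port, user, database, password and SQL are command-line or keyword defaults I chose; the MD5 response is included so the same probe works against a real server, since the README lists md5 authentication as still to do.

```ruby
# Added example, not part of sticky_elephant: a small PostgreSQL v3 wire-protocol
# client that records both sides of a startup + query exchange. Standard library only.
require 'socket'
require 'digest'

PROTOCOL_V3 = 196_608 # major 3, minor 0 packed into one Int32
AUTH_CODES = { 0 => 'AuthenticationOk', 3 => 'AuthenticationCleartextPassword',
               5 => 'AuthenticationMD5Password' }.freeze

# StartupMessage has no type byte: Int32 length, Int32 version, NUL-separated pairs, NUL.
def startup_message(user:, database:)
  body = [PROTOCOL_V3].pack('N') + "user\0#{user}\0database\0#{database}\0\0".b
  [body.bytesize + 4].pack('N') + body
end

# All other messages: 1-byte type, Int32 length (counting itself), payload.
def message(type, payload)
  type.b + [payload.bytesize + 4].pack('N') + payload.b
end

def query_message(sql)
  message('Q', "#{sql}\0")
end

def password_message(password)
  message('p', "#{password}\0")
end

# Answer to AuthenticationMD5Password: "md5" + md5(md5(password + user) + salt).
def md5_password(user, password, salt)
  'md5' + Digest::MD5.hexdigest(Digest::MD5.hexdigest(password + user) + salt)
end

# Split a byte stream into complete [type, payload] messages; return the leftover bytes.
def parse_messages(buf)
  msgs = []
  while buf.bytesize >= 5
    len = buf.byteslice(1, 4).unpack1('N')
    break if buf.bytesize < len + 1 # rest of this message has not arrived yet
    msgs << [buf.byteslice(0, 1), buf.byteslice(5, len - 4)]
    buf = buf.byteslice(len + 1, buf.bytesize - len - 1)
  end
  [msgs, buf]
end

# One-line rendering of a server message for the transcript.
def describe(type, payload)
  case type
  when 'R' then AUTH_CODES.fetch(payload.unpack1('N')) { |c| "Authentication(code #{c})" }
  when 'S' then "ParameterStatus #{payload.split("\0").join('=')}"
  when 'Z' then "ReadyForQuery(#{payload})"
  when 'E' then 'ErrorResponse ' + payload.split("\0").reject(&:empty?).map { |f| "#{f[0]}=#{f[1..]}" }.join(' ')
  when 'C' then "CommandComplete #{payload.chomp("\0")}"
  when 'T' then "RowDescription(#{payload.unpack1('n')} columns)"
  when 'D' then "DataRow(#{payload.unpack1('n')} fields)"
  when 'K' then 'BackendKeyData'
  else "#{type}(#{payload.bytesize} bytes)"
  end
end

# Deliver messages to the block until it returns :done, the server closes, or it stalls.
def each_message(sock, timeout)
  buf = ''.b
  loop do
    raise 'timed out waiting for the server' unless IO.select([sock], nil, nil, timeout)
    chunk = sock.recv(65_536)
    raise 'server closed the connection' if chunk.nil? || chunk.empty?
    buf << chunk.b
    msgs, buf = parse_messages(buf)
    msgs.each { |type, payload| return if yield(type, payload) == :done }
  end
end

# Connect, authenticate if asked, run one query, and return the transcript lines.
def probe(host, port, user: 'postgres', database: 'postgres', password: 'postgres',
          sql: 'SELECT version();', timeout: 5)
  transcript = []
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  emit = ->(label, bytes) { sock.write(bytes); transcript << "C: #{label}" }
  emit.call("StartupMessage user=#{user} database=#{database}", startup_message(user: user, database: database))
  each_message(sock, timeout) do |type, payload|
    transcript << "S: #{describe(type, payload)}"
    case type
    when 'R'
      code = payload.unpack1('N')
      emit.call('PasswordMessage (cleartext)', password_message(password)) if code == 3
      emit.call('PasswordMessage (md5)', password_message(md5_password(user, password, payload.byteslice(4, 4)))) if code == 5
    when 'E' then raise "startup rejected: #{describe(type, payload)}"
    when 'Z' then :done
    end
  end
  emit.call("Query #{sql}", query_message(sql))
  each_message(sock, timeout) do |type, payload|
    transcript << "S: #{describe(type, payload)}"
    :done if type == 'Z'
  end
  transcript
ensure
  sock&.close
end

# Usage: ruby pg_probe.rb HOST [PORT]; with no arguments nothing is contacted.
puts probe(ARGV[0], Integer(ARGV[1] || 5432)) if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
```

Run it once against the honeypot and once against a real PostgreSQL instance with the same arguments. Any difference in the ParameterStatus values, the authentication request, or the reply to SELECT version(); is exactly the fingerprinting surface that the anti-fingerprinting item in the to-do list refers to, and the honeypot's log should show the login and the query from each probe.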

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/betheroot/sticky_elephant.

To do

  • Support md5 authentication
  • Anti-fingerprinting
    • Mimic commands
      • \l
      • \d
      • \dt
  • Log user-selected database in handshake
  • Remove argument to Payload#to_s
  • Break up Payload into separate objects