CN104135483A - Automatic configuration management system for network security - Google Patents


Publication number
CN104135483A
Authority
CN
China
Prior art keywords
configuration
module
security
scanned
repository
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410387150.2A
Other languages
Chinese (zh)
Other versions
CN104135483B (en
Inventor
汪志
冯俊杰
胡家胜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Application filed by Individual
Priority to CN201410387150.2A
Publication of CN104135483A
Application granted
Publication of CN104135483B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an automatic configuration management system for network security. The automatic configuration management system comprises a configuration connection module and a daily operation module, wherein the configuration connection module is connected to an object to be scanned, wherein the object to be scanned comprises a combination of two or more of the following objects: network equipment, electronic equipment, a system and a database; the daily operation module is used for carrying out operation processing on the connected object to be scanned, wherein the operation processing at least comprises the following steps of: scanning a configuration file in the object to be scanned, positioning clauses with configuration defect in the configuration file, and carrying out security configuration repair on the clauses with configuration defect. The automatic configuration management system provided by the invention is capable of scanning a combined object, correctly positioning the improperly configured position in the combined object, and meanwhile, carrying out security configuration repair on the clauses with configuration defect (namely, improper configuration) of the combined object, so that the combined object conforms to the standard requirement of the configuration, and security of operation of the configuration file of the combined object is greatly improved.

Description

An automatic configuration management system for network security
Technical field
The present invention relates to the field of network security, and in particular to an automatic configuration management system for network security.
Background
With the development of network technology, the number of information security incidents is rising rapidly and the security situation gives no cause for optimism. According to statistics, in 2012 the National Internet Emergency Center (CNCERT) received a total of 19124 network security incident reports (not including scanning and spam incidents), an increase of 24.5% over 2011; CNCERT coordinated the handling of a total of 18805 network security incidents of various kinds in 2012, an increase of 72.1% over 2011. Overall, the number of network information security incidents in China has risen rapidly in recent years, directly affecting the rights and interests of Internet users and enterprises and hindering the healthy development of the industry; the overall information security situation gives no cause for optimism.
At present, most domestic enterprises still rely on installing antivirus software as their solution to information security problems, yet now that the Internet and the mobile Internet are highly developed, this measure falls far short of what enterprise network information security requires. The network administrators of most organizations, particularly those of small and medium-sized enterprises, have weak security awareness and a low level of security protection, and lack the ability or the will to complete even the most basic network security configuration, leaving the organization exposed to great security risk.
An analysis of a large number of attacks shows that the common means of attack are as follows:
Exploiting network and system vulnerabilities to penetrate;
Exploiting device configuration defects, such as encryption not enabled, no secure channel opened, root privileges not restricted, no effective access control enabled, etc.;
Exploiting business logic flaws to bypass security;
Using a large volume of traffic to carry out DDoS (Distributed Denial of Service) attacks.
Therefore, as long as devices, systems and software are securely configured, most security intrusion threats can be avoided. The related technologies for security configuration currently on the market fall mainly into two classes: the first class performs security configuration scanning on devices, systems and software to find where the configuration is non-compliant; the second class performs security configuration for an individual system or device.
However, both classes have obvious defects: the first class can only locate where the configuration is improper and cannot repair it according to the correct configuration; the second class can only repair an individual device or system and cannot cover different devices (such as network devices, security devices, etc.), different systems (such as Windows, Linux, etc.) and different software (such as Oracle, MySQL, etc.).
Summary of the invention
The object of the present invention is to provide an automatic configuration management system for network security that solves the above problems.
An embodiment of the present invention provides an automatic configuration management system for network security, comprising:
A configuration connection module, for connecting to an object to be scanned; wherein the object to be scanned comprises a combination of two or more of the following objects: network equipment, electronic equipment, a system and a database;
A daily operation module, for performing operation processing on the connected object to be scanned; wherein the operation processing at least comprises: scanning a configuration file in the object to be scanned, locating the entries with configuration defects in the configuration file, and performing security configuration repair on the entries with configuration defects.
Further, the system also comprises a login module;
The login module, for verifying the identity information entered by the user and entering the operation interface on correct identity information, so that the daily operation module can operate on the object to be scanned.
Further, the system also comprises a configuration repository management module and a system management module;
The configuration repository management module, for managing the upgrading, import and export of the configuration entries in the configuration repository, so that the daily operation module operates according to the configuration entries;
The system management module, for managing users' identity information and usage permissions, performing system maintenance and recording operation logs.
Further, in this system, the configuration connection module comprises: a network equipment connection module, an electronic equipment connection module and a software connection module;
The network equipment connection module connects to the equipment to be scanned;
The electronic equipment connection module connects to the system to be scanned;
The software connection module, for data transfer with the software to be scanned.
Further, in this system, the object to be scanned comprises a configuration file; the daily operation module comprises: a configuration scan module, a backup module, a configuration module and a configuration restore module;
The configuration scan module, for performing automatic security configuration scanning on the configuration file and outputting the scanning result;
The backup module, for backing up the configuration file;
The configuration module, for performing security configuration repair on the security configuration defects in the configuration file according to the scanning result;
The configuration restore module, for making the original configuration file automatically overwrite the file produced by the configuration module when the configuration module's configuration is identified as incorrect, to complete the configuration repair.
Further, in this system, the configuration module comprises: an automatic configuration module and a manual configuration module;
The automatic configuration module, for automatically performing security configuration repair on the security configuration defects in the configuration file according to the scanning result;
The manual configuration module, for performing security configuration repair on the security configuration defects in the configuration file according to the control command entered by the user.
Further, in this system, the daily operation module also comprises a report generation module;
The report generation module, for generating a report after the configuration scan module and/or the configuration module has finished; wherein the content of the report may comprise one or more of the following: the configuration scanning result, a list of the security configuration defects, the security risk level corresponding to each configuration defect, the automatically configured entries, the manually configured entries, and a comparison of the configuration before and after completion.
Further, in this system, the configuration file comprises a plurality of configuration entries; the configuration repository management module comprises a repository upgrade module, a repository import module and a repository export module;
The repository upgrade module, for upgrading and expanding the configuration entries of the configuration repository;
The repository import module, for importing configuration entries;
The repository export module, for exporting configuration entries.
Further, in this system, the configuration file comprises a security configuration baseline; wherein the security configuration baseline comprises a plurality of configuration entries;
The configuration scan module is for automatically identifying and reading the security configuration baseline in the configuration file and comparing it, entry by entry, with the corresponding pre-stored security configuration baseline in the configuration repository; configuration entries inconsistent with the security configuration baseline are determined to be security configuration defects, and the security configuration scanning result is output at the same time.
Further, in this system, the system management module comprises an authorization control module, a user management module, a system maintenance module, a system log module and an operation log module;
The authorization control module, for assigning management permissions to a first-level user according to the first-level user's identity information;
The user management module, for assigning management permissions to the subordinate users of the first-level user according to the subordinate users' identity information, and for managing the subordinate users' identity information;
The system maintenance module, for upgrading the whole system in a timely manner in order to maintain it;
The system log module, for logging the operation of the system;
The operation log module, for logging the operation of all modules.
Compared with the prior-art schemes, in which the first class of technology can only locate where the configuration is improper and cannot repair it according to the correct configuration, and the second class can only repair an individual device or system and cannot cover different devices (such as network devices, security devices, etc.), different systems (such as Windows, Linux, etc.) and different software (such as Oracle, MySQL, etc.), the automatic configuration management system for network security provided by the embodiment of the present invention comprises: a configuration connection module, for connecting to an object to be scanned, wherein the object to be scanned comprises a combination of two or more of the following objects: network equipment, electronic equipment, a system and a database; and a daily operation module, for performing operation processing on the connected object to be scanned, wherein the operation processing at least comprises: scanning a configuration file in the object to be scanned, locating the entries with configuration defects in the configuration file, and performing security configuration repair on the entries with configuration defects. The system provided by the invention can scan a combined object, correctly locate the improperly configured positions in the combined object, and at the same time perform security configuration repair on the entries of the combined object that have security defects (that is, improper configuration), so that the combined object conforms to the standard requirements of the configuration and the security of operation of the combined object's configuration file is greatly improved.
Brief description of the drawings
Fig. 1 shows a structural diagram of an automatic configuration management system for network security provided by an embodiment of the present invention;
Fig. 2 shows a structural diagram of the daily operation module in the automatic configuration management system for network security provided by an embodiment of the present invention;
Fig. 3 shows a structural diagram of the configuration repository management module in the automatic configuration management system for network security provided by an embodiment of the present invention;
Fig. 4 shows a structural diagram of the system management module in the automatic configuration management system for network security provided by an embodiment of the present invention;
Fig. 5 shows a flow chart of using the automatic configuration management system for network security provided by an embodiment of the present invention.
Embodiments
The present invention is described in further detail below through specific embodiments and with reference to the accompanying drawings.
An embodiment of the present invention provides an automatic configuration management system for network security which, as shown in Figure 1, comprises:
A configuration connection module 102, for connecting to an object to be scanned; wherein the object to be scanned comprises a combination of two or more of the following objects: network equipment, electronic equipment, a system and a database;
A daily operation module 103, for performing operation processing on the connected object to be scanned; wherein the operation processing at least comprises: scanning a configuration file in the object to be scanned, locating the entries with configuration defects in the configuration file, and performing security configuration repair on the entries with configuration defects.
Compared with the prior-art schemes, in which the first class of technology can only locate where the configuration is improper and cannot repair it according to the correct configuration, and the second class can only repair an individual device or system and cannot cover different devices (such as network devices, security devices, etc.), different systems (such as Windows, Linux, etc.) and different software (such as Oracle, MySQL, etc.), the automatic configuration management system for network security provided by the embodiment of the present invention comprises: the configuration connection module 102, for connecting to an object to be scanned, wherein the object to be scanned comprises a combination of two or more of the following objects: network equipment, electronic equipment, a system and a database; and the daily operation module 103, for performing operation processing on the connected object to be scanned, wherein the operation processing at least comprises: scanning a configuration file in the object to be scanned, locating the entries with configuration defects in the configuration file, and performing security configuration repair on the entries with configuration defects. The system provided by the invention can scan a combined object, correctly locate the improperly configured positions in the combined object, and at the same time perform security configuration repair on the entries of the combined object that have security defects (that is, improper configuration), so that the combined object conforms to the standard requirements of the configuration and the security of operation of the combined object's configuration file is greatly improved.
Specifically, the configuration connection module 102 can establish a configuration connection with the combined object to be scanned. The combined object may be one of 24 different combinations, such as: network equipment and electronic equipment; network equipment and a system; network equipment and a database; network equipment, electronic equipment and a system; network equipment, a system and a database; and network equipment, electronic equipment, a system and a database. The configuration connection module 102 uses different connection methods for different combined objects (described in the embodiments below).
Further, as shown in Figure 1, this system also comprises a login module 101;
The login module 101, for verifying the identity information entered by the user and entering the operation interface on correct identity information, so that the daily operation module 103 can operate on the object to be scanned.
Specifically, every user needs identity information in order to enter the operation interface and operate through the daily operation module 103.
The login module 101 classifies users into levels. Specifically, the levels are set according to the user's needs and the fee paid. For example, when a company has purchased this system, we can set the permissions opened to that company according to the fee it paid; each company can then in turn set the working permissions for each module according to the grade of its internal staff.
Further, as shown in Figure 1, this system also comprises a configuration repository management module 104 and a system management module 105;
The configuration repository management module 104, for managing the upgrading, import and export of the configuration entries in the configuration repository, so that the daily operation module 103 operates according to the configuration entries.
Specifically, the system has a configuration repository that stores many configuration files, each composed of a plurality of configuration entries. The configuration repository management module 104 follows the development of technology, managing the updating and expansion of configuration entries in real time and controlling the import and export of configuration entries as required.
The system management module 105, for managing users' identity information and usage permissions, performing system maintenance and recording operation logs.
Specifically, every user of the system needs identity information and permissions, and the system management module 105 manages this information in real time. It is also responsible for updating the system, keeping it running normally, logging the operation of the system, logging the operation of each module, and so on.
Further, as shown in Figure 2, in this system, the configuration connection module 102 comprises: a network equipment connection module, an electronic equipment connection module and a software connection module. The network equipment connection module connects to the equipment to be scanned (remotely via the Telnet or SSH protocol, or locally via the equipment's Console port); the electronic equipment connection module connects to the system to be scanned (remotely via Telnet, SSH, remote desktop (RDP), file sharing (SMB) and similar methods, or locally via a USB port); the software connection module (which connects remotely via TCP and UDP ports) is for data transfer with the software to be scanned.
In the present embodiment, network equipment refers specifically to equipment such as switches, hubs, bridges and routers; electronic equipment refers to equipment such as computers, tablet computers and mobile terminals; software is computer application software. Specifically, the electronic equipment connection module can connect to the electronic equipment to be scanned and to the system to be scanned.
Specifically, the network equipment connection module connects to the equipment to be scanned remotely via the Telnet or SSH protocol, or locally via the equipment's Console port. The electronic equipment connection module connects to the system to be scanned remotely via Telnet, SSH, remote desktop (RDP), file sharing (SMB) and similar methods, or locally via a USB port. Software is connected remotely via TCP and UDP ports.
Further, as shown in Figure 2, in this system, the object to be scanned comprises a configuration file; the daily operation module 103 comprises: a configuration scan module 201, a backup module 204, a configuration module 202 and a configuration restore module 203. The configuration scan module 201 is for performing automatic security configuration scanning on the configuration file and outputting the scanning result; the backup module 204 is for backing up the configuration file; the configuration module 202 is for performing security configuration repair on the security configuration defects in the configuration file according to the scanning result; the configuration restore module 203 is for making the original configuration file automatically overwrite the file produced by the configuration module 202 when the configuration of the configuration module 202 is identified as incorrect, to complete the configuration repair.
Specifically, the configuration scan module 201 scans the configuration file of the combined object. The scanning result is one of: the configuration file has no errors, or the configuration file has errors. When the configuration file has errors, the configuration scan module 201 marks the specific erroneous configuration entries. The purpose of the backup module 204 backing up the configuration file in the combined object is that, when the configuration module 202 does not correctly repair the erroneous configuration entries in the configuration file, the original erroneous configuration entries can overwrite the repaired entries again, restoring the original state so that the configuration module 202 can subsequently repair the erroneous configuration file correctly.
Further, as shown in Figure 2, in this system, the configuration module 202 comprises: an automatic configuration module 206 and a manual configuration module 207. The automatic configuration module 206 is for automatically performing security configuration repair on the security configuration defects in the configuration file according to the scanning result; the manual configuration module 207 is for performing security configuration repair on the security configuration defects in the configuration file according to the control command entered by the user.
Specifically, when the automatic configuration module 206 receives the output of erroneous configuration entries sent by the configuration scan module 201, it automatically performs security configuration repair on those entries. This avoids manual operation by the user, saves the user's labour, and is also a great convenience to users who are unable to perform the operation themselves.
Specifically, the output of the configuration scan module 201 lists the erroneous configuration entries item by item in the automatic configuration interface. After the entries to be configured are selected with check boxes, the selected entries are configured automatically; alternatively, one-click configuration can be chosen to automatically configure all erroneous configuration entries.
The manual configuration module 207, by contrast, takes no action when it receives the output of erroneous configuration entries sent by the configuration scan module 201; only after it receives the user's control command does it perform security configuration repair on the erroneous configuration entries.
Further, as shown in Figure 2, in this system, the daily operation module 103 also comprises a report generation module 205. The report generation module 205 is for generating a report after the configuration scan module 201 and/or the configuration module 202 has finished; wherein the content of the report may comprise one or more of the following: the configuration scanning result, a list of the security configuration defects, the security risk level corresponding to each configuration defect, the automatically configured entries, the manually configured entries, and a comparison of the configuration before and after completion.
Specifically, after the configuration scan module 201 finishes scanning, it outputs the scanning result. The report generation module 205 can then generate a report from this scanning result, so that the user can conveniently print, view and carry it. The content of the report at this point may comprise one or more of the following: the configuration scanning result, a list of the security configuration defects, and the security risk level corresponding to each configuration defect.
Similarly, after the configuration module 202 performs a configuration repair, it likewise outputs the repair result. The report generation module 205 can then generate a report from this repair result, so that the user can conveniently print, view and carry it. The content of the report at this point may comprise one or more of the following: the automatically configured entries, the manually configured entries, and a comparison of the configuration before and after completion.
Further, as shown in Figure 3, in this system, the configuration file comprises a plurality of configuration entries; the configuration repository management module 104 comprises a repository upgrade module 301, a repository import module 302 and a repository export module 303. The repository upgrade module 301 is for upgrading and expanding the configuration entries of the configuration repository; the repository import module 302 is for importing configuration entries; the repository export module 303 is for exporting configuration entries.
Specifically, the repository upgrade module 301 upgrades, updates and expands the configuration entries of the configuration repository in a timely manner, for example by deleting expired configuration entries, adding new configuration entries, or adjusting the order of the existing configuration entries.
The repository import module 302 and the repository export module 303 are for importing and exporting configuration entries when needed. For example, when a user needs to view or change a certain configuration entry, that entry must be exported, which is done through the repository export module 303. As another example, when the configuration entries in the configuration repository need to be upgraded by adding new configuration entries, the repository import module 302 is needed to import the new entries. Taken together, the repository import module 302 and the repository export module 303 serve to maintain the configuration repository.
Further, in this system, the configuration file comprises a security configuration baseline; wherein the security configuration baseline comprises a plurality of configuration entries. The configuration scan module 201 is for automatically identifying and reading the security configuration baseline in the configuration file and comparing it, entry by entry, with the corresponding pre-stored security configuration baseline in the configuration repository; configuration entries inconsistent with the security configuration baseline are determined to be security configuration defects, and the security configuration scanning result is output at the same time.
Specifically, in the combined object to be scanned, the configuration file comprises a security configuration baseline, and this security configuration baseline comprises a plurality of configuration entries. The configuration scan module 201 compares the security configuration baseline in the combined object to be scanned (which contains the specific configuration entries in order) with the security configuration baseline in the configuration repository (which likewise contains the specific configuration entries in order, in the same order as the configuration entries of the object being compared). The configuration entries in the object to be scanned that differ after the comparison are determined to be security configuration defects and are marked, and the scanning result is output at the same time.
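The scan, backup, repair and restore cycle described for modules 201 to 204, as an added Python example that is not part of the patent text. It works on one local file rather than a remotely connected object; the key/value file format, the four sshd-style baseline entries, the `.bak` backup name and the `verify` hook are assumptions made for illustration.

```python
import shutil
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed baseline (assumption): expected values for four sshd_config keywords.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a scanned configuration file.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 4
"""


class Defect(NamedTuple):
    key: str
    actual: Optional[str]  # None when the entry is missing from the file
    expected: str


def _split(line: str):
    """Return (lower-cased key, value) for a 'Key value' line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_entries(text: str) -> Dict[str, str]:
    """Map key -> value; the first occurrence of a key wins."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv:
            entries.setdefault(kv[0], kv[1])
    return entries


def scan(text: str, baseline: Dict[str, str] = BASELINE) -> List[Defect]:
    """Scan module: compare entry by entry, report mismatched or missing entries."""
    entries = parse_entries(text)
    return [Defect(key, entries.get(key.lower()), expected)
            for key, expected in baseline.items()
            if entries.get(key.lower()) != expected]


def repair(text: str, defects: List[Defect]) -> str:
    """Configuration module: rewrite defective entries, append missing ones."""
    wanted = {d.key.lower(): d for d in defects}
    out, fixed = [], set()
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] in wanted:
            if kv[0] not in fixed:  # rewrite first occurrence, drop duplicates
                out.append(f"{wanted[kv[0]].key} {wanted[kv[0]].expected}")
                fixed.add(kv[0])
            continue
        out.append(line)
    out += [f"{d.key} {d.expected}" for k, d in wanted.items() if k not in fixed]
    return "\n".join(out) + "\n"


def scan_and_repair(path: str, baseline: Dict[str, str] = BASELINE,
                    verify: Callable[[str], bool] = lambda p: True) -> dict:
    """Back up, repair, re-scan; restore the backup if the repair is not accepted.

    `verify` is a hypothetical hook standing in for whatever identifies an
    incorrect configuration (for example the target's own config self-test).
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    before = scan(original, baseline)
    report = {"before": before, "after": before, "rolled_back": False}
    if not before:
        return report
    backup = path + ".bak"
    shutil.copy2(path, backup)                      # backup module
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(repair(original, before))          # configuration module
    with open(path, encoding="utf-8") as fh:
        after = scan(fh.read(), baseline)
    if after or not verify(path):
        shutil.copy2(backup, path)                  # configuration restore module
        report["rolled_back"] = True
    else:
        report["after"] = after
    return report
```

The returned `before` and `after` lists are the raw material for the before/after comparison that the report generation module is described as producing.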
Further, as shown in Figure 4, in this system, the system management module 105 comprises an authorization control module 401, a user management module 402, a system maintenance module 403, a system log module 404 and an operation log module 405. The authorization control module 401 is for assigning management permissions to a first-level user according to the first-level user's identity information; the user management module 402 is for assigning management permissions to the subordinate users of the first-level user according to the subordinate users' identity information, and for managing the subordinate users' identity information; the system maintenance module 403 is for upgrading the whole system in a timely manner in order to maintain it; the system log module 404 is for logging the operation of the system; the operation log module 405 is for logging the operation of all modules.
Specifically, the first-level user can be a company, a team or an individual. If the first-level user is a company, its subordinate users can be the staff of the company, who can be divided into further levels according to their positions. If the first-level user is a team, its subordinate users can be the members of the team, who can likewise be divided into further levels according to their division of work. If the first-level user is an individual, that first-level user has no subordinate users, or its subordinate users are the persons it authorizes to use the system.
The user management module 402 is also for managing users' identity information, for example updating, deleting, adding and saving it.
The system maintenance module 403 is for upgrading the whole system in a timely manner and managing its start-up, shutdown and normal operation; when the system runs incorrectly, it repairs the system promptly and issues a warning (the warning can be an audible prompt or a text prompt). The system log module 404 is for logging the running state of the system, such as start-up, shutdown and system failures, so that the user can check the running state at any time. The operation log module 405 is for logging the operation of all modules, so that the user can check their running state at any time and, when a module malfunctions, promptly find the module at fault.
Based on the above automatic configuration management system for network security, the workflow of the present invention is as follows, as shown in Figure 5:
1001: Start the network security automatic configuration management system. The host on which the system runs must hold a usage licence and must be able to reach the objects to be configured remotely.
1002: The system login module controls login behaviour. Users log in with the username and password that correspond to their role, and users with different roles can use different functional modules. For example, an administrator can operate only the system login module, the repository administration module and the system management module; an operator can operate only the daily operation module and the configuration connection module.
1003: The configuration connection module establishes remote connections to devices, systems and software. The main connection methods are Telnet, SSH, remote desktop and remote sharing. The connection procedure is: connect remotely to the host or network device to be configured → enter the administrator username and password to log in remotely → further enter the username and password of the relevant software (such as a database or middleware) to connect to it → confirm that configuration operations can be carried out.
1004: Once the connection succeeds, the configuration scan module 201 automatically scans the security configuration of the devices, systems and software. The method is to automatically identify and read the key entries in the configuration file and compare them one by one with the corresponding security configuration baseline in the repository. Any configuration that is inconsistent with the baseline is defined as a security configuration defect, and the security configuration scan result is output.
1005: Check the output of the security configuration scan and confirm whether any security configuration defects exist.
1006: Where the result shows configuration defects, either the automatic configuration module 202 or the manual configuration module 202 can be selected to repair the security configuration. The automatic configuration module 202 performs a one-click automatic configuration operation on all configuration defects. The manual configuration module 202 lets the user select one or several of the defects according to the user's own needs and then either run the automatic configuration operation on them or manually enter the relevant configuration commands.
1007: After automatic or manual configuration has been carried out, confirm whether the configuration of the devices, systems and software is correct and whether any abnormal conditions exist.
1008: If an incorrect configuration is identified, the configuration restore module 203 can be used. This module backs up the configuration file of the device or software under test before the automatic or manual configuration operation is carried out. If an incorrect configuration occurs, the user only needs to click the configuration restore option, and the previously backed-up configuration file automatically overwrites the current one, completing the configuration restore.
In addition, after the configuration scan and the automatic or manual configuration operation have been carried out, the report generation module 205 can be used to generate a report. The report may contain: the configuration scan result, a list of the security configuration defects, the security risk level of each configuration defect, the entries configured automatically or manually, a before-and-after comparison of the configuration, and similar information.
All operations of the network security automatic configuration management system are logged by the system log module and the operation log module, and the log records can be queried and analysed.
1009: After all operations have been completed, the task can be ended. Previous task operations are recorded in the task list, which makes later review and repetition convenient.
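The scan, backup, repair and restore steps (1004 to 1008) can be sketched as follows. This is an added example, not code from the patent: the baseline contents, the sample configuration, the "key value" file format and all function names are assumptions made for illustration.

```python
# Added example: baseline scan, backup, repair and restore (steps 1004-1008).
# BASELINE and SAMPLE_CONFIG are constructed; the "key value" format is assumed.

BASELINE = {  # stands in for the repository's security configuration baseline
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
}

SAMPLE_CONFIG = """\
# constructed sample in sshd_config style
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
"""


def parse(text):
    """Map each active key to (line index, value); comments and blanks are skipped."""
    entries = {}
    for idx, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, *rest = stripped.split(None, 1)
        entries.setdefault(key, (idx, rest[0] if rest else ""))  # first one wins
    return entries


def scan(text, baseline):
    """Step 1004: compare entry by entry; a mismatch or missing key is a defect."""
    entries = parse(text)
    defects = []
    for key, expected in baseline.items():
        idx, found = entries.get(key, (None, None))
        if found != expected:
            defects.append({"key": key, "line": idx,
                            "found": found, "expected": expected})
    return defects


def repair(text, baseline, selected=None):
    """Step 1006: back up, then fix all defects (None) or only the selected keys."""
    backup = text  # taken before any change, so a restore is always possible
    lines = text.splitlines()
    for d in scan(text, baseline):
        if selected is not None and d["key"] not in selected:
            continue
        entry = f'{d["key"]} {d["expected"]}'
        if d["line"] is None:
            lines.append(entry)       # key absent or commented out: add it
        else:
            lines[d["line"]] = entry  # rewrite only the defective line
    return "\n".join(lines) + "\n", backup


def repair_with_restore(text, baseline, selected=None, healthy=lambda cfg: True):
    """Steps 1007-1008: keep the repaired file only if it verifies, else restore."""
    repaired, backup = repair(text, baseline, selected)
    targeted = set(baseline) if selected is None else set(selected)
    remaining = [d for d in scan(repaired, baseline) if d["key"] in targeted]
    if remaining or not healthy(repaired):
        return backup, False
    return repaired, True
```

The commented-out `PasswordAuthentication` line is reported as a missing entry, because a comment is not an active setting. The `healthy` callback stands in for the post-change confirmation of step 1007, for example a syntax check of the repaired file.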
The system provided by the invention can scan a combined object and correctly locate the improperly configured positions in it, and at the same time carry out security configuration repair on the entries of the combined object that have security defects (that is, improper configuration), so that the combined object conforms to the configuration requirements.
Obviously, those skilled in the art should understand that each of the above modules or steps of the present invention can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into an individual integrated circuit module; or several of the modules or steps can be made into a single integrated circuit module. The present invention is therefore not restricted to any specific combination of hardware and software.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention. For a person skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. An automatic configuration management system for network security, characterized in that it comprises:
a configuration connection module, for connecting to an object to be scanned; wherein said object to be scanned comprises a combination of two or more of the following objects: a network device, an electronic device, a system and a database;
a daily operation module, for carrying out operation processing on said object to be scanned after connection; wherein said operation processing at least comprises: scanning the configuration file in said object to be scanned, locating the entries with configuration defects in said configuration file, and carrying out security configuration repair on said entries with configuration defects.
2. The system according to claim 1, characterized in that it further comprises a login module;
said login module is for verifying the identity information entered by the user and, when said identity information is correct, entering the operation interface, so that said daily operation module can operate on said object to be scanned.
3. The system according to claim 1, characterized in that it further comprises a repository administration module and a system management module;
said repository administration module is for managing the upgrading, import and export of the configuration entries in the configuration repository, so that said daily operation module operates according to said configuration entries;
said system management module is for managing users' identity information and usage rights, carrying out system maintenance and recording running logs.
4. The system according to claim 1, characterized in that said configuration connection module comprises: a network device connection module, an electronic device connection module and a software connection module;
said network device connection module is connected to the device to be scanned;
said electronic device connection module is connected to the system to be scanned;
said software connection module is for carrying out data transmission with the software to be scanned.
5. The system according to claim 4, characterized in that said object to be scanned comprises a configuration file; said daily operation module comprises: a configuration scan module, a backup module, a configuration module and a configuration restore module;
said configuration scan module is for carrying out an automatic security configuration scan of said configuration file and outputting a scan result;
said backup module is for backing up said configuration file;
said configuration module is for carrying out, according to said scan result, security configuration repair on the security configuration defects in said configuration file;
said configuration restore module is for, when an incorrect configuration by said configuration module is identified, making said configuration file automatically overwrite the file configured by the configuration module, so as to complete the configuration repair.
6. The system according to claim 5, characterized in that said configuration module comprises: an automatic configuration module and a manual configuration module;
said automatic configuration module is for carrying out, according to said scan result, automatic security configuration repair on the security configuration defects in said configuration file;
said manual configuration module is for carrying out, according to control commands entered by the user, security configuration repair on the security configuration defects in said configuration file.
7. The system according to claim 6, characterized in that said daily operation module further comprises a report generation module;
said report generation module is for generating a report after said configuration scan module and/or said configuration module has finished; wherein the content of said report may comprise one or more of the following: the configuration scan result, a list of the security configuration defects, the security risk level of each configuration defect, the automatically configured entries, the manually configured entries, and comparison information from before and after the configuration.
8. The system according to claim 7, characterized in that said configuration file comprises a plurality of configuration entries; said repository administration module comprises a repository upgrade module, a repository import module and a repository export module;
said repository upgrade module is for upgrading and expanding said configuration entries of the repository;
said repository import module is for importing said configuration entries;
said repository export module is for exporting said configuration entries.
9. The system according to claim 8, characterized in that said configuration file comprises a security configuration baseline; wherein said security configuration baseline comprises a plurality of said configuration entries;
said configuration scan module is for automatically identifying and reading the security configuration baseline in said configuration file and comparing it one by one with the corresponding pre-stored security configuration baseline in the repository; configuration entries that are inconsistent with said security configuration baseline are defined as security configuration defects, and the security configuration scan result is output.
10. The system according to claim 9, characterized in that said system management module comprises an authorization control module, a user management module, a system maintenance module, a system log module and an operation log module;
said authorization control module is for assigning administration authority to the first-level user according to the identity information of said first-level user;
said user management module is for assigning administration authority to the subordinate users of said first-level user according to the identity information of said subordinate users, and for managing the identity information of said subordinate users;
said system maintenance module is for upgrading the whole system in a timely manner, so as to maintain the system;
said system log module is for logging the operation of the system;
said operation log module is for logging the operation of all modules.
CN201410387150.2A 2014-06-13 2014-08-05 Automatic configuration management system for network security Active CN104135483B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410387150.2A CN104135483B (en) 2014-06-13 2014-08-05 Automatic configuration management system for network security

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201410260506 2014-06-13
CN201410260506.6 2014-06-13
CN2014102605066 2014-06-13
CN201410387150.2A CN104135483B (en) 2014-06-13 2014-08-05 Automatic configuration management system for network security

Publications (2)

Publication Number Publication Date
CN104135483A true CN104135483A (en) 2014-11-05
CN104135483B CN104135483B (en) 2018-05-18

Family

ID=51808005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410387150.2A Active CN104135483B (en) 2014-06-13 2014-08-05 Automatic configuration management system for network security

Country Status (1)

Country Link
CN (1) CN104135483B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897489A (en) * 2016-06-21 2016-08-24 浪潮(北京)电子信息产业有限公司 Automatic compliance configuration method and device for cloud data centre server
CN107204969A (en) * 2016-03-18 2017-09-26 卡巴斯基实验室股份制公司 Eliminate the method and system of the leak on data network
CN107204869A (en) * 2016-03-18 2017-09-26 卡巴斯基实验室股份制公司 Eliminate the method and system of the leak of intelligent apparatus
CN107403100A (en) * 2017-08-08 2017-11-28 四川长虹电器股份有限公司 Baseline configuration automated detection system and method
CN107423345A (en) * 2017-05-16 2017-12-01 郑州云海信息技术有限公司 A kind of configuration file management method, equipment and system
CN108833358A (en) * 2018-05-22 2018-11-16 郑州云海信息技术有限公司 A kind of management method and system of security baseline

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536485A (en) * 2003-04-11 2004-10-13 Data maintenance, backup and recovery system and its method
CN101106480A (en) * 2007-06-27 2008-01-16 杭州华三通信技术有限公司 Configuration backup method, system and configuration file server and managed devices
CN101605134A (en) * 2009-06-30 2009-12-16 成都市华为赛门铁克科技有限公司 Network security scan method, Apparatus and system
CN102436402A (en) * 2011-03-29 2012-05-02 奇智软件(北京)有限公司 Module repairing method in software and software equipment
CN102541729A (en) * 2010-12-31 2012-07-04 航空工业信息中心 Detection device and method for security vulnerability of software
CN103049343A (en) * 2011-10-14 2013-04-17 腾讯科技(深圳)有限公司 Method and device for restoring operating system blue screen
CN103632098A (en) * 2012-08-21 2014-03-12 腾讯科技(深圳)有限公司 Method and device for repairing bugs

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ITIANYUAN: "蓝盾漏洞扫描器技术白皮书", 《百度文库》 *
YUHUA QI,ET AL.: "Using automated program repair for evaluating the effectiveness of fault localization techniques", 《PROCEEDINGS OF THE 2013 INTERNATIONAL SYMPOSIUM ON SOFTWARE TESTING AND ANALYSIS.ACM》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107204969A (en) * 2016-03-18 2017-09-26 卡巴斯基实验室股份制公司 Eliminate the method and system of the leak on data network
CN107204869A (en) * 2016-03-18 2017-09-26 卡巴斯基实验室股份制公司 Eliminate the method and system of the leak of intelligent apparatus
CN107204969B (en) * 2016-03-18 2020-07-17 卡巴斯基实验室股份制公司 Method and system for eliminating vulnerabilities on data networks
CN107204869B (en) * 2016-03-18 2020-07-17 卡巴斯基实验室股份制公司 Method and system for eliminating vulnerability of intelligent device
CN105897489A (en) * 2016-06-21 2016-08-24 浪潮(北京)电子信息产业有限公司 Automatic compliance configuration method and device for cloud data centre server
CN107423345A (en) * 2017-05-16 2017-12-01 郑州云海信息技术有限公司 A kind of configuration file management method, equipment and system
CN107403100A (en) * 2017-08-08 2017-11-28 四川长虹电器股份有限公司 Baseline configuration automated detection system and method
CN108833358A (en) * 2018-05-22 2018-11-16 郑州云海信息技术有限公司 A kind of management method and system of security baseline

Also Published As

Publication number Publication date
CN104135483B (en) 2018-05-18

Similar Documents

Publication Publication Date Title
US8726393B2 (en) Cyber security analyzer
CN104135483A (en) Automatic configuration management system for network security
US20190342341A1 (en) Information technology governance and controls methods and apparatuses
US20140317681A1 (en) Cloud forensics
US10462148B2 (en) Dynamic data masking for mainframe application
US20070198610A1 (en) System and method for backing up a database
CN101447113A (en) Method for building Internet browser-based self-service client terminals
KR101649909B1 (en) Method and apparatus for virtual machine vulnerability analysis and recovery
CN110971464A (en) Operation and maintenance automatic system suitable for disaster recovery center
CN116155531A (en) Method and device for network equipment security management based on SOAR and electronic equipment
CN110768963B (en) Trusted security management platform with distributed architecture
CN115941743A (en) Method and system for identity authentication and data backup
CN116226865A (en) Security detection method, device, server, medium and product of cloud native application
CN114745203A (en) Method and device for monitoring full life cycle of user account
CN109257213B (en) Method and device for judging computer terminal access verification failure
KR102192232B1 (en) System for providing verification and guide line of cyber security based on block chain
CN111614620A (en) Database access control method, system and storage medium
Cornelius et al. Recommended practice: Creating cyber forensics plans for control systems
US20240089283A1 (en) System and method for centralized cybersecurity configuration compliance management
Moric et al. ENTERPRISE TOOLS FOR DATA FORENSICS.
US20100211734A1 (en) Maintaining method for external controller-based storage apparatus and maintenance system for storage apparatus
Boyens et al. Validating the Integrity of Computing Devices
US11368377B2 (en) Closed loop monitoring based privileged access control
CN108268796A (en) A kind of outline management method and device based on offline cryptogram
Osaji Framework Compliance Assessment Report Version 1.0

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant