CN115348186A - Method, device and storage medium for managing security reference in container environment - Google Patents

Info

Publication number: CN115348186A
Authority: CN (China)
Prior art keywords: scanning, security, strategy, control, policy
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202211272818.XA
Other languages: Chinese (zh)
Inventors: 花磊, 张秋峰, 崔骥, 赵安全, 王亮, 马云浩, 李志鹏
Current assignee: Jiangsu Boyun Technology Co ltd
Original assignee: Jiangsu Boyun Technology Co ltd
Priority to: CN202211272818.XA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the technical field of data processing, and in particular to a method, device and storage medium for managing a security benchmark in a container environment. The management method comprises: displaying a security management main interface, which comprises a security scanning control; after receiving an operation acting on the security scanning control, displaying a security scanning display interface, which comprises a policy control; after receiving an operation acting on the policy control, displaying a security scanning policy display interface, which comprises a new-policy control; after receiving an operation acting on the new-policy control, displaying a policy configuration interface, which comprises a policy configuration area; receiving policy configuration information through the policy configuration area; and generating a security scanning policy based on the policy configuration information. The method can solve the problem of low maintenance efficiency of the container environment.

Description

Method, device and storage medium for managing security reference in container environment
Technical Field
The present application relates to the field of software security, and in particular, to a method, device, and storage medium for managing a security reference in a container environment.
Background
With the rapid development of cloud computing and big data, new technical frameworks emerge constantly, and the container environment has emerged along with them. For the container environment, security is a problem that never goes away, and improving the security of the container environment is of great importance to its development. Security scanning of the container environment is an essential means of protecting it.
A conventional security scan consists of using the security scanning capability provided by the CIS and binary tools, operated manually, to scan the container environment.
However, performing a security scan of the container environment manually with the CIS and binary tools requires not only knowledge of the container environment itself and of the points involved in its security, but also learning how to use the CIS and binary tools, so the learning threshold is high and the maintenance efficiency of the container environment is low.
Disclosure of Invention
The present application provides a method for managing a security benchmark in a container environment, which can solve the problem of low maintenance efficiency of the container environment, and provides the following technical scheme:
In a first aspect, a method for managing a security benchmark in a container environment is provided, including: displaying a security management main interface, which comprises a security scanning control; after receiving an operation acting on the security scanning control, displaying a security scanning display interface, which comprises a policy control; after receiving an operation acting on the policy control, displaying a security scanning policy display interface, which comprises a new-policy control; after receiving an operation acting on the new-policy control, displaying a policy configuration interface, which comprises a policy configuration area; receiving policy configuration information through the policy configuration area; and generating a security scanning policy based on the policy configuration information.
Optionally, the security scanning control includes a center scanning control corresponding to the Center for Internet Security (CIS), a vulnerability scanning control corresponding to container environment vulnerabilities, and an authority scanning control corresponding to container environment authorities.
Optionally, where the security scanning control is the center scanning control, displaying a security scanning display interface after receiving an operation applied to the security scanning control includes: after receiving an operation acting on the center scanning control, displaying a center scanning display interface, which comprises a center scanning configuration file control, a center scanning policy control and a center scanning report control.
Optionally, before generating the security scanning policy based on the policy configuration information, the method further includes: performing parameter verification on the policy configuration information to obtain a verification result; and, where the verification result indicates that the policy configuration information failed verification, displaying in the policy configuration area the parameters that the verification indicates failed.
Optionally, the security scanning display interface includes a policy display area; the policy display area comprises, for each security scanning policy, an enable-state control and a policy editing control; the enable-state control is used to enable or disable the security scanning policy; while the security scanning policy is disabled, a policy editing interface is displayed upon receiving an operation acting on the policy editing control; the policy editing interface is used to edit the security scanning policy.
Optionally, after generating the security scanning policy based on the policy configuration information, the method further includes: creating a scanning task based on the security scanning policy; performing a security scan of the container environment through the scanning task to obtain a scanning result; and generating a scanning report based on the scanning result and saving the scanning report.
Optionally, the policy configuration information includes a reserved number of scan reports; where the number of saved scan reports exceeds the reserved number, a designated scan report is deleted.
Optionally, the policy configuration information includes a scanning period, which indicates the period at which the scanning task is executed; creating the scanning task based on the security scanning policy includes: creating a periodic scanning task based on the scanning period; the periodic scanning task generates a single scanning task according to the scanning period.
In a second aspect, an electronic device is provided, which includes a memory, a controller, and a computer program stored in the memory and executable on the controller; the controller implements the steps of the method for managing a security benchmark in a container environment when executing the computer program.
In a third aspect, a computer-readable storage medium is provided, in which a program is stored; when executed by a processor, the program implements the method for managing a security benchmark in a container environment provided in the first aspect.
The beneficial effects of this application include at least the following. By displaying a security management main interface comprising a security scanning control; displaying a security scanning display interface comprising a policy control after receiving an operation acting on the security scanning control; displaying a security scanning policy display interface comprising a new-policy control after receiving an operation acting on the policy control; displaying a policy configuration interface comprising a policy configuration area after receiving an operation acting on the new-policy control; receiving policy configuration information through the policy configuration area; and generating a security scanning policy based on the policy configuration information, the problem of low maintenance efficiency of the container environment can be solved. Because the security scanning policy is generated from configuration information entered in the policy configuration interface, the CIS and binary tools do not need to be operated manually to scan the container environment, so the learning threshold of security scanning is lowered and the maintenance efficiency of the container environment is improved.
In addition, the security scanning control comprises a center scanning control corresponding to the CIS, a vulnerability scanning control corresponding to container environment vulnerabilities and an authority scanning control corresponding to container environment authorities; by setting scanning policies for the CIS benchmark, the authorities and the vulnerabilities of the container environment, the container environment is scanned from multiple angles, so its security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments or the technical solutions in the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic illustration of management of a security benchmark in a container environment provided by one embodiment of the present application;
FIG. 2 is a schematic diagram of a configuration file presentation interface provided by one embodiment of the present application;
FIG. 3 is a schematic diagram of a vulnerability scanning presentation interface according to an embodiment of the present application;
FIG. 4 is a diagram illustrating a newly added center scanning strategy according to an embodiment of the present application;
FIG. 5 is a schematic diagram of parameter checking provided by an embodiment of the present application;
FIG. 6 is a diagram illustrating the creation of a scan job provided by one embodiment of the present application;
FIG. 7 is a schematic diagram of a central scan report presentation interface provided by one embodiment of the present application;
FIG. 8 is a block diagram of an apparatus for managing security references in a container environment according to an embodiment of the present application;
FIG. 9 is a block diagram of an electronic device provided by an embodiment of the application.
Detailed Description
The technical solutions of the present application will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are only some embodiments of the present application, but not all embodiments. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In this application, where the context does not dictate to the contrary, the use of directional terms such as "upper, lower, top, bottom" generally refers to the orientation as shown in the drawings, or to the component itself in a vertical, perpendicular, or gravitational orientation; likewise, for ease of understanding and description, "inner and outer" refer to the inner and outer relative to the profile of the components themselves, but the above directional words are not intended to limit the application.
First, a number of terms referred to in the present application will be described.
Container environment (Kubernetes, K8s): an open source system for automatically deploying, scaling and managing containerized applications.
Custom Resource Definition (CRD): a mechanism that lets a user define new resource types, used to extend the functions of the container environment.
Custom Resource (CR): an entity resource that runs in the container environment after the user has defined the resource type.
Cron Schedule: used to configure planned work to run at an appointed time.
Policy control manager (securitron Controller Manager): used for packaging, deploying and managing applications of the container environment and for extending its functions.
Center for Internet Security (CIS): a free security defense solution for the internet provided by a non-profit organization.
CIS Benchmark profile: configuration information about the CIS benchmark.
CIS Benchmark resource: a globally recognized, consensus-driven set of best practices intended to help security practitioners implement and manage their cyber-security defenses.
Vulnerability scanning tool resource (Kubehunter): an open source tool for penetration testing in a container environment.
Authority scanning tool resource (Kubeaudit): a command-line auditing tool for cluster security in a container environment.
Resource observer (KubeWatch): a custom resource monitoring viewer in the container environment, which watches for changes to specified custom resources and publishes those changes as notifications to available channels.
The method for managing a security benchmark in a container environment according to the present application is described in detail below.
As shown in FIG. 1, an embodiment of the present application provides a method for managing a security benchmark in a container environment. The method may be implemented by a computer program running on a computer device such as a smartphone, tablet computer or personal computer, or on a server; this embodiment does not limit the subject that executes the method. The method comprises at least the following steps:
Step 101: display a security management main interface, which comprises a security scanning control.
The security scanning control is used to display a security scanning display interface after receiving an operation acting on it.
Step 102: after receiving an operation acting on the security scanning control, display a security scanning display interface; the security scanning display interface includes a policy control.
In this embodiment, the security scanning control includes a center scanning control corresponding to the CIS in a container environment, a vulnerability scanning control corresponding to vulnerabilities of the container environment, and an authority scanning control corresponding to authorities of the container environment.
Correspondingly, the security scanning display interface comprises a center scanning display interface for the CIS, a vulnerability scanning display interface for container environment vulnerabilities and an authority scanning display interface for container environment authorities.
The policy control comprises a vulnerability scanning policy control in the vulnerability scanning display interface, an authority scanning policy control in the authority scanning display interface and a center scanning policy control in the center scanning display interface.
In this embodiment, the policy control is configured to display the policy display interface after receiving an operation acting on it.
The security scanning display interface also comprises a report control; correspondingly, the report control comprises a vulnerability scanning report control in the vulnerability scanning display interface, an authority scanning report control in the authority scanning display interface and a center scanning report control in the center scanning display interface.
In this embodiment, the report control is configured to display a security scan report display interface after receiving an operation acting on it.
In addition, the center scanning display interface also comprises a configuration file control, which is used to display a configuration file display interface after receiving an operation acting on it.
Referring to FIG. 2, the "K8S-CIS Scan" control in the figure is the center scanning control, and the "CIS profile" control is the configuration file control. After receiving an operation acting on the CIS configuration file control, a configuration file display interface is displayed. It comprises a new-configuration-file control and a configuration file display area, and the display area shows the file name, file description and general use cases.
A new configuration file can be created through the new-configuration-file control. The configuration file comprises a file template, a file name, a file description, skipped cases, selected cases and the like; the specific contents of the configuration file are not limited here.
Each configuration file has a corresponding configuration editing control and configuration deleting control. The editing control is used to edit the specific content of the configuration file, and the deleting control is used to delete the corresponding configuration file.
Step 103: after receiving an operation acting on the policy control, display a policy display interface; the policy display interface comprises a new-policy control.
The new-policy control is used to create a new security scanning policy.
Specifically, the security scanning display interface includes a policy display area, which comprises, for each security scanning policy, an enable-state control and a policy editing control; the enable-state control is used to enable or disable the corresponding security scanning policy.
The security scanning policy can be edited while it is disabled.
Specifically, editing the security scanning policy includes: displaying a policy editing interface upon receiving an operation acting on the policy editing control; the policy editing interface is used to edit the security scanning policy; receiving edit information for the security scanning policy through the policy editing interface; and editing the security scanning policy using the edit information.
For example, referring to FIG. 3 and taking the vulnerability scanning policy as the security scanning policy: while the vulnerability scanning policy is disabled, it is edited by receiving an operation acting on the "edit" control in the figure, that is, the policy editing control.
Step 104: after receiving an operation acting on the new-policy control, display a policy configuration interface; the policy configuration interface includes a policy configuration area.
The policy configuration area is used to receive policy configuration information, that is, the configuration information of the security scanning policy.
Step 105: receive policy configuration information through the policy configuration area.
Step 106: generate a security scanning policy based on the policy configuration information.
In this embodiment, the policy configuration area further includes a policy generation control, and the security scanning policy is generated after receiving an operation acting on the policy generation control.
For example, referring to FIG. 4 and taking a newly added center scanning policy as an example, the "determine" control in the figure is the policy generation control. After the policy configuration information has been received, an operation acting on the "determine" control is received and a new center scanning policy is generated.
In this embodiment, because the policy configuration information may contain errors, and a security scan cannot be performed if it does, parameter verification must also be performed on the policy configuration information before the security scanning policy is generated from it.
Specifically, before generating the security scanning policy based on the policy configuration information, the method further includes: performing parameter verification on the policy configuration information to obtain a verification result; and, where the verification result indicates that the policy configuration information failed verification, displaying in the policy configuration area the parameters that the verification indicates failed.
For example, referring to FIG. 5, parameter verification is performed on the policy configuration information; if it fails, the parameters that failed verification are displayed in the policy configuration area, and if it passes, the security scanning policy is generated.
Further, after the security scanning policy is edited, the method further includes: performing parameter verification on the edit information of the security scanning policy.
For example, referring to FIG. 5: while the security scanning policy is disabled, it is edited; the edit information is parameter-verified; if it passes, the edited security scanning policy is generated and displayed in the security scanning policy display interface through data synchronization. Data synchronization may be handled by the resource observer (KubeWatch); the specific implementation of the resource observer is not described here.
In this embodiment, after the security scanning policy is generated, a scanning task must be created from it in order to carry out security scanning of the container environment.
Specifically, after generating the security scanning policy based on the policy configuration information, the method further includes: creating a scanning task based on the security scanning policy; and performing a security scan of the container environment through the scanning task to obtain a scanning result.
Creating the scanning task based on the security scanning policy means that the policy control manager (secure Controller Manager) watches for the creation of Custom Resources (CRs); when it observes that a custom resource has been created, it inspects the custom resource to obtain the policy configuration information.
In this embodiment, the custom resource corresponding to CIS scanning is the CIS Benchmark resource, that is, the security scanning policy for the CIS; the custom resource corresponding to vulnerability scanning is the vulnerability scanning tool resource (Kubehunter), that is, the security scanning policy for container environment vulnerabilities; and the custom resource corresponding to authority scanning is the authority scanning tool resource (Kubeaudit), that is, the security scanning policy for container environment authorities.
Referring to FIG. 6, the policy control manager watches for the creation of the CIS Benchmark resource, the vulnerability scanning tool resource and the authority scanning tool resource. After any one of these custom resources, that is, any one security scanning policy, is created, the policy control manager obtains the policy configuration information corresponding to that security scanning policy and creates a scanning task based on it.
In this embodiment, the policy configuration information further includes a scanning period, which indicates the period at which the scanning task is executed, and creating the scanning task based on the security scanning policy includes: creating a periodic scanning task based on the scanning period; the periodic scanning task generates a single scanning task according to the scanning period.
For example, if the scanning period is a security scan at midnight every day, the periodic scanning task generates a single scanning task at midnight tomorrow, and the single scanning task is automatically deleted after it completes.
In this embodiment, the scanning period is implemented by setting the parameters of a Cron Schedule.
After the scanning task has been created, it is executed and a scanning result is obtained.
So that the user can clearly understand the scanning result, after it is obtained a scanning report is generated from it, saved, and made available for the user to download.
The scanning report comprises basic information and scanning item information, where the basic information comprises the report name, the configuration file name, the scanned cluster, the CIS benchmark version, the inspection time, the total number of scanning items, the number of items actually scanned, the number of passed items, the number of failed items, the number of skipped items, and the like.
For example: referring to fig. 7, taking the central scanning report display interface corresponding to CIS scanning as an example, the "CIS scanning report" control in the figure is the central scanning report control; after an operation acting on it is received, the central scanning report display interface is displayed, which shows the central scanning report. The central scanning report display interface shown in fig. 7 includes a "download" control, that is, a central scanning report download control. Specifically, after an operation acting on the central scanning report download control is received, the scanning report corresponding to that control is downloaded: the report is packed and compressed and then transmitted to the local or remote end.
In addition, in this embodiment, the number of scan reports shown on the scan report display page is limited; when the number of scan reports exceeds that limit, the scan report with the longest storage time is deleted.
Specifically, the policy configuration information further includes a reserved number of scan reports; when the number of saved scan reports exceeds the reserved number, a designated scan report is deleted.
The designated scan report may be the scan report with the longest retention time or the one with the shortest retention time; how the designated scan report is determined is not limited here.
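As an added illustration, not code from the patent, the following Python model captures the policy control manager behaviour described above: a security scanning policy carries a cron schedule and a reserved report count, the periodic task generates one single scan task per period and deletes it on completion, and saved reports beyond the reserved number are pruned longest-stored first. The class and function names, the restricted cron subset (only `*` and comma lists) and the sample data are assumptions made for this example.

```python
# Added example, not code from the patent: a minimal model of the policy
# control manager. Names, the cron subset and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


def _field_matches(spec: str, value: int) -> bool:
    """Match one cron field: '*' or a comma-separated list of integers."""
    return spec == "*" or value in {int(v) for v in spec.split(",")}


def next_fire(schedule: str, after: datetime) -> datetime:
    """Next firing of a 5-field cron schedule (min hour dom mon dow) after `after`."""
    minute, hour, dom, mon, dow = schedule.split()
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = after + timedelta(days=366)  # bound the minute-by-minute scan
    while t <= limit:
        if (_field_matches(minute, t.minute) and _field_matches(hour, t.hour)
                and _field_matches(dom, t.day) and _field_matches(mon, t.month)
                and _field_matches(dow, (t.weekday() + 1) % 7)):  # cron: Sun=0
            return t
        t += timedelta(minutes=1)
    raise ValueError(f"schedule {schedule!r} never fires within a year")


@dataclass
class ScanPolicy:
    name: str
    kind: str              # "cis" | "vulnerability" | "permission"
    schedule: str          # the cron schedule parameter, e.g. "0 0 * * *"
    reserved_reports: int  # reserved number of scan reports to keep


@dataclass
class ScanReport:
    policy: str
    created_at: datetime
    passed: int
    failed: int


@dataclass
class PeriodicTask:
    """The periodic scanning task created for one security scanning policy."""
    policy: ScanPolicy
    reports: List[ScanReport] = field(default_factory=list)
    single_task: Optional[datetime] = None  # due time of the pending one-shot task

    def tick(self, now: datetime) -> datetime:
        """Generate the single scanning task for the next period if none is pending."""
        if self.single_task is None:
            self.single_task = next_fire(self.policy.schedule, now)
        return self.single_task

    def complete_single_task(self, report: ScanReport) -> List[ScanReport]:
        """Scan finished: save its report, delete the single task, prune old reports."""
        self.reports.append(report)
        self.single_task = None  # the single task is deleted once it completes
        return self.prune()

    def prune(self) -> List[ScanReport]:
        """Delete the longest-stored reports once the reserved number is exceeded."""
        self.reports.sort(key=lambda r: r.created_at, reverse=True)
        dropped = self.reports[self.policy.reserved_reports:]
        self.reports = self.reports[:self.policy.reserved_reports]
        return dropped
```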
In summary, the method for managing security benchmarks in a container environment provided by this embodiment includes: displaying a security management main interface, wherein the security management main interface comprises a security scanning control; after receiving an operation acting on the security scanning control, displaying a security scanning display interface, wherein the security scanning display interface comprises a policy control; after receiving an operation acting on the policy control, displaying a security scanning policy display interface, wherein the security scanning policy display interface comprises a new-policy control; after receiving an operation acting on the new-policy control, displaying a policy configuration interface, wherein the policy configuration interface comprises a policy configuration area; receiving policy configuration information through the policy configuration area; and generating a security scanning policy based on the policy configuration information. This solves the problem of low maintenance efficiency in a container environment: because the policy configuration interface is displayed after the operation acting on the new-policy control is received, the policy configuration information is received through the policy configuration area, and the security scanning policy is generated from that information, the CIS benchmark and the binary tool do not need to be used manually to security-scan the container environment, which lowers the learning threshold for security scanning and improves the maintenance efficiency of the container environment.
In addition, the security scanning control comprises a central scanning control corresponding to the CIS benchmark, a vulnerability scanning control corresponding to container environment vulnerabilities, and a permission scanning control corresponding to container environment permissions; by setting scanning policies for the CIS benchmark, the permissions and the vulnerabilities of the container environment, the container environment is security-scanned from multiple angles, which improves its security.
This embodiment provides a device for managing security benchmarks in a container environment, as shown in fig. 8. The device comprises at least the following modules: a first display module 810, a second display module 820, a third display module 830, a fourth display module 840, an information receiving module 850, and a policy generation module 860.
The first display module 810 is configured to display a security management main interface, where the security management main interface includes a security scanning control.
The second display module 820 is configured to display a security scanning display interface after receiving an operation acting on the security scanning control; the security scanning display interface includes a policy control.
The third display module 830 is configured to display a security scanning policy display interface after receiving an operation acting on the policy control; the security scanning policy display interface includes a new-policy control.
The fourth display module 840 is configured to display a policy configuration interface after receiving an operation acting on the new-policy control; the policy configuration interface includes a policy configuration area.
The information receiving module 850 is configured to receive the policy configuration information through the policy configuration area.
The policy generation module 860 is configured to generate a security scanning policy based on the policy configuration information.
For relevant details, refer to the method and apparatus embodiments above.
It should be noted that, in the above embodiment, when the device for managing security benchmarks in a container environment manages those benchmarks, the division into the above functional modules is only an example; in practical applications, the functions may be distributed among different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the device for managing security benchmarks in a container environment provided in the foregoing embodiment and the embodiment of the method for managing security benchmarks in a container environment belong to the same concept; the specific implementation is described in detail in the method embodiment and is not repeated here.
The present embodiment provides an electronic apparatus as shown in fig. 9. The electronic device includes at least a processor 910 and a memory 920.
The processor 910 may include one or more processing cores, for example a 4-core or 8-core processor. The processor 910 may be implemented in at least one hardware form among a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array) and a PLA (Programmable Logic Array). The processor 910 may also include a main processor and a coprocessor, where the main processor processes data in the awake state and is also called the Central Processing Unit (CPU), and the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 910 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 910 may further include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
The memory 920 may include one or more computer-readable storage media, which may be non-transitory. The memory 920 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In some embodiments, a non-transitory computer-readable storage medium in the memory 920 stores at least one instruction that is executed by the processor 910 to implement the method for managing security benchmarks in a container environment provided by the method embodiments herein.
In some embodiments, the electronic device may further include: a peripheral interface and at least one peripheral. The processor 910, memory 920 and peripheral interfaces may be connected by bus or signal lines. Each peripheral may be connected to the peripheral interface by a bus, signal line, or circuit board. Illustratively, peripheral devices include, but are not limited to: radio frequency circuit, touch display screen, audio circuit, power supply, etc.
Of course, the electronic device may include fewer or more components, which is not limited by the embodiment.
Optionally, the present application further provides a computer-readable storage medium in which a program is stored; when the program is loaded and executed by a processor, it implements the method for managing security benchmarks in a container environment according to the above method embodiment.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
It is to be understood that the above-described embodiments are only a few, but not all, of the embodiments described herein. Based on the embodiments in the present application, those skilled in the art may make other changes or modifications without creative efforts, and all should fall within the protection scope of the present application.

Claims (10)

1. A method for managing security benchmarks in a container environment, the method comprising:
displaying a security management main interface, wherein the security management main interface comprises a security scanning control;
after receiving an operation acting on the security scanning control, displaying a security scanning display interface; the security scanning display interface comprises a policy control;
after receiving an operation acting on the policy control, displaying a policy display interface; the policy display interface comprises a new-policy control;
after receiving an operation acting on the new-policy control, displaying a policy configuration interface; the policy configuration interface comprises a policy configuration area;
receiving policy configuration information through the policy configuration area;
and generating a security scanning policy based on the policy configuration information.
2. The method according to claim 1, wherein the security scanning control comprises a central scanning control corresponding to the CIS (Center for Internet Security) benchmark, a vulnerability scanning control corresponding to container environment vulnerabilities, and a permission scanning control corresponding to container environment permissions.
3. The method of claim 2, wherein, in the case that the security scanning control is the central scanning control, displaying a security scanning display interface after receiving an operation acting on the security scanning control comprises:
after receiving the operation acting on the central scanning control, displaying a central scanning display interface; the central scanning display interface comprises a central scanning configuration file control, a central scanning policy control and a central scanning report control.
4. The method of claim 1, further comprising, before generating the security scanning policy based on the policy configuration information:
performing parameter verification on the policy configuration information to obtain a verification result;
and, in the case that the verification result indicates that the policy configuration information failed verification, displaying in the policy configuration area the parameters that failed parameter verification.
5. The method of claim 1, wherein the security scanning display interface comprises a policy display area; the policy display area comprises an enable-state control and a policy editing control corresponding to the security scanning policy; the enable-state control is used to switch the security scanning policy on or off;
in the case that the security scanning policy is in the off state, a policy editing interface is displayed upon receiving an operation acting on the policy editing control; the policy editing interface is used to edit the security scanning policy.
6. The method of claim 1, further comprising, after generating the security scanning policy based on the policy configuration information:
creating a scanning task based on the security scanning policy;
performing a security scan of the container environment through the scanning task to obtain a scanning result;
and generating a scanning report based on the scanning result, and saving the scanning report.
7. The method of claim 6, wherein the policy configuration information comprises a reserved number of scan reports;
in the case that the number of saved scan reports exceeds the reserved number, a designated scan report is deleted.
8. The method of claim 6, wherein the policy configuration information comprises a scanning period; the scanning period is used to indicate the period at which the scanning task is executed; and creating the scanning task based on the security scanning policy comprises:
creating a periodic scanning task based on the scanning period; and the periodic scanning task generates a single scanning task according to the scanning period.
9. An electronic device, characterized in that it comprises a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes the instructions in the memory to cause the electronic device to perform the steps of the method for managing security benchmarks in a container environment according to any one of claims 1 to 8.
10. A computer-readable storage medium having stored thereon instructions which, when executed by a processor, implement the steps of the method for managing security benchmarks in a container environment according to any one of claims 1 to 8.
CN202211272818.XA 2022-10-18 2022-10-18 Method, device and storage medium for managing security reference in container environment Pending CN115348186A (en)


Publications (1)

Publication Number Publication Date
CN115348186A true CN115348186A (en) 2022-11-15

Family

ID=83957626




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221115