CN102541986A - File operation monitoring and auditing method - Google Patents

Publication number: CN102541986A
Authority: CN (China)
Application number: CN2011103295542A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 梁松
Assignee (original and current): Individual
Prior art keywords: file, directory, strategy, module
Classification: Information Retrieval, Db Structures And Fs Structures Therefor
Abstract

The invention relates to the field of computers and in particular discloses a file operation monitoring and auditing method. The method comprises the following steps: a user draws up a file operation monitoring and auditing policy through a console and sends it to a server; after the server receives the policy, it distributes it to the client; after the client receives the policy, it passes it by means of shared memory to the directory monitoring module and the file monitoring module that belong to the client; according to the content of the policy, the directory monitoring module performs the relevant directory operation monitoring through the CopyCallback callback function, and the file monitoring module performs the relevant directory/file operation monitoring by registering for notification messages with the Windows Shell; the directory monitoring module and the file monitoring module store the operation results in a temporary directory, compress them and upload them to the server. With this method, comprehensive file operation monitoring and complete audit records are achieved.

Description

A file operation monitoring and auditing method
Technical field
The present invention relates to the field of computers, and specifically to a file operation monitoring and auditing method.
Background technology
File operation monitoring and auditing is an important part of host security protection: it means that file operations such as open, read/write and querying file information can be watched, controlled and recorded. File operation information means the detailed log record kept for a computer file operation; it comprises the operation time, the logged-in user, the operation type, and the source and destination file paths, where the operation type covers file open, modify, create, delete, copy, move and rename, and directory create, delete, copy, move and rename. File operation monitoring and auditing is very widely applicable: it is of great use both on the attack side (recording user behaviour) and on the defence side (detecting changes to system files). Implementing monitoring and auditing of computer file operations therefore provides more assurance for computer data security.
Existing file operation monitoring techniques fall into two classes, system level and application level. System-level file operation monitoring is mainly implemented by intercepting system calls, attaching virtual devices and similar means; its development cost is high, it may be unable to record events inside an application, and it may be unable to provide the detailed information that applications and data owners need. Application-level file operation monitoring works through means such as registering for notification messages; its development cost is low and it can record user activity such as opening and closing, reading, deleting and editing files, but it still cannot satisfy real monitoring and auditing needs. The file operation monitoring and auditing technology on the market today also has the following problems: first, the content monitored is not comprehensive and cannot cover all kinds of file operations; second, the file operation audit log is incomplete.
Summary of the invention
To address the above problems, the invention provides a file operation monitoring and auditing method that achieves comprehensive file operation monitoring and complete audit records.
To achieve the above object, the technical scheme of the invention is:
A file operation monitoring and auditing method, comprising the following steps:
Step A: the user formulates a file operation monitoring and auditing policy through the console and issues it to the server;
Step B: after the server receives the policy, it distributes the policy to the client;
Step C: after the client receives the policy, it passes the policy by means of shared memory to the directory monitoring module and the file monitoring module that belong to it;
Step D: according to the content of the policy, the directory monitoring module performs the relevant directory operation monitoring by means of the CopyCallback callback function, and the file monitoring module performs the relevant directory/file operation monitoring by registering for notification messages with the Windows Shell;
Step E: the directory monitoring module and the file monitoring module store the operation results in a temporary directory, compress them and upload them to the server.
Preferably, step C further comprises: the client also comprises a daemon module, used to obtain disk information and send it to the directory monitoring module and the file monitoring module.
Preferably, the directory operation in step D is directory copy, directory delete or directory move.
Preferably, the directory/file operation in step D is directory create, file create, file open, file modify, file delete, file copy, file move, file rename or directory rename.
Preferably, step D further comprises: step D1: the directory monitoring module and the file monitoring module notify each other of the files they are operating on, coordinating by passing data between processes through shared memory; step D2: recording and saving the logs of the various file operations.
Preferably, the operation result in step E is the file operation log.
The beneficial effects of the invention are: it works at the user-interface level of the Windows operating system; it can monitor and record all application-level operations, such as file copy, rename and open, so the file operation monitoring is comprehensive; the audit log record is complete; and the development cost is lower.
Description of drawings
The invention is further described below with reference to the drawings and the embodiment.
Fig. 1 is a flow chart of the file operation monitoring and auditing method provided by the invention;
Fig. 2 is a data flow chart of an embodiment of the file operation monitoring and auditing method provided by the invention;
Fig. 3 is a processing flow chart of the directory monitoring module of the invention;
Fig. 4 is a processing flow chart of the file monitoring module of the invention.
Embodiment
Like Fig. 1, shown in Figure 2, file operation monitor audit method provided by the invention relates to the server and client side, and the keeper comes management server through control desk, and formulates corresponding strategies; Server is realized management and security monitoring to whole network terminal file through the management of client.Its file monitor audit process mainly may further comprise the steps:
Steps A: the user formulates file operation monitor audit strategy through control desk, is issued to server;
Step B: after server receives strategy, give client with strategy distribution;
Step C: client is sent catalogue monitoring module and the file monitor module of strategy under it through the shared drive mode after receiving strategy;
Client also comprises the finger daemon module, is used to obtain disc information, and information is sent to catalogue monitoring module and file monitor module.
Step D: according to tactful content, the catalogue monitoring module is through adopting the mode of CopyCallback call back function, carries out that catalogue is duplicated, directory delete or catalogue mobile monitor; The file monitor module is carried out directory creating, document creation, File Open, file modification, file delete, file copy, file movement, file rename or catalogue rename monitoring through adopting the mode to Windows Shell registration notification message;
Catalogue monitoring module and file monitor module are notified the file of each comfortable operation through the mode co-ordination of shared drive Data transmission between process, write down and preserve the daily record of various file operations.
Step e: catalogue monitoring module and file monitor module leave operating results such as file operation daily record and backup file in the temp directory in, and the operating result compression is uploaded onto the server.
Introduce in the face of the function and the realization of two nucleus modules among the present invention down.
1. Directory monitoring module
The directory monitoring module intercepts directory copy, directory move and directory delete operations through a hook; directory create and directory rename are monitored by the file monitoring module. This reduces the data passed in through shared memory, thereby reducing the coupling between the modules and increasing recording accuracy.
The directory monitoring module implements monitoring of directory copy, directory delete and directory move operations by means of the CopyCallback callback function. Fig. 3 shows the processing flow of the directory monitoring module; taking directory copy as an example, its monitoring flow is explained below:
Step 1: first save the operation time and the directory name in shared memory.
Step 2: traverse all directories and files under the directory and record each one as a copy operation.
Step 3: upload the operation log to the server and save it.
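The directory-copy flow above, written out as an added Python example (it is not code from the patent). It assumes a hypothetical hook body `record_directory_copy` that receives the source and destination directory the way a CopyCallback-style hook would, expands the copy into one audit record per directory and file with the fields the background section lists (time, user, operation type, source and destination path), and saves the log into a temporary directory; the sample tree, user name and timestamp are constructed for the demonstration, and the compress-and-upload step is left out.

```python
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class FileOpRecord:
    """One audit-log entry: the fields the patent's background section lists."""
    time: str        # operation time, ISO 8601
    user: str        # logged-in user that performed the operation
    operation: str   # operation type, e.g. "directory_copy", "file_copy"
    source: str      # source path
    target: str      # destination path


def record_directory_copy(src_dir, dst_dir, user, when):
    """Hypothetical hook body: expand one directory copy into one record per
    directory and file below the copied directory (step 2 of the flow)."""
    stamp = when.isoformat()
    records = [FileOpRecord(stamp, user, "directory_copy", src_dir, dst_dir)]
    for root, dirs, files in os.walk(src_dir):
        rel = os.path.relpath(root, src_dir)
        dst_root = dst_dir if rel == os.curdir else os.path.join(dst_dir, rel)
        dirs.sort()                      # deterministic log order
        files.sort()
        for d in dirs:
            records.append(FileOpRecord(stamp, user, "directory_copy",
                                        os.path.join(root, d), os.path.join(dst_root, d)))
        for f in files:
            records.append(FileOpRecord(stamp, user, "file_copy",
                                        os.path.join(root, f), os.path.join(dst_root, f)))
    return records


def write_log(records, temp_dir):
    """Step 3: save the log in the temporary directory, one JSON object per line."""
    log_path = os.path.join(temp_dir, "fileops.log")
    with open(log_path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(asdict(rec)) + "\n")
    return log_path


def _posix_rel(path, base):
    return os.path.relpath(path, base).replace(os.sep, "/")


def demo():
    """Build a constructed sample tree, record its copy, and return
    (records with paths relative to the sandbox, number of log lines written)."""
    with tempfile.TemporaryDirectory() as sandbox:
        src = os.path.join(sandbox, "project")
        os.makedirs(os.path.join(src, "docs"))
        for rel in ("readme.txt", os.path.join("docs", "a.txt"), os.path.join("docs", "b.txt")):
            with open(os.path.join(src, rel), "w", encoding="utf-8") as fh:
                fh.write("sample content\n")
        dst = os.path.join(sandbox, "backup", "project")
        when = datetime(2011, 10, 27, 9, 30, tzinfo=timezone.utc)   # constructed timestamp
        records = record_directory_copy(src, dst, "alice", when)    # "alice" is a made-up user
        log_path = write_log(records, sandbox)
        with open(log_path, encoding="utf-8") as fh:
            line_count = sum(1 for _ in fh)
        summary = [(r.operation, _posix_rel(r.source, sandbox), _posix_rel(r.target, sandbox))
                   for r in records]
        return summary, line_count


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Expanding the copy per item is what makes the record useful for audit: a single "directory copied" line tells an investigator nothing about which files left the directory, while one line per file can be matched against later open, modify or delete records for the same path.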
2. File monitoring module
The file monitoring module implements monitoring of directory create, file create, file open, file modify, file delete, file copy, file move, file rename and directory rename operations by registering for notification messages with the Windows Shell. Its basic working principle is as follows:
(1) To register for notification messages with the Windows Shell, load SHELL32.DLL and obtain the address of the message registration function SHChangeNotifyRegister.
(2) Obtain the folder-location function SHGetSpecialFolderLocation; the registered location type is CSIDL_DRIVES, which covers local and removable disks, or CSIDL_NETWORK for network disks (note in particular that mapped network drives fall under CSIDL_DRIVES).
(3) Register the local disks successfully (if registration fails, sleep for two seconds and register again, up to three consecutive attempts).
Main functions:
A. File creation: the message is handled directly; the message type is SHCNE_CREATE.
B. Deletion: the message is handled directly; the message type is SHCNE_DELETE.
C. Rename: the message is handled directly; the message type is SHCNE_RENAMEITEM.
D. File move monitoring: for a move within the same logical disk the message is handled directly and the message type is SHCNE_RENAMEITEM; for a move between different disks, a file of the same name (on a different logical disk) produces a creation message followed immediately (within 2 seconds) by a deletion message, which is taken to be a file move operation.
E. File copy monitoring: the message generated is a file creation message; by comparing the creation time, the modification time and the current system time it is determined whether the operation is a file modification operation or a file creation operation.
F. File modification monitoring: from the change in the modification time of the file that a shortcut under the "UserDir" directory points to, determine whether a file has been modified.
G. File open monitoring: from the change in the file shortcuts under the "UserDir" directory, determine whether a file has been opened.
Fig. 4 shows the processing flow of the file monitoring module; taking file creation as an example, its monitoring flow is explained below:
Step 1: check whether the file path is a directory and whether the operation time is earlier than the preset time.
Step 2: if the result of step 1 is yes, this operation is not a file creation operation.
Step 3: if the result of step 1 is no and the file name comes from the clipboard, judge whether the file names are identical.
Step 4: if they are identical, this operation is a file copy operation. If they are not identical, look up the deletion operation of the file with the same name and judge whether a deletion operation occurred within 2 seconds.
Step 5: if there was a deletion operation, it is a file move (different disk); if there was no deletion operation, it is a file creation.
Step 6: record the operation and perform restore processing; file creation monitoring ends.
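The correlation logic of the "Main functions" list (A to E) and of the file-creation flow above, as an added Python example that is not the patent's own code. It does not call the Windows Shell; it consumes a constructed stream of notifications as the hypothetical callback registered through SHChangeNotifyRegister would hand them over, and implements the text's rules: clipboard name match (or a modification time older than the creation time, heuristic E) means copy; a same-name deletion on another drive within the 2-second window means a cross-drive move, in either order of arrival; SHCNE_RENAMEITEM is a rename when the parent directory is unchanged and a same-drive move otherwise (that parent-directory rule, the `ShellEvent` and `FileOperationClassifier` names, the `is_directory` flag and the per-event timestamps are assumptions of this example). The SHCNE_* values are the ones defined in shlobj.h; the generalization to both create/delete orderings goes beyond the single ordering the text describes.

```python
from dataclasses import dataclass
from typing import Optional

# Windows Shell change-notification event ids (values as defined in shlobj.h)
SHCNE_RENAMEITEM = 0x00000001
SHCNE_CREATE = 0x00000002
SHCNE_DELETE = 0x00000004

MOVE_WINDOW_SECONDS = 2.0   # the 2-second create/delete correlation window from the text


@dataclass
class ShellEvent:
    """A notification as the hypothetical SHChangeNotifyRegister callback hands it over."""
    event_id: int
    path: str                            # item the notification is about (new name for a rename)
    time: float                          # epoch seconds when the notification arrived
    old_path: Optional[str] = None       # previous name for SHCNE_RENAMEITEM
    is_directory: bool = False
    created_at: Optional[float] = None   # file creation time from the file's attributes
    modified_at: Optional[float] = None  # file last-modification time


@dataclass
class AuditRecord:
    time: float
    user: str
    operation: str
    source: str
    target: str


def _norm(p): return p.replace("\\", "/")
def _name(p): return _norm(p).rsplit("/", 1)[-1]
def _parent(p): return _norm(p).rsplit("/", 1)[0] if "/" in _norm(p) else ""
def _drive(p): return p[:2].upper() if len(p) >= 2 and p[1] == ":" else ""


class FileOperationClassifier:
    """Turns the raw SHCNE_* stream into file-operation audit records."""

    def __init__(self, user, policy_start, clipboard_paths=()):
        self.user = user
        self.policy_start = policy_start          # the "preset time" of step 1
        self.clipboard = {_name(p) for p in clipboard_paths}
        self.recent_deletes = {}                  # file name -> AuditRecord of its deletion
        self.records = []

    def feed(self, ev):
        if ev.event_id == SHCNE_RENAMEITEM:
            self._on_rename(ev)
        elif ev.event_id == SHCNE_DELETE:
            self._on_delete(ev)
        elif ev.event_id == SHCNE_CREATE:
            self._on_create(ev)
        return self.records

    def _on_rename(self, ev):
        # Same parent directory -> rename; another directory on the same drive -> move
        # (the shell reports same-drive moves as SHCNE_RENAMEITEM, as the text notes).
        kind = "directory" if ev.is_directory else "file"
        op = kind + ("_rename" if _parent(ev.old_path) == _parent(ev.path) else "_move_same_drive")
        self.records.append(AuditRecord(ev.time, self.user, op, ev.old_path, ev.path))

    def _on_delete(self, ev):
        name = _name(ev.path)
        # Deletion shortly after a same-name creation on another drive: reclassify that
        # creation as a cross-drive move instead of logging two unrelated events.
        for rec in reversed(self.records):
            if ev.time - rec.time > MOVE_WINDOW_SECONDS:
                break
            if (rec.operation == "file_create" and _name(rec.target) == name
                    and _drive(rec.target) != _drive(ev.path)):
                rec.operation, rec.source = "file_move_cross_drive", ev.path
                return
        rec = AuditRecord(ev.time, self.user,
                          "directory_delete" if ev.is_directory else "file_delete", ev.path, "")
        self.recent_deletes[name] = rec
        self.records.append(rec)

    def _on_create(self, ev):
        if ev.is_directory:                        # steps 1/2: a directory is not a file creation
            self.records.append(AuditRecord(ev.time, self.user, "directory_create", "", ev.path))
            return
        if ev.time < self.policy_start:            # steps 1/2: older than the preset time
            return
        name = _name(ev.path)
        # Steps 3/4 plus heuristic E: clipboard name match, or a modification time that
        # predates the creation time (a copy keeps mtime but gets a fresh ctime) -> copy.
        stale_mtime = (ev.created_at is not None and ev.modified_at is not None
                       and ev.modified_at < ev.created_at)
        if name in self.clipboard or stale_mtime:
            self.records.append(AuditRecord(ev.time, self.user, "file_copy", "", ev.path))
            return
        # Steps 4/5: same-name deletion on a different drive within the window -> move.
        prior = self.recent_deletes.pop(name, None)
        if (prior and ev.time - prior.time <= MOVE_WINDOW_SECONDS
                and _drive(prior.source) != _drive(ev.path)):
            self.records.remove(prior)
            self.records.append(AuditRecord(ev.time, self.user, "file_move_cross_drive",
                                            prior.source, ev.path))
            return
        self.records.append(AuditRecord(ev.time, self.user, "file_create", "", ev.path))


def demo():
    """Feed a constructed notification sequence; return (operation, source, target) rows."""
    clf = FileOperationClassifier("alice", policy_start=1000.0,
                                  clipboard_paths=["C:/Users/alice/Documents/report.docx"])
    events = [
        ShellEvent(SHCNE_CREATE, "C:/Users/alice/Desktop/report.docx", 1001.0),
        ShellEvent(SHCNE_DELETE, "D:/Data/notes.txt", 1002.0),
        ShellEvent(SHCNE_CREATE, "C:/Users/alice/Desktop/notes.txt", 1003.0),
        ShellEvent(SHCNE_CREATE, "C:/Users/alice/Desktop/new.txt", 1010.0,
                   created_at=1010.0, modified_at=1010.0),
        ShellEvent(SHCNE_RENAMEITEM, "C:/Users/alice/Desktop/new2.txt", 1011.0,
                   old_path="C:/Users/alice/Desktop/new.txt"),
        ShellEvent(SHCNE_RENAMEITEM, "C:/Temp/new2.txt", 1012.0,
                   old_path="C:/Users/alice/Desktop/new2.txt"),
        ShellEvent(SHCNE_CREATE, "E:/old.txt", 999.0),                  # before the preset time
        ShellEvent(SHCNE_CREATE, "C:/Users/alice/Desktop/photo.jpg", 1020.0,
                   created_at=1020.0, modified_at=900.0),
        ShellEvent(SHCNE_CREATE, "C:/Users/alice/Desktop/archive", 1021.0, is_directory=True),
        ShellEvent(SHCNE_CREATE, "E:/x/song.mp3", 1030.0),
        ShellEvent(SHCNE_DELETE, "D:/music/song.mp3", 1031.0),
    ]
    for ev in events:
        clf.feed(ev)
    return [(r.operation, r.source, r.target) for r in clf.records]
```

The time window is the weak point of this kind of classification: a deletion that arrives 2.5 seconds after the creation is logged as two independent events, so an auditor reading the log should treat a create/delete pair of the same name across drives as a probable move even when the classifier did not merge them.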
The above embodiment is a preferred implementation of the invention, but the implementation of the invention is not limited by it; any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the invention is an equivalent substitute and falls within the protection scope of the invention.

Claims (6)

1. A file operation monitoring and auditing method, characterized in that it comprises the following steps:
Step A: the user formulates a file operation monitoring and auditing policy through the console and issues it to the server;
Step B: after the server receives the policy, it distributes the policy to the client;
Step C: after the client receives the policy, it passes the policy by means of shared memory to the directory monitoring module and the file monitoring module that belong to it;
Step D: according to the content of the policy, the directory monitoring module performs the relevant directory operation monitoring by means of the CopyCallback callback function, and the file monitoring module performs the relevant directory/file operation monitoring by registering for notification messages with the Windows Shell;
Step E: the directory monitoring module and the file monitoring module store the operation results in a temporary directory, compress them and upload them to the server.
2. The file operation monitoring and auditing method according to claim 1, characterized in that step C further comprises: the client also comprises a daemon module, used to obtain disk information and send it to the directory monitoring module and the file monitoring module.
3. The file operation monitoring and auditing method according to claim 1, characterized in that the directory operation in step D is directory copy, directory delete or directory move.
4. The file operation monitoring and auditing method according to claim 1, characterized in that the directory/file operation in step D is directory create, file create, file open, file modify, file delete, file copy, file move, file rename or directory rename.
5. The file operation monitoring and auditing method according to claim 1, characterized in that step D further comprises:
Step D1: the directory monitoring module and the file monitoring module notify each other of the files they are operating on, coordinating by passing data between processes through shared memory;
Step D2: recording and saving the logs of the various file operations.
6. The file operation monitoring and auditing method according to claim 1, characterized in that the operation result in step E is the file operation log.
Application CN2011103295542A, priority date 2011-10-27, filing date 2011-10-27: File operation monitoring and auditing method (status: Pending)

Publications (1)

CN102541986A, published 2012-07-04

Family ID: 46348889

Country Status (1)

CN: CN102541986A

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080060051A1 (en) * 2005-12-29 2008-03-06 Blue Jungle Techniques and System to Monitor and Log Access of Information Based on System and User Context Using Policies
CN101388033A (en) * 2008-11-05 2009-03-18 山东中创软件工程股份有限公司 File protection technology based on Windows system file altering event
CN101604268A (en) * 2009-07-13 2009-12-16 浪潮电子信息产业股份有限公司 A kind of method for filtering monitored directory change events

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Li Chao et al., "A new efficient host monitoring and auditing system", 《计算机应用研究》 (Application Research of Computers), no. 8, 1 August 2006 (2006-08-01), pages 97-99 *
Yang Shaopeng et al., "Research and implementation of user-mode file auditing on Win7", 《第十三届中国科协年会第1分会场-中国智慧城市论坛论文集》 (Proceedings of the 13th Annual Meeting of the China Association for Science and Technology, Session 1: China Smart City Forum), 21 September 2011 (2011-09-21), pages 1-7 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105095418B (en) * 2015-07-13 2018-07-27 浪潮(北京)电子信息产业有限公司 A kind of method and apparatus of processing write requests
CN105095418A (en) * 2015-07-13 2015-11-25 浪潮(北京)电子信息产业有限公司 Method and apparatus for processing write request
CN106227810A (en) * 2016-07-22 2016-12-14 深圳市先河系统技术有限公司 A kind of file monitor method and server
CN107730199A (en) * 2017-09-26 2018-02-23 深圳市卓帆技术有限公司 A kind of method and system of careful topic track record
CN109614300A (en) * 2018-11-09 2019-04-12 南京富士通南大软件技术有限公司 A kind of file operation in the WPD based on ETW monitors method
CN111159126B (en) * 2019-12-31 2024-01-23 北京天融信网络安全技术有限公司 Audit method and device for file compression operation, electronic equipment and storage medium
CN111159126A (en) * 2019-12-31 2020-05-15 北京天融信网络安全技术有限公司 Auditing method and device for file compression operation, electronic equipment and storage medium
CN112035832A (en) * 2020-08-21 2020-12-04 郑州信大捷安信息技术股份有限公司 Method and system for monitoring file activities
CN112035832B (en) * 2020-08-21 2022-02-11 郑州信大捷安信息技术股份有限公司 Method and system for monitoring file activities
CN113688419B (en) * 2021-07-22 2023-05-19 成都鲁易科技有限公司 Data protection method and device, storage medium and computer equipment
CN113688419A (en) * 2021-07-22 2021-11-23 成都鲁易科技有限公司 Data protection method and device, storage medium and computer equipment
CN114512151A (en) * 2021-12-28 2022-05-17 奇安信科技集团股份有限公司 Method and system for auditing and controlling optical disc recording
CN114512151B (en) * 2021-12-28 2024-03-22 奇安信科技集团股份有限公司 Method and system for auditing, managing and controlling optical disk writing
CN114564632A (en) * 2022-02-18 2022-05-31 北京圣博润高新技术股份有限公司 Document operation behavior auditing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120704