CN106330884A - Safety management method for realizing alarming, locking and data destruction - Google Patents
- Publication number: CN106330884A
- Application number: CN201610689785.7A
- Authority: CN (China)
- Prior art keywords: module, configuration file, policy, policy enforcement, data
- Legal status (assumed, not a legal conclusion): Pending
Classifications
- H04L63/20 — Network architectures or network communication protocols for managing network security; network security policies in general (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION > H04L63/00—Network security)
- H04L63/083 — Network architectures or network communication protocols for authentication of entities using passwords (H04L63/00 > H04L63/08—Authentication of entities)
Abstract
The invention provides a security management method that implements alarming, locking and data destruction, and relates to the field of data security management. The method consists of policy configuration files and policy enforcement modules; the policy enforcement modules are further divided into passive execution modules and active execution modules. It adopts the PAM architecture already integrated in domestic Linux operating systems, which makes it easy to port, extend and configure. Aimed mainly at user login operations, policy enforcement modules are invoked according to the policy configuration file to carry out different response actions. The security of the computer system is greatly improved and the complexity of computer security management is greatly reduced.
Description
Technical field
The present invention relates to data security management technology, and in particular to a security management method that implements alarming, locking and data destruction.
Background technology
At present, in application scenarios with security and confidentiality requirements, domestically produced servers, desktop computers, notebooks and similar products generally integrate data security management functions, such as software and hardware restrictions on the use of removable storage devices, one-key emergency data destruction, and anti-tamper destruction of data when the machine is forcibly disassembled.
However, analysis of current applications shows that restricting removable storage devices relies mostly on human management and auditing; the software and hardware functions can only restrict use and prevent data leakage, and once those safeguards are breached there is no higher-level security measure such as data destruction. One-key data destruction applies only in emergencies, requires manual operation and has many preconditions for taking effect, so it is quite limited. The anti-disassembly destruction function, as the name suggests, only guards against obtaining the storage device by forcibly disassembling the computer; it can activate and destroy data automatically only when the tamper sensor is triggered during disassembly.
The methods above are all data protection methods in common use today. But, as described, they only respond to data security threats under specific conditions and cannot cope with the complex and changing situations of everyday use.
Summary of the invention
To solve the above technical problems, the present invention proposes a security management method that implements alarming, locking and data destruction.
The method makes use of the PAM framework already integrated in existing domestic Linux operating systems. By writing policy configuration files and policy enforcement modules, it can handle login requests of different kinds: for example, normal graphical-interface login, character-mode login and SSH remote login are each managed by a different policy configuration file, and modules developed for customer requirements can be coordinated so that different management operations are performed at the user login stage. This compensates for the defects that the above methods show in actual use. The method also introduces an active operating mechanism into the policy enforcement module: when a user login triggers a specified condition, the administrator is notified and can remotely control the computer to perform specified operations. Together with the common data protection functions and software/hardware management means above, this can greatly improve the security of the computer system and significantly reduce the complexity of computer security management.
The present invention consists of policy configuration files and policy enforcement modules. The policy enforcement modules are further divided into passive execution modules and active execution modules.
The invention uses the PAM framework already integrated in domestic Linux operating systems, which makes it easy to port, extend and configure. Aimed mainly at user login operations, policy enforcement modules are invoked according to the policy configuration file to produce different response actions.
Policy configuration file:
Each login mode that uses the PAM authentication mechanism is provided with its own policy configuration file. When a user logs in, PAM queries the configuration file and, according to the conditions specified in it, calls the different policy enforcement modules to complete the specified actions.
Policy enforcement module:
1) Passive policy enforcement modules:
According to customer requirements and the platform hardware design: in the data destruction module, a CPU-controlled GPIO is operated to send a destruction signal to the hard disk destruction circuit, after which the hard disk data is destroyed; in the mail alarm module, specified content can be sent to a preset administrator mail address, so that when the policy configuration file condition is met the current event is reported to the administrator; the alarm module operates a GPIO to drive a sound and light alarm circuit. Depending on the hardware design and the security and confidentiality requirements, direct network connection, a GPS module and a camera can also be used, coordinated with the mail alarm module, to implement dynamic tracking.
2) Active policy enforcement module:
The active execution module normally stays dormant and is activated when the policy configuration file condition is met; it is used to receive instructions sent remotely by the device administrator and can perform the operations specified by those instructions.
The policy enforcement modules above are system-level program components that users cannot directly modify or destroy. At the same time, because of the restriction imposed by the policy configuration file, even if a policy enforcement module is destroyed, the user cannot complete login authentication normally and therefore cannot perform any operation.
Because the existing PAM framework in the system is used directly, not only the login system and system-integrated services but any application that uses the PAM authentication mechanism can be brought under the security policy management described above once a suitable policy configuration file is written.
This effectively prevents leakage of private data caused by illegal logins to the computer through various channels. The method can be extended to all applications based on the PAM authentication mechanism, greatly improving the usability and practicality of security and confidentiality management while significantly reducing the difficulty of system-level security management work.
Detailed description of the invention
The content of the invention is described in more detail below.
The present invention consists of policy configuration files and policy enforcement modules. The policy enforcement modules are further divided into passive execution modules and active execution modules.
The invention uses the PAM framework already integrated in domestic Linux operating systems, which makes it easy to port, extend and configure. Aimed mainly at user login operations, policy enforcement modules are invoked according to the policy configuration file to produce different response actions.
Policy configuration file:
Each login mode that uses the PAM authentication mechanism is provided with its own policy configuration file. For example, system graphical-interface login, character-mode (command-line) login, the FTP service, Telnet remote login and SSH remote login each have a different configuration file. When a user logs in, PAM queries the configuration file and, according to the conditions specified in it, calls the different policy enforcement modules to complete the specified actions. (For example, in the graphical-interface login process, entering a wrong password 5 times in a row may lock the account for 5 minutes; both the number of password errors and the number of locking minutes are defined by the configuration file. This is only an example: the current standard PAM framework is only capable of verifying whether an account is allowed to log in, locking accounts, processing account passwords and interacting on locking, and does not possess the security functions described in this invention.)
Policy enforcement module:
1. Passive policy enforcement modules:
According to customer requirements and the platform hardware design: in the data destruction module, a CPU-controlled GPIO is operated to send a destruction signal to the hard disk destruction circuit, after which the hard disk data is destroyed; in the mail alarm module, specified content can be sent to a preset administrator mail address, so that when the policy configuration file condition is met the current event (such as repeated wrong passwords or use of an illegal user name) is reported to the administrator; the alarm module operates a GPIO to drive a sound and light alarm circuit. Depending on the hardware design and the security and confidentiality requirements, direct network connection, a GPS module and a camera can also be used, coordinated with the mail alarm module, to implement dynamic tracking.
2. Active policy enforcement module:
The active execution module normally stays dormant and is activated when the policy configuration file condition is met; it is used to receive instructions sent remotely by the device administrator and can perform the operations specified by those instructions (such as deleting sensitive data, starting an alarm or starting tracking).
For each platform's hardware, the present invention requires that policy enforcement modules which operate hardware be written for that platform, while modules that only perform software operations can be ported directly between platforms. When implementing a configuration, policy configuration files are written according to the actual usage situation, setting trigger conditions for the different user login channels; once a condition is met, the corresponding policy enforcement module is called automatically to perform the operation, with no further manual intervention needed and no possibility of intervention by the local user.
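The two parts described above (a per-service policy configuration file consulted at login, and passive/active enforcement modules dispatched when a condition is met) are illustrated by the following added example. It is not the patent's code and the real implementation would be a C PAM module; here the PAM hook is simulated in Python with an injectable clock, the policy file is a hypothetical INI layout with constructed section and key names, and the hardware-dependent passive modules (GPIO alarm, mail) are swapped in as handler callables so that the software logic itself ports between platforms, as the description requires.

```python
"""Policy-driven response to login attempts, modelled on the PAM-based design
described above. Added example, not the patent's code; the policy file layout,
service names and instruction names are constructed for illustration."""
import configparser
import time
from dataclasses import dataclass

# Constructed sample policy file: one section per PAM service (login mode),
# matching the description's "wrong password N times -> lock for M minutes".
SAMPLE_POLICY = """
[gdm]
max_failures = 5
lock_seconds = 300
on_lock = alert, mail

[sshd]
max_failures = 3
lock_seconds = 600
on_lock = mail, activate_remote
"""


@dataclass(frozen=True)
class ServicePolicy:
    max_failures: int   # consecutive wrong passwords tolerated before locking
    lock_seconds: int   # lockout duration, from the configuration file
    on_lock: tuple      # actions to dispatch when the lock condition triggers


def load_policy(text):
    """Parse the policy file into one ServicePolicy per PAM service name."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        svc: ServicePolicy(
            max_failures=cp.getint(svc, "max_failures"),
            lock_seconds=cp.getint(svc, "lock_seconds"),
            on_lock=tuple(a.strip() for a in cp.get(svc, "on_lock").split(",")),
        )
        for svc in cp.sections()
    }


class ActiveModule:
    """Active execution module: dormant until a policy condition activates it,
    then accepts only a fixed set of administrator instructions (hypothetical
    names taken from the description) and refuses everything else."""
    ALLOWED = frozenset({"delete_sensitive_data", "start_alarm", "start_tracking"})

    def __init__(self):
        self.active = False
        self.executed = []

    def activate(self):
        self.active = True

    def handle(self, instruction):
        if not self.active or instruction not in self.ALLOWED:
            return False
        self.executed.append(instruction)
        return True


class PolicyEngine:
    """Stands in for the PAM hook: consults the per-service policy on every
    login attempt and dispatches passive/active modules when a condition is met."""

    def __init__(self, policies, handlers=None, now=time.time):
        self.policies = policies
        self.now = now                 # injectable clock, so tests can advance time
        self.failures = {}             # (service, user) -> consecutive failures
        self.locked_until = {}         # (service, user) -> unlock timestamp
        self.events = []               # record of passive actions dispatched
        self.active = ActiveModule()
        # Passive modules as handlers: the GPIO alarm and mail modules are
        # platform specific, so stand-ins that only record the event are used.
        self.handlers = handlers or {
            "alert": lambda svc, user: self.events.append(("alert", svc, user)),
            "mail": lambda svc, user: self.events.append(("mail", svc, user)),
        }

    def is_locked(self, service, user):
        until = self.locked_until.get((service, user))
        return until is not None and self.now() < until

    def authenticate(self, service, user, password_ok):
        """Return "ok", "denied" or "locked" for one login attempt."""
        policy = self.policies[service]
        key = (service, user)
        if self.is_locked(service, user):
            return "locked"            # a correct password is refused while locked
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count < policy.max_failures:
            return "denied"
        # Condition met: lock the account and run the configured actions.
        self.locked_until[key] = self.now() + policy.lock_seconds
        self.failures.pop(key, None)
        for action in policy.on_lock:
            if action == "activate_remote":
                self.active.activate()
            elif action in self.handlers:
                self.handlers[action](service, user)
            else:
                self.events.append(("unknown_action", action, service))
        return "locked"


if __name__ == "__main__":
    engine = PolicyEngine(load_policy(SAMPLE_POLICY))
    for _ in range(5):
        print(engine.authenticate("gdm", "alice", password_ok=False))
    print(engine.events, engine.active.active)
```

Two design points follow the description rather than convenience: the lock check comes before the password check, so a correct password during the lockout window is still refused and the local user cannot talk their way past the policy, and the active module rejects any instruction outside its fixed set even after activation, so a remote channel cannot be turned into a general command interface.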
Claims (3)
1. A security management method that implements alarming, locking and data destruction, characterised in that:
it consists mainly of policy configuration files and policy enforcement modules, the policy enforcement modules being further divided into passive execution modules and active execution modules;
it uses the PAM framework already integrated in domestic Linux operating systems, which makes it easy to port, extend and configure; aimed mainly at user login operations, policy enforcement modules are invoked according to the policy configuration file to produce different response actions.
2. The method according to claim 1, characterised in that:
Policy configuration file:
each login mode that uses the PAM authentication mechanism is provided with its own policy configuration file; when a user logs in, PAM queries the configuration file and, according to the conditions specified in it, calls the different policy enforcement modules to complete the specified actions.
3. The method according to claim 2, characterised in that:
Policy enforcement modules:
1) Passive policy enforcement modules: according to customer requirements and the platform hardware design, the data destruction module operates a CPU-controlled GPIO to send a destruction signal to the hard disk destruction circuit, after which the hard disk data is destroyed; the mail alarm module sends specified content to a preset administrator mail address, reporting the current event to the administrator when the policy configuration file condition is met; the alarm module operates a GPIO to drive a sound and light alarm circuit; depending on the hardware design and the security and confidentiality requirements, direct network connection, a GPS module and a camera can also be coordinated with the mail alarm module to implement dynamic tracking;
2) Active policy enforcement module: the active execution module normally stays dormant, is activated when the policy configuration file condition is met, and is used to receive instructions sent remotely by the device administrator and perform the operations specified by those instructions.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610689785.7A CN106330884A (en) | 2016-08-19 | 2016-08-19 | Safety management method for realizing alarming, locking and data destruction |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610689785.7A CN106330884A (en) | 2016-08-19 | 2016-08-19 | Safety management method for realizing alarming, locking and data destruction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106330884A true CN106330884A (en) | 2017-01-11 |
Family
ID=57744316
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610689785.7A Pending CN106330884A (en) | 2016-08-19 | 2016-08-19 | Safety management method for realizing alarming, locking and data destruction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106330884A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090044250A1 (en) * | 2007-08-08 | 2009-02-12 | Memory Experts International Inc. | Embedded Self-Contained Security Commands |
CN101917423A (en) * | 2010-08-05 | 2010-12-15 | 上海酷族信息技术有限公司 | Operating method for safety protection of database |
CN102739868A (en) * | 2012-06-18 | 2012-10-17 | 奇智软件(北京)有限公司 | Mobile terminal loss processing method and system |
CN103200008A (en) * | 2013-02-28 | 2013-07-10 | 山东超越数控电子有限公司 | Linux identity authentication system and Linux identity authentication method |
CN104268469A (en) * | 2014-09-26 | 2015-01-07 | 深圳北控信息发展有限公司 | Mobile terminal and information security protection method and device thereof |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170111 |