CN107634968A - Tamper recovery method and system based on Rsync - Google Patents

Tamper recovery method and system based on Rsync

Publication number
CN107634968A
Authority
CN
China
Prior art keywords
file
rsync
monitoring client
log
target operation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710975111.8A
Other languages
Chinese (zh)
Inventor
郑云超
范渊
莫金友
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN201710975111.8A
Publication of CN107634968A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a tamper recovery method and system based on Rsync and relates to the technical field of network security. The method includes: a monitoring client listens for a target operation event, where the target operation event is an event in which an operation is performed on a file in the operating system being monitored; the monitoring client obtains a file tamper log based on the detected target operation event, where the file tamper log includes at least one of: the name of the modified file, the process that modified the file, and the parent process of that process; the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction. The invention alleviates the technical problem in the prior art of low recovery efficiency when recovering large amounts of data.

Description

Tamper recovery method and system based on Rsync
Technical field
The present invention relates to the technical field of network security, and more particularly to a tamper recovery method and system based on Rsync.
Background
Rsync is an open-source, fast, multi-functional tool for synchronizing and backing up local or remote data, supporting both full and incremental synchronization.
In the prior art, Rsync-based anti-tampering schemes include the following two: 1. polling at regular intervals and periodically performing a full synchronization of the protected path; 2. monitoring the files on the protected path with a file-monitoring program such as inotify and, if a file on the protected path changes, pulling the file from the backup end. Also in the prior art, an anti-tampering scheme based on driver-layer file monitoring works as follows: a whitelist of processes allowed to modify files is specified first, file modification events are monitored at the driver layer, and processes outside the whitelist are blocked; this is prevention before tampering occurs.
Running Rsync synchronization directly on the protected path has the following problem: synchronizing a folder that contains many files, or large files, takes too long. For example, a single synchronization of a 100G website may take more than 10 minutes, because before synchronizing Rsync has to compare and checksum all of the protected files in order to locate the files that need synchronizing. Recovery of tampered files is therefore too slow, and incorrect files remain in the protected path for a long time.
With monitoring programs such as inotify that listen only for file modification events, every detected modification event triggers a synchronization, which has the following problem: when synchronizing a file, Rsync first synchronizes the remote file into a local temporary file; once synchronization completes, the temporary file overwrites the locally modified file, and after the overwrite the temporary file is deleted. Every file synchronization therefore produces new events, which seriously interferes with the monitoring program and can even cause an endless synchronization loop. Driver-layer file monitoring that achieves anti-tampering by blocking according to a whitelist has the following problem: the scheme has a security weakness, because a whitelisted process may be exploited by an attacker, so that once a file has been tampered with it cannot be recovered; this situation has occurred in use by users.
Summary of the invention
In view of this, an object of the present invention is to provide a tamper recovery method and system based on Rsync, to alleviate the technical problem in the prior art of low recovery efficiency when recovering large amounts of data.
In a first aspect, an embodiment of the present invention provides a tamper recovery method based on Rsync, including: a monitoring client listens for a target operation event, where the target operation event is an event in which an operation is performed on a file in the operating system being monitored; the monitoring client obtains a file tamper log based on the detected target operation event, where the file tamper log includes at least one of: the name of the modified file, the process that modified the file, and the parent process of that process; the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction.
Further, the monitoring client generating an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction, includes: filtering the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client; and generating the Rsync instruction based on the target log.
Further, generating the Rsync instruction based on the target log includes: extracting the name of the target file from the target log; and generating the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
Further, the monitoring client listening for a target operation event includes: the monitoring client monitors the protected path to detect whether a file under the protected path has changed, where, if a change is detected, the target operation event is determined to have been detected.
Further, the monitoring client listening for a target operation event also includes: the monitoring client listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
In a second aspect, an embodiment of the present invention also provides a tamper recovery system based on Rsync, including: a center end, a monitoring client and a backup end, where the center end, the monitoring client and the backup end are connected to one another in pairs; the center end is used to configure the monitoring client and the backup end respectively; the monitoring client is used to listen for a target operation event, where the target operation event is an event in which an operation is performed on a file in the operating system being monitored, to obtain a file tamper log based on the detected target operation event, where the file tamper log includes at least one of: the name of the modified file, the process that modified the file, and the parent process of that process, and to generate an Rsync instruction based on the file tamper log; the backup end is used to restore the modified file according to the Rsync instruction.
Further, the monitoring client includes: a driver monitoring module, for obtaining the file tamper log; a log acquisition module, for filtering the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client; and a file recovery module, for generating the Rsync instruction based on the target log.
Further, the file recovery module is also used to: extract the name of the target file from the target log; and generate the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
Further, the driver monitoring module obtaining the file tamper log includes: the driver monitoring module monitors the protected path to detect whether a file under the protected path has changed, where, if a change is detected, the target operation event is determined to have been detected.
Further, the driver monitoring module obtaining the file tamper log also includes: the driver monitoring module listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
In the embodiments of the present invention, the monitoring client first listens for a target operation event; then, based on the detected target operation event, the monitoring client obtains a file tamper log; finally, the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction. In the embodiments of the present invention, once the file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the file that has currently been modified is synchronized. This improves the efficiency of data recovery, alleviates the technical problem in the prior art of low recovery efficiency when recovering large amounts of data, and achieves the technical effect of efficiently synchronizing and restoring the data to be recovered.
Other features and advantages of the present invention will be set out in the following description, and in part will become apparent from the description or be understood by implementing the present invention. The objects and other advantages of the present invention are realized and obtained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a tamper recovery system based on Rsync according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a monitoring client according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the communication process between a log acquisition module and a driver monitoring module according to an embodiment of the present invention;
Fig. 4 is a flow chart of a tamper recovery method based on Rsync according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of configuring the backup end according to an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment one:
According to an embodiment of the present invention, an embodiment of a tamper recovery system based on Rsync is provided.
Fig. 1 is a schematic diagram of a tamper recovery system based on Rsync according to an embodiment of the present invention. As shown in Fig. 1, the system includes: a center end 10, a monitoring client 20 and a backup end 30, where the center end 10, the monitoring client 20 and the backup end 30 are connected to one another in pairs.
The center end 10 is used to configure the monitoring client and the backup end respectively; as shown in Fig. 1, this includes setting the tamper recovery rules of the monitoring client and configuring the Rsync server on the backup end.
The monitoring client 20 is used to listen for a target operation event, where the target operation event is an event in which an operation is performed on a file in the operating system being monitored; to obtain a file tamper log based on the detected target operation event, where the file tamper log includes at least one of: the name of the modified file, the process that modified the file, and the parent process of that process; and to generate an Rsync instruction based on the file tamper log.
The backup end 30 is used to restore the modified file according to the Rsync instruction.
Specifically, the embodiment of the present invention includes a center end 10, a monitoring client 20 and a backup end 30. As shown in Fig. 1, the center end 10, the monitoring client 20 and the backup end 30 are connected to one another in pairs, and a C/S architecture is used between the center end 10 and the backup end 30. The center end 10 and the monitoring client 20, and the center end 10 and the backup end 30, communicate over HTTP with SSL, and the communicated data is encrypted and decrypted with the RC4 method.
In the embodiments of the present invention, the monitoring client first listens for a target operation event; then, based on the detected target operation event, the monitoring client obtains a file tamper log; finally, the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction. In the embodiments of the present invention, once the file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the file that has currently been modified is synchronized. This improves the efficiency of data recovery, alleviates the technical problem in the prior art of low recovery efficiency when recovering large amounts of data, and achieves the technical effect of efficiently synchronizing and restoring the data to be recovered.
In the embodiments of the present invention, the center end 10 includes a monitoring client management module, a backup end management module, a monitoring client tamper recovery rule setting module and a backup end backup service configuration module.
The monitoring client management module is used to configure the monitoring client 20 and to store the configuration information for the monitoring client 20 in the database. The backup end management module is used to configure the backup end 30 and to store the configuration information for the backup end 30 in the database. The monitoring client tamper recovery rule setting module is used to configure the storage path and the backup path and to store them in the database; the center end 10 issues them to the monitoring client 20, which reads this information and notifies the driver layer and the application layer to update the protected path. The backup end backup service configuration module is used to configure information such as the installation path of the Rsync server on the backup end, the backup port and the backup path. The center end issues this backup information to the backup end, which reads it and updates the configuration of the Rsync server.
In an optional embodiment, as shown in Fig. 2, the monitoring client 20 includes: a driver monitoring module 21, a log acquisition module 22 and a file recovery module 23.
The driver monitoring module is used to obtain the file tamper log. Optionally, the driver monitoring module listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
The driver monitoring module obtaining the file tamper log includes: the driver monitoring module monitors the protected path to detect whether a file under the protected path has changed, where, if a change is detected, the target operation event is determined to have been detected.
In the embodiments of the present invention, the driver monitoring module 21 adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After obtaining the modification behaviour on the file, the full path of the process that modified the file and the parent process of that modifying process, the hook function sends the corresponding file tamper log to the log acquisition module 22.
The log acquisition module is used to filter the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client.
In the embodiments of the present invention, the log acquisition module communicates with the driver monitoring module through a pipe. After receiving the file tamper log from the driver layer, it first filters out the logs in which the full path of the modifying process is the Rsync under the monitoring client's installation path and the parent process path is the process to which the file recovery module belongs, and then forwards the filtered logs (that is, the target logs) to the file recovery module in real time.
The file recovery module is used to generate the Rsync instruction based on the target log.
In the embodiments of the present invention, Fig. 3 is a schematic diagram of the communication process between the log acquisition module and the driver monitoring module. As shown in Fig. 3, the driver monitoring module first creates a socket with netlink_kernel_create() and specifies the receive function; then the log acquisition module creates a socket in a user-space process and sends its process ID to kernel space; finally, the driver monitoring module receives the user-space process ID through the receive function. At this point the driver monitoring module and the log acquisition module can communicate.
In another optional embodiment of the present invention, the file recovery module is also used to: extract the name of the target file from the target log; and generate the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
In the embodiments of the present invention, the file recovery module extracts the name of the modified target file from the file tamper log and generates a separate Rsync command according to the file name of the target file and the operation type of the target file.
The operation types of a target file include add, delete, modify and rename. When the operation type is add or modify, Rsync synchronizes only the target file that has currently been added or modified; when the operation type is delete or rename, Rsync synchronizes only the upper-level folder of the target file concerned.
Embodiment two:
According to an embodiment of the present invention, an embodiment of a tamper recovery method based on Rsync is provided.
Fig. 4 is a flow chart of a tamper recovery method based on Rsync according to an embodiment of the present invention. As shown in Fig. 4, the method includes the following steps:
Step S102: the monitoring client listens for a target operation event, where the target operation event is an event in which an operation is performed on a file in the operating system being monitored;
Step S104: the monitoring client obtains a file tamper log based on the detected target operation event, where the file tamper log includes at least one of: the name of the modified file, the process that modified the file, and the parent process of that process;
Step S106: the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction.
It should be noted that the monitoring client and backup end described in this embodiment are the same as those described in Embodiment one above and are not described again here.
In the embodiments of the present invention, the monitoring client first listens for a target operation event; then, based on the detected target operation event, the monitoring client obtains a file tamper log; finally, the monitoring client generates an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction. In the embodiments of the present invention, once the file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the file that has currently been modified is synchronized. This improves the efficiency of data recovery, alleviates the technical problem in the prior art of low recovery efficiency when recovering large amounts of data, and achieves the technical effect of efficiently synchronizing and restoring the data to be recovered.
In an optional embodiment of the present invention, the monitoring client generating an Rsync instruction based on the file tamper log, so that the backup end restores the modified file according to the Rsync instruction, includes the following process:
filtering the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client;
generating the Rsync instruction based on the target log.
In the embodiments of the present invention, the log acquisition module in the monitoring client communicates with the driver monitoring module through a pipe. After receiving the file tamper log from the driver layer, it first filters out the logs in which the full path of the modifying process is the Rsync under the monitoring client's installation path and the parent process path is the process to which the file recovery module belongs, and then forwards the filtered logs (that is, the target logs) to the file recovery module of the monitoring client in real time, so that the file recovery module generates the Rsync instruction based on the target log.
In an optional embodiment of the present invention, generating the Rsync instruction based on the target log includes the following process:
extracting the name of the target file from the target log;
generating the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
In the embodiments of the present invention, the file recovery module extracts the name of the modified target file from the file tamper log and generates a separate Rsync command according to the file name of the target file and the operation type of the target file.
The operation types of a target file include add, delete, modify and rename. When the operation type is add or modify, Rsync synchronizes only the target file that has currently been added or modified; when the operation type is delete or rename, Rsync synchronizes only the upper-level folder of the file concerned.
In an optional embodiment of the present invention, the monitoring client listening for a target operation event includes the following process:
the monitoring client monitors the protected path to detect whether a file under the protected path has changed,
where, if a change is detected, the target operation event is determined to have been detected.
The monitoring client listening for a target operation event also includes: the monitoring client listens for the target operation event through a hook function, where the hook function is added in advance at the application layer of the file system filter driver of the operating system.
In the embodiments of the present invention, the driver monitoring module of the monitoring client adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After obtaining the modification behaviour on the file, the full path of the process that modified the file and the parent process of that modifying process, the hook function sends the corresponding file tamper log to the log acquisition module.
Embodiment one and Embodiment two above are illustrated below with a specific example.
Assume the monitoring client is HOST-A and the protected path is /opt/web;
assume the backup end is HOST-B and the backup path is /opt/website.
The center end configures the backup path of the backup end; the configuration is shown in Fig. 5. The center end is also used to configure the protected path of the monitoring client.
The monitoring client monitors the protected path. For example, the file /opt/web/test/1.sh on the monitoring client is modified, the operating process is Rsync, and the parent process is not the protection program of the monitoring client. This file modification is therefore an illegal modification and the 1.sh file needs to be recovered. The file recovery module of the monitoring client calls the Rsync client to run the synchronization command:
rsync [OPTION...] rsync://[USER@]HOST-B[:873]/push_cms/test/1.sh /opt/web/test/1.sh
When the whole protected path is synchronized, the synchronization command is:
rsync [OPTION...] rsync://[USER@]HOST-B[:873]/push_cms/ /opt/web/
When only the current file is synchronized, Rsync only needs to compare and checksum the file that has currently been modified, so the difference is found promptly and the file is updated in real time.
Some modification events for Rsync temporary files are produced during synchronization. In that case the modifying process is Rsync and the parent process is the protection program of the monitoring client, so such file modifications are legitimate; such logs are filtered out and do not trigger file synchronization.
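The filtering and per-file command generation described above, sketched in Python as an added example (not code from the patent or its applicant). HOST-A, HOST-B, /opt/web and push_cms come from the worked example; the install paths, the record layout, the -a and --delete options and the reading of "upper-level folder" as the immediate parent directory are assumptions.

```python
import posixpath
from dataclasses import dataclass

# From the page's worked example: HOST-A protects /opt/web, HOST-B serves the
# backup through the rsync daemon module push_cms on port 873.
PROTECTED_PATH = "/opt/web"
BACKUP_URL = "rsync://HOST-B:873/push_cms"

# Assumed install locations of the monitoring client's own binaries.
RSYNC_BIN = "/opt/monitor/bin/rsync"
RECOVERY_BIN = "/opt/monitor/bin/file_recovery"


@dataclass(frozen=True)
class TamperLog:
    path: str     # full path of the modified file
    op: str       # "add", "modify", "delete" or "rename"
    process: str  # full path of the process that made the change
    parent: str   # full path of that process's parent


def is_own_sync(entry: TamperLog) -> bool:
    """True for events produced by the recovery module's own rsync run.

    Both conditions must hold: an rsync binary started by anything other
    than the recovery module is still treated as tampering.
    """
    return entry.process == RSYNC_BIN and entry.parent == RECOVERY_BIN


def relative_target(path: str):
    """Path relative to PROTECTED_PATH, or None when it falls outside it."""
    norm = posixpath.normpath(path)
    prefix = PROTECTED_PATH + "/"
    return norm[len(prefix):] if norm.startswith(prefix) else None


def build_rsync_argv(entry: TamperLog):
    """Build one rsync command for a single log entry.

    The command is an argv list, so a file name chosen by whoever modified
    the file is never interpreted by a shell.
    """
    rel = relative_target(entry.path)
    if rel is None:
        return None
    if entry.op in ("add", "modify"):
        # Pull only the affected file. rsync cannot pull a file the backup
        # does not hold, so an added file with no backup copy stays in place.
        return [RSYNC_BIN, "-a", f"{BACKUP_URL}/{rel}", f"{PROTECTED_PATH}/{rel}"]
    if entry.op in ("delete", "rename"):
        # Synchronize the containing folder so the original name comes back.
        folder = posixpath.dirname(rel)
        suffix = f"/{folder}/" if folder else "/"
        return [RSYNC_BIN, "-a", "--delete",
                BACKUP_URL + suffix, PROTECTED_PATH + suffix]
    raise ValueError(f"unknown operation type: {entry.op!r}")


def plan_recovery(entries):
    """Drop the recovery module's own events, then emit each command once."""
    plans = []
    for entry in entries:
        if is_own_sync(entry):
            continue
        argv = build_rsync_argv(entry)
        if argv is not None and argv not in plans:
            plans.append(argv)
    return plans


# Constructed sample tamper log (not real data).
SAMPLE_LOG = [
    # rsync binary, but the parent is not the recovery module: tampering.
    TamperLog("/opt/web/test/1.sh", "modify", RSYNC_BIN, "/bin/bash"),
    # Temporary file written by the recovery module's rsync: filtered out.
    TamperLog("/opt/web/test/.1.sh.Xy12ab", "modify", RSYNC_BIN, RECOVERY_BIN),
    TamperLog("/opt/web/img/logo.png", "delete", "/usr/bin/php", "/usr/sbin/apache2"),
    # Normalizes to a path outside the protected path: ignored.
    TamperLog("/opt/web/../etc/passwd", "modify", "/usr/bin/vi", "/bin/bash"),
]

if __name__ == "__main__":
    for argv in plan_recovery(SAMPLE_LOG):
        print(" ".join(argv))
```

Filtering on the process and its parent together is what breaks the synchronization loop described in the background section: the temporary-file events from the recovery run are dropped, while the same rsync binary launched from a shell still triggers recovery.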
Compared with the prior art, the present invention has the following advantages:
1. The driver monitoring module adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After obtaining the modification behaviour on the file, the full path of the process that modified the file and the parent process of that modifying process, the hook function sends the corresponding tamper log to the log acquisition module.
2. The log acquisition module communicates with the underlying file system filter driver through a pipe. After obtaining the tamper log, it first filters out the logs in which the full path of the modifying process is the Rsync process path called by the file recovery module and the parent process path is the process to which the file recovery module belongs, and then sends the filtered logs to the file recovery module in real time.
3. After receiving the driver-layer tamper log, the file recovery module extracts the name of the modified file from the filtered log, generates a separate Rsync command according to the file name and the operation type of the file, and synchronizes only the file that has currently been modified.
The method provided by the embodiment of the present invention has the same implementation principle and technical effect as the foregoing system embodiment. For brevity, where the device embodiment does not mention something, refer to the corresponding content in the foregoing method embodiment.
In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "installed", "connected to" and "connected" are to be interpreted broadly: a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
In the description of the present invention, it should be noted that orientation or positional terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiment, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation; multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit.
If the function is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a processor-executable non-volatile computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes USB flash drives, removable hard disks, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disks, optical discs and other media that can store program code.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate its technical solution and not to limit it, and the protection scope of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the technical field can, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features. Such modifications, changes or substitutions do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and all of them fall within the protection scope of the present invention. Therefore, the protection scope of the present invention is defined by the scope of the claims.

Claims (10)

  1. A tamper recovery method based on Rsync, characterized by comprising:
    a monitoring client monitoring a target operation event, wherein the target operation event is an event in which a file in the operating system to be monitored has a relevant operation performed on it;
    the monitoring client obtaining a file tamper log based on the target operation event it has monitored, wherein the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process;
    the monitoring client generating an Rsync instruction based on the file tamper log, so that a backup end recovers the modified file according to the Rsync instruction.
  2. The method according to claim 1, characterized in that the monitoring client generating an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction, comprises:
    filtering the file tamper log to obtain a target log, wherein the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client;
    generating the Rsync instruction based on the target log.
  3. The method according to claim 2, characterized in that generating the Rsync instruction based on the target log comprises:
    extracting the name of the target file from the target log;
    generating the Rsync instruction according to the name of the target file and the operation type of the target file, wherein the operation type includes at least one of: create, delete, modify and rename.
  4. The method according to claim 1, characterized in that the monitoring client monitoring a target operation event comprises:
    the monitoring client monitoring a protected path to detect whether the files under the protected path have changed,
    wherein, if a change is detected, it is determined that the target operation event has been monitored.
  5. The method according to any one of claims 1 to 4, characterized in that the monitoring client monitoring a target operation event further comprises:
    the monitoring client monitoring the target operation event through a hook function, wherein the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
  6. A tamper recovery system based on Rsync, characterized by comprising: a center end, a monitoring client and a backup end, wherein the center end, the monitoring client and the backup end are connected to one another in pairs;
    the center end is used to perform the relevant configuration of the monitoring client and of the backup end respectively;
    the monitoring client is used to monitor a target operation event, wherein the target operation event is an event in which a file in the operating system to be monitored has a relevant operation performed on it; to obtain a file tamper log based on the target operation event it has monitored, wherein the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; and to generate an Rsync instruction based on the file tamper log;
    the backup end is used to recover the modified file according to the Rsync instruction.
  7. The system according to claim 6, characterized in that the monitoring client comprises:
    a driver monitoring module, used to obtain the file tamper log;
    a log acquisition module, used to filter the file tamper log to obtain a target log, wherein the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client;
    a file recovery module, used to generate the Rsync instruction based on the target log.
  8. The system according to claim 7, characterized in that the file recovery module is further used to:
    extract the name of the target file from the target log;
    generate the Rsync instruction according to the name of the target file and the operation type of the target file, wherein the operation type includes at least one of: create, delete, modify and rename.
  9. The system according to claim 7, characterized in that the driver monitoring module obtaining the file tamper log comprises:
    the driver monitoring module monitoring a protected path to detect whether the files under the protected path have changed,
    wherein, if a change is detected, it is determined that the target operation event has been monitored.
  10. The system according to claim 7, characterized in that the driver monitoring module obtaining the file tamper log further comprises:
    the driver monitoring module monitoring the target operation event through a hook function, wherein the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
CN201710975111.8A 2017-10-19 2017-10-19 Tamper recovery method and system based on Rsync Pending CN107634968A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710975111.8A CN107634968A (en) 2017-10-19 2017-10-19 Tamper recovery method and system based on Rsync

Publications (1)

Publication Number Publication Date
CN107634968A true CN107634968A (en) 2018-01-26

Family

ID=61103447

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710975111.8A Pending CN107634968A (en) 2017-10-19 2017-10-19 Tamper recovery method and system based on Rsync

Country Status (1)

Country Link
CN (1) CN107634968A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180126