CN107634968A - Tamper recovery method and system based on Rsync - Google Patents
- Publication number
- CN107634968A CN201710975111.8A
- Authority
- CN
- China
- Prior art keywords
- file
- rsync
- monitoring end
- log
- target operation
- Legal status
- Pending
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a tamper recovery method and system based on Rsync, relating to the technical field of network security. The method includes: a monitoring end listens for a target operation event, where the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; the monitoring end obtains a file tamper log based on the target operation event it has heard, where the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction. The invention alleviates the technical problem in the prior art that recovery efficiency is low when a large amount of data is recovered.
Description
Technical field
The present invention relates to the technical field of network security, and more particularly to a tamper recovery method and system based on Rsync.
Background
Rsync is an open-source, fast, multi-functional tool that can perform full and incremental synchronization and backup of local or remote data.
In the prior art, Rsync-based anti-tamper schemes include the following two: 1. polling at regular intervals and performing a periodic full synchronization of the protected path; 2. monitoring the files on the protected path with a file monitoring program such as inotify, and pulling the file from the backup end if a file on the protected path changes. Also in the prior art, an anti-tamper scheme based on driver-layer file monitoring first specifies a whitelist of processes that may modify files, monitors file change events at the driver layer, and then blocks processes outside the whitelist; it is a form of prevention before tampering.
Having Rsync synchronize the protected path directly has the following problem: synchronizing folders that contain many files, or relatively large files, takes too long. For example, on a 100G website, synchronizing a single file may take more than 10 minutes. Before synchronizing, Rsync needs to compare and verify all the protected files in order to locate the files that need to be synchronized, so tampered files are recovered too slowly and wrong files remain in the protected path for a long time.
A monitoring program such as inotify listens only for file modification events and triggers a synchronization each time one is heard, which has the following problem: when synchronizing a file, Rsync first synchronizes the remote file into a local temporary file; once synchronization is complete, it overwrites the modified local file with the temporary file, and after the overwrite it deletes the temporary file. Every file synchronization therefore produces new synchronization events, which seriously interferes with the monitoring program and can even cause an endless synchronization loop. Driver-layer file monitoring, which blocks according to a whitelist to prevent tampering, has the following problem: the scheme carries a security risk, because a whitelisted process may be exploited by an attacker, so that a file cannot be recovered after it has been tampered with, a situation that has occurred in users' actual use.
Summary of the invention
In view of this, an object of the present invention is to provide a tamper recovery method and system based on Rsync, to alleviate the technical problem in the prior art that recovery efficiency is low when a large amount of data is recovered.
In a first aspect, an embodiment of the present invention provides a tamper recovery method based on Rsync, including: a monitoring end listens for a target operation event, where the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; the monitoring end obtains a file tamper log based on the target operation event it has heard, where the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction.
Further, the monitoring end generating an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction, includes: filtering the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring end; and generating the Rsync instruction based on the target log.
Further, generating the Rsync instruction based on the target log includes: extracting the name of the target file from the target log; and generating the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
Further, the monitoring end listening for a target operation event includes: the monitoring end monitors a protected path to listen for whether a file under the protected path has changed, where, if a change is heard, it is determined that the target operation event has been heard.
Further, the monitoring end listening for a target operation event also includes: the monitoring end listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
In a second aspect, an embodiment of the present invention also provides a tamper recovery system based on Rsync, including: a central end, a monitoring end and a backup end, where the central end, the monitoring end and the backup end are connected to one another in pairs. The central end is used to perform the related configuration of the monitoring end and of the backup end respectively. The monitoring end is used to listen for a target operation event, where the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; to obtain a file tamper log based on the target operation event it has heard, where the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; and to generate an Rsync instruction based on the file tamper log. The backup end is used to recover the modified file according to the Rsync instruction.
Further, the monitoring end includes: a driver monitoring module, used to obtain the file tamper log; a log acquisition module, used to filter the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring end; and a file recovery module, used to generate the Rsync instruction based on the target log.
Further, the file recovery module is also used to: extract the name of the target file from the target log; and generate the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
Further, the driver monitoring module obtaining the file tamper log includes: the driver monitoring module monitors the protected path to listen for whether a file under the protected path has changed, where, if a change is heard, it is determined that the target operation event has been heard.
Further, the driver monitoring module obtaining the file tamper log also includes: the driver monitoring module listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
In the embodiments of the present invention, the monitoring end first listens for a target operation event; then the monitoring end obtains a file tamper log based on the target operation event it has heard; finally, the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction. In the embodiments of the present invention, once the collected file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the currently modified file is then synchronized and updated. This improves the efficiency of data recovery, alleviates the technical problem in the prior art that recovery efficiency is low when a large amount of data is recovered, and achieves the technical effect of efficiently synchronizing and recovering the data to be recovered.
Other features and advantages of the present invention will be set forth in the following description, and in part will become apparent from the description or be understood by practicing the invention. The objects and other advantages of the invention are realized and obtained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention more apparent and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the accompanying drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a tamper recovery system based on Rsync according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a monitoring end according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the communication process between a log acquisition module and a driver monitoring module according to an embodiment of the present invention;
Fig. 4 is a flow chart of a tamper recovery method based on Rsync according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of configuring a backup end according to an embodiment of the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment one:
According to an embodiment of the present invention, an embodiment of a tamper recovery system based on Rsync is provided.
Fig. 1 is a schematic diagram of a tamper recovery system based on Rsync according to an embodiment of the present invention. As shown in Fig. 1, the system includes: a central end 10, a monitoring end 20 and a backup end 30, where the central end 10, the monitoring end 20 and the backup end 30 are connected to one another in pairs.
The central end 10 is used to perform the related configuration of the monitoring end and of the backup end respectively; as shown in Fig. 1, this includes setting the tamper recovery rules of the monitoring end and configuring the Rsync server at the backup end.
The monitoring end 20 is used to listen for a target operation event, where the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; to obtain a file tamper log based on the target operation event it has heard, where the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; and to generate an Rsync instruction based on the file tamper log.
The backup end 30 is used to recover the modified file according to the Rsync instruction.
Specifically, the embodiment of the present invention includes a central end 10, a monitoring end 20 and a backup end 30. As shown in Fig. 1, the central end 10, the monitoring end 20 and the backup end 30 are connected to one another in pairs, where a C/S architecture is used between the central end 10 and the backup end 30. The central end 10 and the monitoring end 20, and the central end 10 and the backup end 30, communicate using the HTTP protocol over SSL, and the communicated data is encrypted and decrypted using the RC4 method.
In the embodiments of the present invention, the monitoring end first listens for a target operation event; then the monitoring end obtains a file tamper log based on the target operation event it has heard; finally, the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction. In the embodiments of the present invention, once the collected file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the currently modified file is then synchronized and updated. This improves the efficiency of data recovery, alleviates the technical problem in the prior art that recovery efficiency is low when a large amount of data is recovered, and achieves the technical effect of efficiently synchronizing and recovering the data to be recovered.
In the embodiment of the present invention, the central end 10 includes a monitoring end management module, a backup end management module, a monitoring end tamper recovery rule setting module, and a backup end backup service configuration module.
The monitoring end management module is used to configure the monitoring end 20 and to store the configuration information of the monitoring end 20 in a database. The backup end management module is used to configure the backup end 30 and to store the configuration information of the backup end 30 in the database. The monitoring end tamper recovery rule setting module is used to configure the save path and the backup path and to store them in the database; the central end 10 issues them to the monitoring end 20, so that the monitoring end 20 reads the above information and notifies the driver layer and the application layer to update the protected path. The backup end backup service configuration module is used to configure information such as the installation path, backup port and backup path of the Rsync server at the backup end. The central end issues the above backup information to the backup end; the backup end reads the information and updates the related configuration of the Rsync server.
In an optional embodiment, as shown in Fig. 2, the monitoring end 20 includes: a driver monitoring module 21, a log acquisition module 22 and a file recovery module 23.
The driver monitoring module is used to obtain the file tamper log. Optionally, the driver monitoring module listens for the target operation event through a hook function, where the hook function is a function added in advance at the application layer of the file system filter driver of the operating system.
The driver monitoring module obtaining the file tamper log includes: the driver monitoring module monitors the protected path to listen for whether a file under the protected path has changed, where, if a change is heard, it is determined that the target operation event has been heard.
In the embodiment of the present invention, the driver monitoring module 21 adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After the hook function has obtained the modification performed on the file, the full path of the process that modified the file and the parent process of that process, it sends the corresponding file tamper log to the log acquisition module 22.
The log acquisition module is used to filter the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring end.
In the embodiment of the present invention, the log acquisition module communicates with the driver monitoring module through a pipe. After receiving the file tamper log from the driver layer, it first filters out the logs in which the full path of the modifying process is the Rsync under the monitoring end's installation path and the parent process path is the process to which the file recovery module belongs, and then forwards the remaining logs (that is, the target log) to the file recovery module in real time.
The file recovery module is used to generate the Rsync instruction based on the target log.
In the embodiment of the present invention, Fig. 3 is a schematic diagram of the communication process between the log acquisition module and the driver monitoring module. As shown in Fig. 3, the driver monitoring module first creates a socket through netlink_kernel_create() and specifies the receive function; then the log acquisition module creates a socket through a user-space process and sends the process ID to kernel space; finally, the driver monitoring module receives the user-space process ID through the receive function. At this point, the driver monitoring module and the log acquisition module can communicate.
In another optional embodiment of the present invention, the file recovery module is also used to: extract the name of the target file from the target log; and generate the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
In the embodiment of the present invention, the file recovery module extracts the name of the modified target file from the file tamper log and generates a separate Rsync command according to the file name of the target file and the operation type of the target file.
The operation types of the target file are add, delete, modify and rename. When the operation type is add or modify, Rsync synchronizes only the target file currently being added or modified; when the operation type is delete or rename, Rsync synchronizes only the upper-level folder of the target file currently being added or modified.
Embodiment two:
According to an embodiment of the present invention, an embodiment of a tamper recovery method based on Rsync is provided.
Fig. 4 is a flow chart of a tamper recovery method based on Rsync according to an embodiment of the present invention. As shown in Fig. 4, the method includes the following steps:
Step S102: the monitoring end listens for a target operation event, where the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored;
Step S104: the monitoring end obtains a file tamper log based on the target operation event it has heard, where the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process;
Step S106: the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction.
It should be noted that the monitoring end and the backup end described in this embodiment are the same as the monitoring end and the backup end described in Embodiment one above, and are not described again here.
In the embodiments of the present invention, the monitoring end first listens for a target operation event; then the monitoring end obtains a file tamper log based on the target operation event it has heard; finally, the monitoring end generates an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction. In the embodiments of the present invention, once the collected file tamper log shows that a file has been tampered with, an Rsync instruction can be generated from the file tamper log, and only the currently modified file is then synchronized and updated. This improves the efficiency of data recovery, alleviates the technical problem in the prior art that recovery efficiency is low when a large amount of data is recovered, and achieves the technical effect of efficiently synchronizing and recovering the data to be recovered.
In an optional embodiment of the present invention, the monitoring end generating an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction, includes the following process:
filtering the file tamper log to obtain a target log, where the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring end;
generating the Rsync instruction based on the target log.
In the embodiment of the present invention, the log acquisition module in the monitoring end communicates with the driver monitoring module through a pipe. After receiving the file tamper log from the driver layer, it first filters out the logs in which the full path of the modifying process is the Rsync under the monitoring end's installation path and the parent process path is the process to which the file recovery module belongs, and then forwards the remaining logs (that is, the target log) to the file recovery module of the monitoring end in real time, so that the file recovery module generates the Rsync instruction based on the target log.
In an optional embodiment of the present invention, generating the Rsync instruction based on the target log includes the following process:
extracting the name of the target file from the target log;
generating the Rsync instruction according to the name of the target file and the operation type of the target file, where the operation type includes at least one of: add, delete, modify and rename.
In the embodiment of the present invention, the file recovery module extracts the name of the modified target file from the file tamper log and generates a separate Rsync command according to the file name of the target file and the operation type of the target file.
The operation types of the target file are add, delete, modify and rename. When the operation type is add or modify, Rsync synchronizes only the target file currently being added or modified; when the operation type is delete or rename, Rsync synchronizes only the upper-level folder of the file currently being added or modified.
In an optional embodiment of the present invention, the monitoring end listening for a target operation event includes the following process:
the monitoring end monitors the protected path to listen for whether a file under the protected path has changed,
where, if a change is heard, it is determined that the target operation event has been heard.
The monitoring end listening for a target operation event also includes: the monitoring end listens for the target operation event through a hook function, where the hook function is added in advance at the application layer of the file system filter driver of the operating system.
In the embodiment of the present invention, the driver monitoring module of the monitoring end adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After the hook function has obtained the modification performed on the file, the full path of the process that modified the file and the parent process of that process, it sends the corresponding file tamper log to the log acquisition module.
Embodiment one and Embodiment two above are illustrated below with a specific example.
Assume the monitoring end is HOST-A, with protected path /opt/web;
Assume the backup end is HOST-B, with backup path /opt/website;
The central end configures the backup path of the backup end in the manner shown in Fig. 5. The central end is also used to configure the protected path of the monitoring end.
The monitoring end monitors the protected path. For example, if the file /opt/web/test/1.sh on the monitoring end is modified, the operating process is Rsync, and the parent process is not the protection program of the monitoring end, then this file modification is an illegal modification and the file 1.sh needs to be recovered. The file recovery module of the monitoring end calls the Rsync client to execute the synchronization command:
rsync [OPTION...] rsync://[USER@]HOST-B[:873]/push_cms/test/1.sh /opt/web/test/1.sh
When the whole protected path is synchronized instead, the synchronization command is:
rsync [OPTION...] rsync://[USER@]HOST-B[:873]/push_cms/ /opt/web/
In this way, when only the current file is synchronized, Rsync only needs to compare and verify the currently modified file and finds the differences promptly, achieving the effect of real-time updating.
Modification events for some Rsync temporary files are produced during synchronization. In that case the modifying process is Rsync and the parent process is the protection program of the monitoring end, so such file modifications are legitimate; such logs are filtered out and do not trigger file synchronization.
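The log filtering and per-operation command generation described above, as an added example that is not part of the patent text. The record fields, the two program paths (RSYNC_BIN, RECOVERY_PROC), the fixed port in BACKUP_URL and the choice of the `-a` and `--delete` options are assumptions of this example; the host, module name and protected path are taken from the worked example above. It also rejects paths that resolve outside the protected path and builds each command as an argument list, so a file name in a log entry is never interpreted by a shell.

```python
import posixpath
import shlex
from dataclasses import dataclass

# Assumed deployment values. Host, module and protected path mirror the worked
# example in the text; the two program paths are hypothetical.
PROTECTED_ROOT = "/opt/web"
BACKUP_URL = "rsync://HOST-B:873/push_cms"
RSYNC_BIN = "/opt/monitor/bin/rsync"         # Rsync under the monitoring end's install path
RECOVERY_PROC = "/opt/monitor/bin/recoverd"  # process of the file recovery module


@dataclass(frozen=True)
class TamperLog:
    path: str     # name of the modified file
    op: str       # "create", "modify", "delete" or "rename"
    process: str  # full path of the modifying process
    parent: str   # full path of its parent process


def is_self_generated(log):
    """True for events caused by the recovery module's own Rsync run
    (temporary file writes and the final overwrite). Both the process path
    and the parent must match, so another rsync binary, or the same binary
    started from a shell, is still treated as tampering."""
    return log.process == RSYNC_BIN and log.parent == RECOVERY_PROC


def relative_to_root(path):
    """Path relative to PROTECTED_ROOT, or None if it resolves outside it."""
    norm = posixpath.normpath(path)
    if norm == PROTECTED_ROOT:
        return ""
    if not norm.startswith(PROTECTED_ROOT + "/"):
        return None
    return norm[len(PROTECTED_ROOT) + 1:]


def build_rsync_argv(log):
    """Build one Rsync command (an argv list, never a shell string) for a
    target log entry, or return None if the entry must not trigger a sync."""
    rel = relative_to_root(log.path)
    if not rel or log.op not in ("create", "modify", "delete", "rename"):
        return None
    if log.op in ("create", "modify"):
        # Added or modified: synchronize only that file.
        return [RSYNC_BIN, "-a", f"{BACKUP_URL}/{rel}", f"{PROTECTED_ROOT}/{rel}"]
    # Deleted or renamed: synchronize the upper-level folder.
    parent = posixpath.dirname(rel)
    suffix = f"/{parent}/" if parent else "/"
    return [RSYNC_BIN, "-a", "--delete", BACKUP_URL + suffix, PROTECTED_ROOT + suffix]


def plan_recovery(logs):
    """Filter the tamper log down to the target log and return the
    de-duplicated Rsync commands in first-seen order."""
    plan = {}
    for log in logs:
        if is_self_generated(log):
            continue
        argv = build_rsync_argv(log)
        if argv is not None:
            plan.setdefault(tuple(argv), argv)
    return list(plan.values())


# Constructed sample tamper log (not real data).
SAMPLE_LOGS = [
    TamperLog("/opt/web/test/1.sh", "modify", "/usr/bin/vim", "/bin/bash"),
    # Events produced by the recovery run itself: filtered, so no sync loop.
    TamperLog("/opt/web/test/.1.sh.Ab12Cd", "create", RSYNC_BIN, RECOVERY_PROC),
    TamperLog("/opt/web/test/1.sh", "modify", RSYNC_BIN, RECOVERY_PROC),
    TamperLog("/opt/web/img/logo.png", "delete", "/bin/rm", "/bin/bash"),
    # An rsync process whose parent is not the protection program is tampering.
    TamperLog("/opt/web/test/1.sh", "modify", "/usr/bin/rsync", "/bin/bash"),
    # Resolves outside the protected path: never turned into a command.
    TamperLog("/opt/web/../../etc/passwd", "modify", "/bin/sh", "/bin/bash"),
]

if __name__ == "__main__":
    for argv in plan_recovery(SAMPLE_LOGS):
        print(shlex.join(argv))
```
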
Compared with the prior art, the present invention has the following advantages:
1. The driver monitoring module adds a hook function at the application layer of the file system filter driver in the operating system, and the hook function is triggered whenever any operation is performed on a file in the operating system. After the hook function has obtained the modification performed on the file, the full path of the process that modified the file and the parent process of that process, it sends the corresponding tamper log to the log acquisition module.
2. The log acquisition module communicates with the underlying file system filter driver through a pipe. After obtaining the tamper log, it first filters out the logs in which the full path of the modifying process is the Rsync process path called by the file recovery module and the parent process path is the process to which the file recovery module belongs, and then sends the filtered logs to the file recovery module in real time.
3. After receiving the driver-layer tamper log, the file recovery module extracts the name of the modified file from the filtered log, generates a separate Rsync command according to the file name and the operation type of the file, and synchronizes only the currently modified file.
The method provided by the embodiments of the present invention has the same implementation principle and technical effects as the foregoing system embodiment. For brevity, for anything not mentioned in the device embodiment part, refer to the corresponding content in the foregoing method embodiment.
In addition, in the description of the embodiment of the present invention, unless otherwise clearly defined and limited, term " installation ", " phase
Even ", " connection " should be interpreted broadly, for example, it may be being fixedly connected or being detachably connected, or be integrally connected;Can
To be mechanical connection or electrical connection;Can be joined directly together, can also be indirectly connected by intermediary, Ke Yishi
The connection of two element internals.For the ordinary skill in the art, with concrete condition above-mentioned term can be understood at this
Concrete meaning in invention.
In the description of the present invention, it should be noted that the orientations or positional relationships indicated by terms such as "center", "up", "down", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they therefore should not be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and should not be understood as indicating or implying relative importance.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation. As another example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a processor-executable non-volatile computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate its technical solutions rather than to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent substitutions for some of the technical features. Such modifications, changes or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
- 1. A tamper recovery method based on Rsync, characterized by comprising: a monitoring client monitors a target operation event, wherein the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; the monitoring client obtains a file tamper log based on the monitored target operation event, wherein the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; the monitoring client generates an Rsync instruction based on the file tamper log, so that a backup end recovers the modified file according to the Rsync instruction.
- 2. The method according to claim 1, characterized in that the monitoring client generating an Rsync instruction based on the file tamper log, so that the backup end recovers the modified file according to the Rsync instruction, comprises: filtering the file tamper log to obtain a target log, wherein the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client; generating the Rsync instruction based on the target log.
- 3. The method according to claim 2, characterized in that generating the Rsync instruction based on the target log comprises: extracting the name of the target file from the target log; generating the Rsync instruction according to the name of the target file and the operation type of the target file, wherein the operation type includes at least one of: add, delete, modify and rename.
- 4. The method according to claim 1, characterized in that the monitoring client monitoring a target operation event comprises: the monitoring client monitors a protected path to detect whether a file under the protected path has changed, wherein, if a change is detected, it is determined that the target operation event has been monitored.
- 5. The method according to any one of claims 1 to 4, characterized in that the monitoring client monitoring a target operation event further comprises: the monitoring client monitors the target operation event through a hook function, wherein the hook function is a function added in advance in the application layer of the file system filter driver of the operating system.
- 6. A tamper recovery system based on Rsync, characterized by comprising: a center end, a monitoring client and a backup end, wherein the center end, the monitoring client and the backup end are connected to one another in pairs; the center end is used to perform related configuration on the monitoring client and the backup end respectively; the monitoring client is used to monitor a target operation event, wherein the target operation event is an event in which a related operation is performed on a file in the operating system to be monitored; to obtain a file tamper log based on the monitored target operation event, wherein the file tamper log includes at least one of: the name of the modified file, the process that modified the modified file, and the parent process of that process; and to generate an Rsync instruction based on the file tamper log; the backup end is used to recover the modified file according to the Rsync instruction.
- 7. The system according to claim 6, characterized in that the monitoring client comprises: a driver monitoring module, used to obtain the file tamper log; a log acquisition module, used to filter the file tamper log to obtain a target log, wherein the target log includes at least one of: the name of the modified target file, the target process that modified the target file, and the parent process of the target process, the parent process of the target process not being the protection program of the monitoring client; a file recovery module, used to generate the Rsync instruction based on the target log.
- 8. The system according to claim 7, characterized in that the file recovery module is further used to: extract the name of the target file from the target log; generate the Rsync instruction according to the name of the target file and the operation type of the target file, wherein the operation type includes at least one of: add, delete, modify and rename.
- 9. The system according to claim 7, characterized in that the driver monitoring module obtaining the file tamper log comprises: the driver monitoring module monitors a protected path to detect whether a file under the protected path has changed, wherein, if a change is detected, it is determined that the target operation event has been monitored.
- 10. The system according to claim 7, characterized in that the driver monitoring module obtaining the file tamper log further comprises: the driver monitoring module monitors the target operation event through a hook function, wherein the hook function is a function added in advance in the application layer of the file system filter driver of the operating system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710975111.8A CN107634968A (en) | 2017-10-19 | 2017-10-19 | Tamper recovery method and system based on Rsync |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107634968A (en) | 2018-01-26 |
Family
ID=61103447
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710975111.8A Pending CN107634968A (en) | 2017-10-19 | 2017-10-19 | Tamper recovery method and system based on Rsync |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107634968A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102457567A (en) * | 2010-11-08 | 2012-05-16 | 中标软件有限公司 | Mirror image backup/recovery method and tool of web management mode |
CN102541685A (en) * | 2011-11-16 | 2012-07-04 | 中标软件有限公司 | Linux system backup method and Linux system repair method |
CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
CN104850802A (en) * | 2015-05-12 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | Method for monitoring file change under linux and ensuring data not to be tampered |
CN105389507A (en) * | 2015-11-13 | 2016-03-09 | 小米科技有限责任公司 | Method and apparatus for monitoring files of system partition |
CN106446718A (en) * | 2016-09-13 | 2017-02-22 | 郑州云海信息技术有限公司 | File protection method and system based on event-driven mechanism |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109783316A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | The recognition methods and device, storage medium, computer equipment of system security log tampering |
CN109783316B (en) * | 2018-12-29 | 2022-07-05 | 奇安信安全技术(珠海)有限公司 | Method and device for identifying tampering behavior of system security log, storage medium and computer equipment |
CN110120983A (en) * | 2019-06-14 | 2019-08-13 | 浪潮软件集团有限公司 | The method and system of SVN real-time synchronization backup is realized based on inotify and rsync automation installation and deployment |
CN111949978A (en) * | 2020-08-14 | 2020-11-17 | 南京星邺汇捷网络科技有限公司 | File tamper-proofing method and system based on Linux kernel notification chain technology |
CN111949978B (en) * | 2020-08-14 | 2023-11-24 | 南京星邺汇捷网络科技有限公司 | File tamper-proof method and system based on Linux kernel notification chain technology |
CN113987469A (en) * | 2021-10-26 | 2022-01-28 | 山西大鲲智联科技有限公司 | Process protection method and device applied to vehicle machine system and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180126 |