CN111404889A - Auditing method and device and client - Google Patents
Publication number: CN111404889A (application CN202010147638.3A)
Authority: CN (China)
Legal status: Granted
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G06F21/602—Providing cryptographic facilities or services
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G06F2221/2107—File encryption
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The embodiment of the invention relates to the technical field of computers, and discloses an auditing method, an auditing device and a client. The auditing method comprises the steps of receiving interactive data input by a user and judging whether the interactive data is a command end symbol; if the interactive data is not the command end character, sending the interactive data to the server; if the interactive data is the command end symbol, obtaining an operation command according to the received interactive data; judging whether the operation command is matched with a preset dangerous command condition or not; and if the operating command is matched with the dangerous command condition, sending an interrupt command for blocking the execution of the operating command to the server so as to block the server from executing the operating command. The invention can audit the operation command input by the user in real time, and can complete blocking before the server executes the operation command with risk, thereby preventing accidents from happening in advance and ensuring the safety of data on the server.
Description
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an auditing method and device and a client.
Background
Computer network security audit refers to the process of finding system bugs and intrusion behavior, or of improving system performance, by checking, examining and verifying the environment and activities of operational events against a certain security policy, using information such as records, system activities and user activities. In the prior art, the data stored on a server or in an operating system is more and more important for a large-scale internet enterprise, while human misoperation of computers is one of the main causes of production accidents. The current way of auditing and tracing production accidents is generally post-audit: the source of the problem is found only after the accident has happened.
The inventor finds that at least the following problem exists in the prior art: the existing auditing mode cannot prevent accidents from happening in time, and by the time the source of a fault is found the equipment has already been catastrophically damaged or data lost, causing irreparable loss.
Disclosure of Invention
The invention aims to provide an auditing method, an auditing device and a client, which can audit an operation command input by a user in real time, complete blocking before the server executes the operation command with risk, prevent accidents from happening in advance and ensure the safety of data on the server.
In order to solve the above technical problem, an embodiment of the present invention provides an auditing method applied to a client, where the method includes the following steps: receiving interactive data input by a user, and judging whether the interactive data is a command end symbol; if the interactive data is not the command end character, sending the interactive data to the server; if the interactive data is the command end symbol, obtaining an operation command according to the received interactive data; judging whether the operation command is matched with a preset dangerous command condition or not; and if the operating command is matched with the dangerous command condition, sending an interrupt command for blocking the execution of the operating command to the server so as to block the server from executing the operating command.
The embodiment of the invention also provides an auditing device, which comprises: the command acquisition module is used for receiving the interactive data input by the user and sending the interactive data to the server when the interactive data is not a command end symbol; the command acquisition module is also used for obtaining an operation command according to the received interactive data when the interactive data is a command end character; the audit module is used for judging whether the operation command is matched with a preset dangerous command condition; and the sending module is used for sending an interrupt command for blocking the execution of the operation command to the server so as to block the server from executing the operation command when the operation command is matched with the dangerous command condition.
An embodiment of the present invention further provides a client, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the auditing method described above.
Compared with the prior art, this implementation modifies the client. When the client receives interactive data input by the user, it first judges whether the interactive data is a command end symbol; if not, it sends the data to the server. If the interactive data is a command end symbol, the client obtains an operation command from the interactive data received so far and judges whether the operation command matches a preset dangerous command condition, that is, it audits whether the operation command carries a risk. If the operation command matches the dangerous command condition, the audit has found a risk and the server must not execute the command, so the client sends the server an interrupt command that blocks execution of the operation command. The method can thus audit the operation commands input by the user in real time and complete the blocking before the server executes a risky operation command, preventing accidents in advance and guaranteeing the safety of data on the server. Meanwhile, the auditing process is transparent to the user: the interactive data input by the user is not modified, and the interaction between the client and the server is not affected.
In addition, the hazard command condition includes at least one regular expression; judging whether the operation command is matched with a preset dangerous command condition or not, wherein the judging step comprises the following steps: judging whether the operation command is matched with any regular expression or not; and if the operation command is matched with any regular expression, judging that the operation command is matched with the dangerous command condition. The embodiment provides a specific embodiment for judging whether the operation command is matched with the preset dangerous command condition.
In addition, the dangerous command condition also comprises target objects which are in one-to-one correspondence with the regular expressions; after the operation command is judged to be matched with any regular expression, the method further comprises the following steps: judging whether the client is matched with a target object corresponding to any regular expression; and if the client side is matched with the target object corresponding to any regular expression, judging that the operation command is matched with the dangerous command condition. In the embodiment, the real-time auditing of the target objects with different granularities is realized.
In addition, after receiving the interaction data input by the user, the method further comprises the following steps: judging whether the received interactive data is command data; if the interactive data is command data, the step of judging whether the interactive data is a command end character is carried out. In this embodiment, a large amount of interactive process data belonging to non-command data can be excluded, and only the operation command composed of the interactive data belonging to the command data can be determined.
In addition, before sending the interactive data to the server, the method further comprises: judging whether the command data is a command character; if the command data is a command character, setting a state flag bit corresponding to the command data; after sending the interaction data to the server, the method further comprises: receiving returned data corresponding to the command data returned by the server; obtaining an operation command according to the received interactive data, wherein the operation command comprises: and obtaining the operation command according to the interactive data, the status flag bit corresponding to each command data and the return data corresponding to each command data. In this embodiment, the interactive data can be complemented by combining the return data of the server to obtain the operation command.
In addition, before sending the interactive data to the server, the method further comprises: recording cursor information corresponding to the interactive data; obtaining an operation command according to the received interactive data, wherein the operation command comprises: and obtaining an operation command according to the received interactive data and the cursor information corresponding to each interactive data. In the embodiment, the cursor information of the interactive data is recorded, and the cursor information can simulate the position of the cursor, so that when the operation command is obtained, the position of the interactive data can be combined, so that when the user moves the cursor to input, the position of each interactive data can be accurately obtained, and the accurate operation command can be obtained.
In addition, after the operation command is judged to be matched with the dangerous command condition, the method further comprises the following steps: judging whether the client is in a monitoring mode; if the client is in the monitoring mode, sending a command end symbol to the server; if the client is in the non-monitoring mode, the step of sending an interrupt command for blocking the execution of the operation command to the server is entered. In the embodiment, the monitoring mode is preset in the client, so that the condition of the dangerous command is adjusted manually through the judgment result of the operation command in the monitoring mode, and the error blocking is avoided to a certain extent.
In addition, the method further comprises: forming a command log corresponding to the operation command according to a preset format; the command log is stored locally. In the embodiment, the operation command received by the client is recorded in real time, so that the received operation command can be traced and audited conveniently.
In addition, before storing the command log locally, the method further comprises the following steps: judging whether a key file exists in the client; if the client side has the key file, encrypting the command log according to the key file; storing the command log locally, including: and storing the encrypted command log locally. In the embodiment, the command log can be stored according to the key file in the client, so that the safety of the content of the command log is improved.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
FIG. 1 is a detailed flow diagram of an auditing method according to a first embodiment of the invention;
FIG. 2 is a detailed flow diagram of an auditing method according to a second embodiment of the invention;
FIG. 3 is a detailed flow diagram of an auditing method according to a third embodiment of the present invention;
FIG. 4 is a detailed flow diagram of an auditing method according to a fourth embodiment of the present invention;
FIG. 5 is a detailed flow diagram of an auditing method according to a fifth embodiment of the present invention;
FIG. 6 is a detailed flow diagram of an auditing method according to a sixth embodiment of the invention;
FIG. 7 is a block schematic diagram of an auditing apparatus according to a seventh embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
The first embodiment of the invention relates to an auditing method, which is applied to a client, wherein the client can be an SSH client which is in communication connection with a remote server, and a user can control the remote server through the SSH client to perform command and data interaction with the remote server.
Fig. 1 shows a specific flow of the auditing method according to this embodiment.
Step 101, receiving interactive data input by a user, and judging whether the interactive data is a command end symbol. If not, entering step 102; if yes, go to step 103.
Specifically, a user can input interactive data through an external device connected to the client, such as a mouse, a keyboard and the like, the interactive data includes command data, non-command data and the like, the client can traverse the interactive data input by the user, and the client judges whether the interactive data is a command end symbol when receiving each interactive data input by the user; if the current interactive data is not the command end symbol, it indicates that the user is still inputting interactive data, and step 102 is entered; if the current interactive data is the command end symbol, it indicates that the user input is completed, and step 103 is entered. The command terminator is, for example, ASCII code 13.
Step 103, obtaining an operation command according to the received interactive data.
Specifically, for a complete operation command, which includes a plurality of characters, the client may cache the received interaction data, and assemble an operation command according to the cached interaction data between the previous command end symbol and the current command end symbol.
Step 104, judging whether the operation command is matched with a preset dangerous command condition or not. If yes, go to step 105; if not, go to step 102.
Specifically, the client judges whether the assembled operation command matches a preset dangerous command condition, that is, it audits the operation command. If the operation command matches the preset dangerous command condition, the audit has found that the operation command carries a risk, and the process enters step 105. If the operation command does not match the preset dangerous command condition, the audit has found no risk, and the process enters step 102 to send the interactive data to the server, that is, to send the command end symbol to the server; on receiving the command end symbol the server can assemble the operation command and execute it. The server does not execute the operation command as long as it has not received the command end symbol.
And step 105, sending an interrupt command for blocking the execution of the operation command to the server so as to block the server from executing the operation command.
Specifically, when determining that an operation command input by a user is risky, the client sends an interrupt command for blocking execution of the operation command to a server (i.e., the remote server), and the server does not execute the operation command after receiving the interrupt command; in addition, when the server receives the interrupt command, the server can also clear a plurality of interactive data which are already received and form the operation command.
The following description will be given taking an example in which the operation command X includes four command data of ABCD.
The client receives the four command data A, B, C and D input by the user in sequence and analyzes each one; when a piece of interactive data is analyzed as normal it is sent to the server. At this point the four interactive data A, B, C and D have all been sent to the server, but the server has not received a command end symbol, so operation command X is not executed. When the client receives a command end symbol input by the user, it assembles the four interactive data A, B, C and D into operation command X and judges whether X matches the preset dangerous command condition, that is, it audits whether X carries a risk. If X does not match the preset dangerous command condition, the audit finds no risk and the client sends the command end symbol to the server, so that the server can assemble A, B, C and D into operation command X and execute it. If X does match the preset dangerous command condition, the audit finds that X carries a risk and the client sends an interrupt command to the server; the server then discards the four interactive data A, B, C and D and does not execute operation command X.
Compared with the prior art, this embodiment modifies the client. When the client receives interactive data input by the user, it first judges whether the interactive data is a command end symbol; if not, it sends the data to the server. If the interactive data is a command end symbol, the client obtains an operation command from the interactive data received so far and judges whether the operation command matches a preset dangerous command condition, that is, it audits whether the operation command carries a risk. If the operation command matches the dangerous command condition, the audit has found a risk and the server must not execute the command, so the client sends the server an interrupt command that blocks execution of the operation command. The method can thus audit the operation commands input by the user in real time and complete the blocking before the server executes a risky operation command, preventing accidents in advance and guaranteeing the safety of data on the server. Meanwhile, the auditing process is transparent to the user: the interactive data input by the user is not modified, and the interaction between the client and the server is not affected.
A second embodiment of the invention relates to an auditing method. The second embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: in the second embodiment of the present invention, a specific implementation manner for determining whether the operation command matches with the preset dangerous command condition is provided.
In this embodiment, the dangerous command condition includes at least one regular expression (regular expression). Specifically, a rule base is arranged in the client, and at least one regular expression is preset in the rule base.
In one example, the hazard command condition also includes target objects in one-to-one correspondence with regular expressions. Specifically, each regular expression has a configuration item, the configuration item is used for storing information of a target object corresponding to the regular expression, the target object may be a user, a server, or the like, and the information of the target object may be type information, address information, or the like. At this time, when the client performs auditing, auditing of a specific user or a specific server can be set, so that real-time auditing of target objects with different granularities is realized.
A specific flow of the auditing method of this embodiment is shown in fig. 2.
Steps 201 to 203 are substantially the same as steps 101 to 103, and step 205 is substantially the same as step 105, so they are not described again here; the main difference is that step 204 includes the following sub-steps:
Specifically, a plurality of regular expressions are generally preset in the rule base. After the client obtains an operation command, it audits the command by judging whether any regular expression in the rule base matches it. If one does, the process enters sub-step 2042; if none matches, the operation command carries no risk, and the process enters step 202 to send the interactive data to the server, that is, to send a command end symbol to the server, whereupon the server can assemble and execute the operation command.
In one example, the determination of whether the rule file has been updated can be added before performing sub-step 2041 to determine whether the operation command matches any regular expression, so that the updated regular expression can be updated to the rule base when the rule file is updated.
And substep 2042, determining whether the client is matched with the target object corresponding to any regular expression. If yes, go to step 205; if not, go to step 202.
Specifically, for the regular expression that matched the operation command, the client reads the configuration item of that regular expression to obtain its corresponding target object. Taking type information as the example: if the type of the client is contained in the type information, the client is judged to match the target object corresponding to that regular expression, the audit finds that the operation command carries a risk, and the process enters step 205 to send the server an interrupt command that blocks execution of the operation command. Otherwise the client is judged not to match the target object corresponding to the regular expression, the audit finds no risk, and the process enters step 202 to send the interactive data to the server, that is, to send a command end symbol; on receiving the command end symbol the server can assemble the operation command and execute it.
Compared with the first embodiment, the present embodiment provides a specific implementation manner for determining whether the operation command matches the preset dangerous command condition.
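The client-side flow of the first and second embodiments (caching keystrokes until the command end symbol, matching the assembled command against a rule base of regular expressions with per-rule target objects, and either forwarding the end symbol or sending an interrupt) as an added Python example; this is not code from the patent. The rule base, the client type values, the log format, and the choice of ETX (0x03) as the interrupt command are all assumptions, and the monitoring mode from the disclosure is included as a switch.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

CR = b"\r"            # command end symbol: ASCII 13, as given in the patent text
INTERRUPT = b"\x03"   # assumption: ETX (Ctrl-C) serves as the interrupt command


@dataclass(frozen=True)
class Rule:
    """One rule-base entry: a regular expression plus its configuration item,
    i.e. the target object types it applies to (empty set = every client)."""
    pattern: re.Pattern
    targets: FrozenSet[str] = frozenset()


@dataclass
class AuditingClient:
    rules: List[Rule]
    client_type: str              # this client's target-object information
    monitoring_mode: bool = False
    sent: List[bytes] = field(default_factory=list)   # bytes passed to the server
    log: List[dict] = field(default_factory=list)     # local command log
    _buf: bytearray = field(default_factory=bytearray)

    def match_dangerous(self, command: str) -> Optional[str]:
        """Sub-steps 2041/2042: first regular expression that matches the command
        and whose target object also covers this client; None when not risky."""
        for rule in self.rules:
            if not rule.pattern.search(command):
                continue
            if rule.targets and self.client_type not in rule.targets:
                continue
            return rule.pattern.pattern
        return None

    def feed(self, data: bytes) -> str:
        """Steps 101-105 applied to one unit of interactive data."""
        if data != CR:
            # Not the command end symbol: cache it and pass it through unchanged,
            # so the user sees no difference and the server cannot yet execute.
            self._buf += data
            self.sent.append(data)
            return "forwarded"
        # Command end symbol: assemble everything typed since the previous CR.
        command = self._buf.decode("utf-8", errors="replace")
        self._buf.clear()
        hit = self.match_dangerous(command)
        self.log.append({"command": command, "rule": hit, "blocked": False})
        if hit is None:
            self.sent.append(CR)          # server assembles and executes the command
            return "executed"
        if self.monitoring_mode:
            self.sent.append(CR)          # record the match but do not block
            return "monitored"
        self.log[-1]["blocked"] = True
        self.sent.append(INTERRUPT)       # server discards the cached characters
        return "blocked"


def type_command(client: AuditingClient, text: str) -> str:
    """Feed a command one keystroke at a time, then the command end symbol."""
    for ch in text:
        client.feed(ch.encode())
    return client.feed(CR)


# Constructed sample rule base (not from the patent).
SAMPLE_RULES = [
    Rule(re.compile(r"\brm\s+-\w*r\w*\s+/\s*$")),            # recursive rm of / anywhere
    Rule(re.compile(r"\bshutdown\b"), frozenset({"prod"})),  # only on "prod" clients
]


def demo() -> dict:
    prod = AuditingClient(SAMPLE_RULES, client_type="prod")
    dev = AuditingClient(SAMPLE_RULES, client_type="dev")
    watch = AuditingClient(SAMPLE_RULES, client_type="prod", monitoring_mode=True)
    return {
        "prod_ls": type_command(prod, "ls -la /tmp"),
        "prod_rm_root": type_command(prod, "rm -rf /"),
        "prod_rm_tmp": type_command(prod, "rm -rf /tmp/build"),
        "prod_shutdown": type_command(prod, "shutdown -h now"),
        "dev_shutdown": type_command(dev, "shutdown -h now"),
        "watch_shutdown": type_command(watch, "shutdown -h now"),
        "prod_last_byte": prod.sent[-1],
        "prod_log": prod.log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that every keystroke reaches the server before the decision is made, exactly as in the patent; only the end symbol is withheld, so the server-side shell must really treat the interrupt as discarding its input line for the block to be effective.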
A third embodiment of the present invention relates to an auditing method. The third embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: in the third embodiment of the present invention, non-command data having a large data processing amount among interactive data can be excluded.
A specific flow of the auditing method of this embodiment is shown in fig. 3.
Steps 308 and 309 are substantially the same as steps 104 and 105 and are not described again here; the main differences are as follows:
Specifically, a user may input interactive data through an external device connected to the client, for example a mouse or a keyboard, and the interactive data includes command data, non-command data and the like. The client traverses the interactive data input by the user and, on receiving each item, determines whether it is command data. If it is command data, the process goes to step 302 to determine whether the interactive data is a command end symbol, that is, whether the user has finished entering the command. If it is non-command data, the client ignores the currently input non-command data and sets a state flag bit for it until the non-command data has been processed. For example, when the non-command data contains the string "-- INSERT --", which indicates that the session is currently in a VI/VIM editing state, a state flag bit representing the editing state is set and is cleared only when the editing state is exited. As another example, when the interactive data indicates that an RZ file transfer is in progress, a state flag bit representing the file-transfer state is set and is cleared only when the transfer has finished; the transfer is considered finished when the data returned by the server contains the key string that marks the end of the file transfer.
Specifically, the client determines whether the command data input by the user is a command end symbol. If not, the user is still inputting interactive data and the process proceeds to step 303; if so, the user input is complete and the process proceeds to step 306.
Specifically, command data is either a single character or a command character. A single character is, for example, a, b or c; a command character may be a tab character, an up-arrow character string, a down-arrow character string, and so on. If the command data is determined to be a command character, the process proceeds to step 304; otherwise it proceeds to step 305 and the interactive data is sent to the server.
Specifically, different command characters correspond to different state flag bits. For example, the tab character corresponds to a state flag bit for acquiring a completion command, and the up-arrow and down-arrow character strings correspond to a state flag bit for acquiring a history command. When the tab character is sent to the server, the return data acquired contains the completion of the command the user is currently inputting; when an up-arrow or down-arrow character string is sent to the server, the return data acquired contains the history command the user input previously.
It should be noted that if the command data input by the user is a single character, the interactive data still needs to be sent to the server, but the server returns no corresponding return data in that case.
Step 306: obtain an operation command according to the interactive data, the state flag bit corresponding to each item of command data, and the return data corresponding to each item of command data.
Specifically, taking the complete operation command config as an example, the user inputs the four single characters c, o, n and f in sequence and then presses the tab key. At this point the client sets the current state bit to the state flag bit for acquiring a completion command and sends the tab character to the server; the return data from the server contains the completion command config, and the client completes the operation command config currently being input by the user according to that return data.
Compared with the first embodiment, this embodiment can exclude the non-command data that accounts for a large share of the interactive data to be processed, that is, it excludes the large volume of interactive process data that is not command data and determines the operation command only from the interactive data that is command data.
A fourth embodiment of the present invention relates to an auditing method. The fourth embodiment is substantially the same as the first embodiment and mainly differs from it in that, in the fourth embodiment, cursor information for the interactive data is recorded.
Fig. 4 shows a specific flow of the auditing method according to this embodiment.
Steps 404 and 405 are substantially the same as steps 104 and 105 and are not described again here; the differences are as follows:
Step 402: record the cursor information corresponding to the interactive data, and send the interactive data to the server.
Specifically, when the interactive data input by the user moves characters, such as a backspace character, a delete character or a left/right movement character, the current cursor information is recorded according to the cursor movement; the cursor information is a cursor value that simulates the position of the cursor. If the user inputs an interrupt character, the command cache is cleared and the cursor value is reset to 0. Otherwise, if the user inputs an ordinary single character, the cursor information is updated.
Step 403: obtain an operation command according to the received interactive data and the cursor information corresponding to each item of interactive data.
Specifically, each item of interactive data is spliced in according to its recorded cursor information, which yields a temporary command; when the command end symbol input by the user is received, the current temporary command is the operation command.
Compared with the first embodiment, this embodiment records cursor information for the interactive data, and the cursor information simulates the position of the cursor. The position of each item of interactive data can therefore be taken into account when the operation command is obtained, so that the position of each item is determined accurately even when the user moves the cursor, and an accurate operation command is obtained.
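The following is an added example, not code from the patent, that models the client-side command reassembly of the third and fourth embodiments together: non-command data is skipped while a state flag (VI/VIM editing, rz transfer) is set, tab / up / down set a flag that the server's return data resolves, a simulated cursor value places characters correctly, an interrupt clears the command cache, and the command end symbol yields the operation command. The key sequences, the marker strings and the assumed shape of the server's return data are constructed for the example.

```python
"""Reassemble an operation command from an SSH client's interactive data stream."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed key sequences as seen on the client's input side.
TAB, ENTER, CTRL_C, BACKSPACE, ESC = "\t", "\r", "\x03", "\x7f", "\x1b"
LEFT, RIGHT, UP, DOWN = "\x1b[D", "\x1b[C", "\x1b[A", "\x1b[B"
INSERT_MARK = "-- INSERT --"         # VI/VIM insert-mode indicator in server output
RZ_DONE_MARK = "Transfer complete"   # constructed stand-in for the rz completion string


@dataclass
class CommandAssembler:
    buf: List[str] = field(default_factory=list)   # command cache
    cursor: int = 0                                # simulated cursor value
    editing: bool = False                          # state flag: VI/VIM editing state
    transferring: bool = False                     # state flag: rz file transfer
    flag: Optional[str] = None                     # "completion"/"history" awaiting return data
    commands: List[str] = field(default_factory=list)  # operation commands obtained so far

    def _insert(self, text: str) -> None:
        """Splice characters into the cache at the simulated cursor position."""
        for ch in text:
            self.buf.insert(self.cursor, ch)
            self.cursor += 1

    def on_server_data(self, data: str) -> None:
        """Return data from the server: updates state flags, resolves a pending flag."""
        if INSERT_MARK in data:
            self.editing = True
        if RZ_DONE_MARK in data:
            self.transferring = False
        if self.flag == "completion":
            # Assumption: the server echoes the completion suffix ("ig" for "conf" + TAB).
            self._insert(data.strip())
        elif self.flag == "history":
            # Assumption: the server echoes the recalled history line after redrawing it.
            self.buf = list(data.strip())
            self.cursor = len(self.buf)
        self.flag = None

    def on_user_input(self, data: str) -> Optional[str]:
        """Interactive data from the user; returns the operation command when it ends."""
        if self.transferring:
            return None                      # file-transfer bytes are not command data
        if self.editing:
            if data == ESC:                  # assumption: ESC leaves VI/VIM insert mode
                self.editing = False
            return None                      # editor keystrokes are not command data
        if data == CTRL_C:                   # interrupt: clear the cache, cursor back to 0
            self.buf.clear()
            self.cursor = 0
            self.flag = None
        elif data == ENTER:                  # command end symbol
            command = "".join(self.buf)
            self.buf.clear()
            self.cursor = 0
            if command:
                self.commands.append(command)
            if command.split()[:1] == ["rz"]:
                self.transferring = True     # following bytes belong to the transfer
            return command or None
        elif data == TAB:
            self.flag = "completion"
        elif data in (UP, DOWN):
            self.flag = "history"
        elif data == BACKSPACE:
            if self.cursor > 0:
                self.cursor -= 1
                del self.buf[self.cursor]
        elif data == LEFT:
            self.cursor = max(0, self.cursor - 1)
        elif data == RIGHT:
            self.cursor = min(len(self.buf), self.cursor + 1)
        else:
            self._insert(data)               # ordinary single characters
        return None
```

Feeding the assembler the keystrokes of a session and the server's echoes in arrival order reproduces what the user actually ran, which is what the auditing module then matches against the dangerous command condition.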
A fifth embodiment of the present invention relates to an auditing method. The fifth embodiment is substantially the same as the first embodiment and mainly differs from it in that, in the fifth embodiment, a monitoring mode is added to the client.
Fig. 5 shows a specific flow of the auditing method according to this embodiment.
Specifically, the client may preset a monitoring mode that lasts for a certain duration at the initial stage of operation. In the monitoring mode, if the operation command is determined to match the preset dangerous command condition, the client still sends the command end symbol to the server, and the operation command may be recorded so that whether it is actually risky can be judged manually. If the manual judgment finds the operation command risky, the dangerous command condition does not need to be modified, and once the monitoring mode ends, execution of the operation command is blocked automatically. If the manual judgment finds the operation command free of risk, it can be removed from the dangerous command condition manually.
In this embodiment, the monitoring mode is preset in the client, so that the dangerous command condition is adjusted manually according to the judgment results for operation commands in the monitoring mode, which avoids erroneous blocking to a certain extent.
A sixth embodiment of the present invention relates to an auditing method. The sixth embodiment is substantially the same as the first embodiment and mainly differs from it in that, in the sixth embodiment, the operation commands received by the client are recorded in real time.
Fig. 6 shows a specific flow of the auditing method according to this embodiment.
Steps 601 to 603 are substantially the same as steps 101 to 103, and steps 608 and 609 are substantially the same as steps 104 and 105; they are not repeated here. The main differences are as follows:
Step 604: form a command log corresponding to the operation command according to a preset format.
In one example, after step 604, the method further includes:
Step 606: encrypt the command log according to the key file, and store the encrypted command log locally.
Specifically, after acquiring a complete operation command, the client generates a command log. The command log may be in JSON format and includes the client name, user name, server name, SSH source, server IP and the operation command.
Then the client determines whether a key file exists on the client. If so, it reads the key from the key file, encrypts the command log with that key and stores the encrypted command log locally; if not, it stores the command log file locally directly.
Compared with the first embodiment, this embodiment records the operation commands received by the client in real time, which facilitates backtracking and auditing of the received operation commands.
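The following is an added example, not code from the patent, that models the audit decision and the command log of the fifth and sixth embodiments together with claims 2, 3 and 7: the dangerous command condition is a list of regular expressions, each paired with a target object that must match the client; a match sends the interrupt command instead of the command end symbol, unless the client is in monitoring mode, in which case the end symbol is still sent and the command is recorded for manual review. The rule set, target names and log values are constructed; encryption of the log with the key file (step 606) is not shown.

```python
"""Client-side audit decision and command log for an operation command."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTER, CTRL_C = "\r", "\x03"     # command end symbol and interrupt command


@dataclass(frozen=True)
class DangerRule:
    pattern: str   # regular expression matched against the operation command (claim 2)
    target: str    # target object the rule applies to (claim 3); "*" means every client


# Constructed dangerous command condition for the example.
RULES = [
    DangerRule(r"^\s*rm\s+-\w*r\w*\s+/\s*$", "*"),
    DangerRule(r"^\s*(shutdown|reboot|halt)\b", "prod-db"),
    DangerRule(r"\bmkfs(\.\w+)?\b", "prod-db"),
]


def match_danger(command: str, rules: List[DangerRule],
                 client_target: str) -> Optional[DangerRule]:
    """A regex hit counts only if the client matches the rule's target object."""
    for rule in rules:
        if re.search(rule.pattern, command) and rule.target in ("*", client_target):
            return rule
    return None


def audit(command: str, rules: List[DangerRule], client_target: str,
          monitoring: bool) -> Tuple[str, str]:
    """Returns (action, data to send): 'allow'/'record' send the end symbol, 'block' the interrupt."""
    rule = match_danger(command, rules, client_target)
    if rule is None:
        return "allow", ENTER
    if monitoring:        # monitoring mode: do not block, record for manual judgment
        return "record", ENTER
    return "block", CTRL_C


def make_log(command: str, action: str, *, client_name: str, user_name: str,
             server_name: str, ssh_source: str, server_ip: str) -> str:
    """Step 604: command log in JSON with the fields named in the sixth embodiment."""
    return json.dumps({
        "client_name": client_name, "user_name": user_name, "server_name": server_name,
        "ssh_source": ssh_source, "server_ip": server_ip,
        "command": command, "action": action,
    }, sort_keys=True)
```

Recording the action alongside the command is what makes the monitoring-mode review possible: entries marked record are the candidates for either confirming a rule or removing it from the condition.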
The steps of the above methods are divided as they are for clarity. In implementation they may be combined into one step, or a step may be split into several steps, as long as the same logical relationship is retained; all such variants are within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes, without changing the core design of the algorithms or processes also falls within the scope of this patent.
The seventh embodiment of the invention relates to an auditing device applied to a client. The client may be an SSH client in communication connection with a remote server, through which a user controls the remote server and exchanges commands and data with it. Referring to Fig. 7, the auditing device includes:
the command acquisition module 1, configured to receive the interactive data input by the user and to send the interactive data to the server when the interactive data is not a command end symbol;
the command acquisition module 1, further configured to obtain an operation command according to the received interactive data when the interactive data is a command end symbol;
the auditing module 2, configured to determine whether the operation command matches a preset dangerous command condition; and
the sending module 3, configured to send an interrupt command for blocking execution of the operation command to the server, so as to block the server from executing the operation command, when the operation command matches the dangerous command condition.
Since the first to sixth embodiments correspond to this embodiment, this embodiment can be implemented in cooperation with them. The technical details mentioned in the first to sixth embodiments remain valid in this embodiment, and the technical effects achievable there can also be achieved here; they are not repeated in order to reduce repetition. Correspondingly, the technical details mentioned in this embodiment also apply to the first to sixth embodiments.
The eighth embodiment of the present invention relates to a client, which may be an SSH client in communication connection with a remote server, through which a user controls the remote server and exchanges commands and data with it.
The client comprises at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor so as to enable the at least one processor to perform the auditing method of any of the first to sixth embodiments.
The memory and the processor are connected by a bus. The bus may comprise any number of interconnected buses and bridges, which link together one or more of the various circuits of the processor and the memory. The bus may also connect various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. A bus interface provides an interface between the bus and the transceiver. The transceiver may be a single element or a plurality of elements, such as a plurality of receivers and transmitters, and provides a means for communicating with various other apparatus over a transmission medium. Data processed by the processor is transmitted over a wireless medium via an antenna, which also receives data and passes it to the processor.
The processor is responsible for managing the bus and for general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory may be used to store data used by the processor in performing operations.
A ninth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program implements the above method embodiments when executed by a processor.
That is, as those skilled in the art will understand, all or part of the steps of the methods in the above embodiments may be implemented by a program instructing the related hardware. The program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip or the like) or a processor to execute all or part of the steps of the methods in the embodiments of this application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk and various other media capable of storing program code.
Those of ordinary skill in the art will understand that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and detail may be made to them in practice without departing from the spirit and scope of the invention.
Claims (11)
1. An auditing method, applied to a client, the method comprising:
receiving interactive data input by a user, and judging whether the interactive data is a command end symbol;
if the interactive data is not the command end symbol, sending the interactive data to a server; if the interactive data is the command end symbol, obtaining an operation command according to the received interactive data;
judging whether the operation command is matched with a preset dangerous command condition or not;
and if the operation command matches the dangerous command condition, sending an interrupt command for blocking execution of the operation command to the server, so as to block the server from executing the operation command.
2. The auditing method of claim 1, wherein the dangerous command condition includes at least one regular expression, and the determining whether the operation command matches a preset dangerous command condition includes:
judging whether the operation command is matched with any regular expression or not;
and if the operation command is matched with any regular expression, judging that the operation command is matched with the dangerous command condition.
3. The auditing method of claim 2, wherein the dangerous command condition further includes a target object in one-to-one correspondence with each of the regular expressions, and
after determining that the operation command matches any of the regular expressions, the method further includes:
judging whether the client is matched with a target object corresponding to any regular expression;
and if the client side is matched with the target object corresponding to any regular expression, judging that the operation command is matched with the dangerous command condition.
4. The auditing method of claim 1, further comprising, after the receiving of the interactive data input by the user:
judging whether the received interactive data is command data;
and if the interactive data is command data, the step of judging whether the interactive data is a command end character is carried out.
5. The auditing method of claim 4, further comprising, before the sending of the interactive data to the server:
judging whether the command data is a command character;
if the command data is a command character, setting a state flag bit corresponding to the command data;
and, after the sending of the interactive data to the server:
receiving return data corresponding to the command data returned by the server;
the obtaining an operation command according to the received interactive data includes:
and obtaining the operation command according to the interactive data, the status flag bit corresponding to each command data and the return data corresponding to each command data.
6. The auditing method of claim 1, further comprising, before the sending of the interactive data to the server:
recording cursor information corresponding to the interactive data;
the obtaining an operation command according to the received interactive data includes:
and obtaining the operation command according to the received interactive data and the cursor information corresponding to each interactive data.
7. The auditing method of claim 1, further comprising, after determining that the operation command matches the dangerous command condition:
judging whether the client is in a monitoring mode;
if the client is in the monitoring mode, sending the command end symbol to the server;
and if the client is in a non-monitoring mode, entering the step of sending an interrupt command for blocking the execution of the operation command to the server.
8. The auditing method of claim 1, the method further comprising:
forming a command log corresponding to the operation command according to a preset format;
and storing the command log locally.
9. The auditing method of claim 8, further comprising, before the storing of the command log locally:
judging whether a key file exists in the client;
if a key file exists in the client, encrypting the command log according to the key file;
the locally storing the command log includes:
and storing the encrypted command log locally.
10. An auditing apparatus, comprising:
the command acquisition module is used for receiving interactive data input by a user and sending the interactive data to a server when the interactive data is not a command end symbol;
the command acquisition module is further configured to obtain an operation command according to the received interactive data when the interactive data is a command end symbol;
the auditing module is used for judging whether the operation command is matched with a preset dangerous command condition;
and the sending module is used for sending an interrupt command for blocking the execution of the operation command to the server so as to block the server from executing the operation command when the operation command is matched with the dangerous command condition.
11. A client, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the auditing method of any of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010147638.3A CN111404889B (en) | 2020-03-05 | 2020-03-05 | Audit method and device and client |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111404889A true CN111404889A (en) | 2020-07-10 |
CN111404889B CN111404889B (en) | 2023-06-09 |
Family
ID=71413201
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||