CN112765600A - Control method for collecting automatic synchronization CMDB based on HIDS intrusion detection - Google Patents
- Publication number
- CN112765600A
- Authority
- CN
- China
- Prior art keywords
- cmdb
- hids
- intrusion detection
- api
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/25—Integrating or interfacing systems involving database management systems
- G06F16/254—Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention relates to a control method for collecting automatic synchronization CMDB based on HIDS intrusion detection, which comprises the following steps: step 1: acquiring data information of each dimension through the API acquisition interface provided by an HIDS host intrusion detection product; step 2: creating a CMDB temporary table between the data information acquired by the HIDS host intrusion detection product and the CMDB configuration items; step 3: inserting the data information acquired by the HIDS host intrusion detection product into the temporary table through a mapping relation; step 4: processing the CMDB temporary table with an ETL tool to complete automatic synchronization from the HIDS host intrusion detection product to the CMDB configuration items. Compared with the prior art, the method provides a solution for configuration item blind spots that are difficult for the CMDB to manage, increases the proportion of automatically entered data, and improves overall working efficiency.
Description
Technical Field
The invention relates to the technical field of CMDB, in particular to a control method for collecting automatic synchronization CMDB based on HIDS intrusion detection.
Background
As the CMDB (Configuration Management Database) manages a growing body of IT asset configuration items and is closely connected with all service support and service delivery processes, its core position is increasingly emphasized. Because of this importance, operating this core operation and maintenance data has become a management problem. CMDB data falls into two categories: automatically discovered data and manually entered data. Manual entry usually needs management measures to keep data quality up, and it is an inefficient way to acquire data. Therefore, across the whole process of obtaining basic data sources, the scope of automatic discovery should be expanded as far as possible to reduce the cost of configuration management.
The main data entry mode at present combines manual maintenance with automatic discovery. Manual maintenance means adding, modifying and deleting data in batches through a background interface; automatic discovery means collecting the required configuration item data through an automatic discovery program in order to update fields or association relations in the CMDB model.
Some CMDB vendors on the market ship automatic discovery programs, which can discover CMDB configuration items automatically to a certain extent. However, these discovery programs are tightly coupled with the CMDB, so external discovery programs cannot be integrated well, the discovered content is fixed, and the discovered content is not under centralized control.
From the above, the following problems exist in the prior art:
1) Only a single type of IT resource can be discovered; all IT resources cannot be discovered centrally, so discovery is not comprehensive enough.
2) The discovery program is tightly coupled to the CMDB, making it difficult to integrate the CMDB with other, external discovery programs.
3) The discovered content cannot be flexibly extended through configuration.
4) The data presentation layer does not intuitively distinguish self-discovered data from non-self-discovered data, which confuses the user's understanding of the data.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a control method for collecting automatic synchronization CMDB based on HIDS intrusion detection. The method can flexibly obtain information of each dimension through the interface provided by the HIDS, removes the need to collect configuration item data manually, makes it easy for the calling program to integrate multiple discovery programs, allows the discovered content to be extended flexibly, and improves data identification and management capabilities.
The purpose of the invention can be realized by the following technical scheme:
A control method for collecting automatic synchronization CMDB based on HIDS intrusion detection comprises the following steps:
step 1: acquiring data information of each dimension through the API acquisition interface provided by an HIDS host intrusion detection product;
step 2: creating a CMDB temporary table between the data information acquired by the HIDS host intrusion detection product and the CMDB configuration items;
step 3: inserting the data information acquired by the HIDS host intrusion detection product into the temporary table through a mapping relation;
step 4: processing the CMDB temporary table with an ETL tool to complete automatic synchronization from the HIDS host intrusion detection product to the CMDB configuration items.
Further, the step 4 comprises the following sub-steps:
step 401: extracting the data in the CMDB temporary table with the ETL tool;
step 402: matching the ip address in the data against the ip address of the logic server recorded in the CMDB configuration item;
step 403: for data that meets the matching condition, adding the data to the CMDB configuration items to complete automatic synchronization.
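Steps 2 to 4 and sub-steps 401 to 403 in miniature, as an added example that is not part of the patent: SQLite stands in for the CMDB database and plain Python for the ETL tool. The table names, column names, HIDS field names and the `source` marker are assumptions, and the sample rows are constructed.

```python
import ipaddress
import sqlite3

# Assumed mapping relation: HIDS JSON field -> temporary-table column (step 3).
FIELD_MAP = {"internalIp": "ip", "hostname": "host_name", "platform": "os_type"}
COLUMNS = list(FIELD_MAP.values())


def normalize_ip(value):
    """Return the canonical text form of an IP address, or None if it is invalid."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def create_tables(conn):
    """Step 2: a temporary table beside the (hypothetical) CMDB logic-server table."""
    conn.executescript(
        """
        CREATE TABLE cmdb_logic_server (
            ip TEXT PRIMARY KEY, host_name TEXT, os_type TEXT, source TEXT);
        CREATE TABLE cmdb_tmp_host (ip TEXT, host_name TEXT, os_type TEXT);
        """
    )


def load_temp_table(conn, hids_rows):
    """Step 3: insert HIDS rows through the mapping; return rows with an unusable ip."""
    # Column names come from the constant FIELD_MAP; values are always bound parameters.
    sql = "INSERT INTO cmdb_tmp_host (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" for _ in COLUMNS))
    rejected = []
    for row in hids_rows:
        record = {dst: row.get(src) for src, dst in FIELD_MAP.items()}
        record["ip"] = normalize_ip(record["ip"])
        if record["ip"] is None:
            rejected.append(row)
            continue
        conn.execute(sql, [record[c] for c in COLUMNS])
    return rejected


def sync_to_cmdb(conn):
    """Steps 401-403: extract, match on ip, add data to the matching configuration item."""
    updated, unmatched = [], []
    rows = conn.execute(
        "SELECT ip, host_name, os_type FROM cmdb_tmp_host ORDER BY ip").fetchall()
    for ip, host_name, os_type in rows:
        cur = conn.execute(
            "UPDATE cmdb_logic_server SET host_name = ?, os_type = ?, source = 'hids' "
            "WHERE ip = ?", (host_name, os_type, ip))
        # rowcount is 0 when no logic server with this ip is recorded in the CMDB.
        (updated if cur.rowcount else unmatched).append(ip)
    conn.execute("DELETE FROM cmdb_tmp_host")
    return updated, unmatched


def run_demo():
    """Run the flow on constructed sample data and return what happened."""
    conn = sqlite3.connect(":memory:")
    create_tables(conn)
    conn.executemany(
        "INSERT INTO cmdb_logic_server VALUES (?, ?, ?, ?)",
        [("10.0.0.5", None, None, "manual"), ("10.0.0.6", "db01", "linux", "manual")])
    hids_rows = [  # constructed HIDS output (a json array once decoded)
        {"internalIp": " 10.0.0.5 ", "hostname": "web01", "platform": "linux"},
        {"internalIp": "10.0.0.77", "hostname": "shadow01", "platform": "linux"},
        {"internalIp": "not-an-ip", "hostname": "broken", "platform": "linux"},
    ]
    rejected = load_temp_table(conn, hids_rows)
    updated, unmatched = sync_to_cmdb(conn)
    cmdb = conn.execute(
        "SELECT ip, host_name, os_type, source FROM cmdb_logic_server ORDER BY ip"
    ).fetchall()
    return rejected, updated, unmatched, cmdb


if __name__ == "__main__":
    print(run_demo())
```

The unmatched list holds hosts that the HIDS agent reports but the CMDB has no logic server for; the patent only describes adding data for matched rows, so reporting the remainder is an addition of this example.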
Further, the step 1 comprises the following steps:
step 101: initiating a service API request to the API acquisition interface provided by the HIDS host intrusion detection product;
step 102: performing api identity authentication, and performing signature verification on the request parameters after the api identity authentication is passed, to obtain the authenticated token string, a company id, the current system timestamp and a signature value;
step 103: processing different service API request types differently to obtain the key string string-to-sign;
step 104: applying a hash algorithm to the key string string-to-sign to obtain the sign character string;
step 105: assembling the http request header parameters based on the sign character string;
step 106: completing the API call, and inserting the output json array into the CMDB database to obtain the data information of each dimension.
Further, the step 103 specifically includes:
for a get request, sorting the request parameters by parameter name, and concatenating the sorted request parameters and their values with the company id, the current system timestamp and the signature value according to the format to obtain the key string string-to-sign;
for a put/post/delete request, using the data json as the string parameter body, and concatenating according to the format to obtain the key string string-to-sign.
Further, the hash algorithm in step 104 adopts a SHA1 algorithm.
Further, the process of performing api identity authentication in step 102 specifically includes: parameters of a user name and a password are defined in a restful interface, and relevant parameters are obtained and api identity authentication is carried out.
Further, the data information of each dimension in step 1 includes host information, process information, system account information, user group information, Web application information, software application information, and database information.
Further, the API call in step 106 is written by python, and the output result is a json array, which is inserted into the CMDB database.
The invention also provides terminal equipment which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor, wherein the processor realizes the step of the control method for collecting the automatic synchronous CMDB based on the HIDS intrusion detection when executing the computer program.
The invention also provides a computer readable storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the steps of the control method for collecting the automatic synchronization CMDB based on HIDS intrusion detection.
Compared with the prior art, the invention has the following advantages:
(1) Based on the data collected by HIDS intrusion detection, the invention writes the related calling programs and automatically updates the data into the CMDB configuration management system, thereby realizing automatic entry of most operation and maintenance configuration items.
(2) Based on the collection capability of the security equipment, the server configuration data collected by the HIDS is acquired through the interface, which ensures the comprehensiveness and accuracy of data acquisition.
(3) The temporary table stores the automatically acquired data and allows secondary processing of it, so that the data comes closer to the CMDB model and the user gets a good working environment. In addition, the data collection script is decoupled from the CMDB: the CMDB and the external platform synchronize data through the table, and the table serves as an extended application for external data interaction.
Drawings
FIG. 1 is a flow chart of the HIDS data acquisition step portion of the overall method steps of the present invention;
FIG. 2 is a flow chart of the ETL processing CMDB temporary table step portion of the overall method steps of the present invention;
FIG. 3 is a flow chart of the overall method steps of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, shall fall within the scope of protection of the present invention.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
The HIDS host intrusion detection product provides an API acquisition interface covering part of its functions, which can be used to flexibly acquire information of each dimension, and the current API provides the following queries. All api requests follow the restful style, and results are returned in json data format. The whole interface call is written in python; the output result is a json array, which is inserted into the CMDB database.
S01) As shown in FIG. 1, initiate a request to the API interface of the HIDS product. The url is the request address; the corresponding server address is the address of the HIDS java server and the port is 6000, for example http://${server}:6000/v1/api/auth. Before a service api can be requested, an authentication request must pass, and service api requests must be signed over their parameters. For GET/POST apis, the parameters are passed uniformly in the url, submitted in a form-like manner, such as name&key1value1&key2value2.
S02) Perform api identity authentication: a service API can be requested only after identity authentication has passed. The user name and password parameters are defined in the restful interface, and the relevant parameters are obtained through the authentication.
S03) Sign the request parameters for verification. First, the jwt (authenticated token string), comId (company id) and signKey (signature value) parameters are obtained from the previous request, together with the current system timestamp. For a get request, the parameters are sorted by parameter name (natural ascending order), and the sorted request parameters and values are concatenated with comId, timetag and signKey according to the format below to obtain the key string string-to-sign.
The format is as follows: {comId}{key1value1key2value2}{timestamp}{signKey};
S04) For a put/post/delete request, the data json is used as the string parameter body, and the key string string-to-sign is obtained by concatenating in the following form.
The format is as follows: {comId}{body}{timetag}{signKey};
S05) Apply a hash calculation to the key string string-to-sign to obtain the sign character string. The hash algorithm is SHA1.
S06) Assemble the http request header parameters.
S07) Complete the API call and insert the output json array into the CMDB database.
S08) Create a temporary table object as the transition between HIDS collection and the CMDB configuration items.
S09) Establish the mapping relations between the intermediate table object and, respectively, the HIDS collection and the CMDB configuration items.
S10) The calling program above inserts the configuration information collected through the HIDS interface into the temporary table through the mapping relation.
S11) As shown in FIG. 2, the ETL tool completes automatic synchronization from the HIDS to the CMDB configuration items according to the server ip address.
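Steps S03 to S06 as a client-side sketch, added here as an illustration and not taken from the patent or from any HIDS product: it builds the string-to-sign for both request types and hashes it with SHA1. The HTTP header names, the Bearer scheme and all sample values are assumptions, since the page does not list them.

```python
import hashlib
import json


def string_to_sign_get(com_id, params, timestamp, sign_key):
    """S03: sort parameters by name (ascending), then join name+value pairs.

    Format from the page: {comId}{key1value1key2value2}{timestamp}{signKey}
    """
    pairs = "".join(f"{name}{params[name]}" for name in sorted(params))
    return f"{com_id}{pairs}{timestamp}{sign_key}"


def string_to_sign_body(com_id, body, timestamp, sign_key):
    """S04: put/post/delete use the JSON text itself as the body.

    Format from the page: {comId}{body}{timetag}{signKey}
    """
    return f"{com_id}{body}{timestamp}{sign_key}"


def sha1_sign(string_to_sign):
    """S05: the sign string is the SHA1 digest of the string-to-sign (hex form assumed)."""
    return hashlib.sha1(string_to_sign.encode("utf-8")).hexdigest()


def prepare_request(method, auth, timestamp, params=None, data=None):
    """S03-S06 for one request; `auth` holds jwt, comId and signKey from the auth call."""
    method = method.upper()
    if method == "GET":
        body = None
        to_sign = string_to_sign_get(
            auth["comId"], params or {}, timestamp, auth["signKey"])
    elif method in ("PUT", "POST", "DELETE"):
        # Serialize once and send exactly these bytes: signing one rendering of
        # the JSON and transmitting another makes verification fail.
        body = json.dumps(data if data is not None else {},
                          separators=(",", ":"), ensure_ascii=False)
        to_sign = string_to_sign_body(
            auth["comId"], body, timestamp, auth["signKey"])
    else:
        raise ValueError(f"unsupported method: {method}")
    headers = {
        # Placeholder header names; the patent says only that headers are
        # assembled from the sign string.
        "comId": auth["comId"],
        "timestamp": str(timestamp),
        "sign": sha1_sign(to_sign),
        "Authorization": f"Bearer {auth['jwt']}",
    }
    # signKey is an input to the hash only and never appears in the request.
    return {"method": method, "params": params, "body": body, "headers": headers}


if __name__ == "__main__":
    # Constructed credentials and timestamp, for illustration only.
    sample_auth = {"jwt": "constructed.jwt.value", "comId": "c1", "signKey": "k"}
    print(prepare_request("GET", sample_auth, 1700000000,
                          params={"page": "0", "hostname": "web01"}))
    print(prepare_request("POST", sample_auth, 1700000000, data={"x": 1}))
```

Because names and values are joined without separators, the string-to-sign does not record where a name ends: `{"a": "bc"}` and `{"ab": "c"}` produce the same signature. A service verifying such requests should therefore also check the parameter names against what the endpoint accepts.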
As shown in FIG. 3, the present invention uses HIDS as the source of the collected data. HIDS stands for Host-based Intrusion Detection System. Acting as a monitor and analyzer for a computer system, it monitors the dynamic behavior of all or part of the system and the state of the entire computer system. It can collect almost all server system resources, such as servers, databases, middleware, processes, ports, etc.
In the implementation method for automatically synchronizing the CMDB based on HIDS collection, HIDS data is acquired by a python calling program, and the HIDS collection unit uses Agents deployed on the server side to regularly collect the relevant configuration information of hosts, databases and various software components.
According to the implementation method of the automatic synchronization CMDB based on HIDS intrusion detection, the HIDS platform is used to achieve comprehensive data acquisition, covering resources such as host information, process information, system account information, user group information, Web application information, software application information and database information. This achieves comprehensiveness and neutrality of acquisition capacity, provides a solution for configuration item blind spots that are difficult for the CMDB to manage, increases the proportion of automatically entered data, and improves overall working efficiency.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A control method for collecting automatic synchronization CMDB based on HIDS intrusion detection is characterized by comprising the following steps:
step 1: acquiring data information of each dimension based on an API acquisition interface provided by an API of an HIDS host intrusion detection product;
step 2: creating a CMDB temporary table between data information acquired by an HIDS host intrusion detection product and a CMDB configuration item;
step 3: inserting data information acquired by an HIDS host intrusion detection product into the temporary table through a mapping relation;
step 4: processing the CMDB temporary table through an ETL tool to complete automatic synchronization from the HIDS host intrusion detection product to the CMDB configuration item.
2. The HIDS intrusion detection collection based control method for automatically synchronizing CMDBs according to claim 1, wherein the step 4 comprises the following sub-steps:
step 401: extracting data in the CMDB temporary table through an ETL tool;
step 402: matching according to the ip address in the data and the ip address of the logic server recorded in the CMDB configuration item;
step 403: and adding data to the CMDB configuration items aiming at the data meeting the matching conditions so as to complete automatic synchronization.
3. The HIDS intrusion detection collection based control method for automatically synchronizing CMDBs according to claim 1, wherein the step 1 comprises the steps of:
step 101: initiating an API provided by an HIDS host intrusion detection product API to acquire an interface service API request;
step 102: performing api identity authentication, and performing signature verification on the request parameters after the api identity authentication is passed to obtain a token string, a company id, a system current timestamp and a signature value after the authentication;
step 103: different processing is carried out on different business API request types to obtain a secret key string-to-sign;
step 104: carrying out hash algorithm calculation on the key string-to-sign to obtain a sign character string;
step 105: assembling http request header parameters based on the sign character string;
step 106: and completing the API calling step, and inserting the output json array into the CMDB database to obtain the data information of each dimension.
4. The HIDS intrusion detection collection-based automatic synchronization CMDB control method according to claim 3, wherein the step 103 specifically comprises:
for the get request, sequencing request parameters according to parameter names, and splicing the sequenced request parameters and corresponding values with a company id, a system current timestamp and a signature value according to formats to obtain a secret key string-to-sign;
for the put/post/delete request, data json is used as a character string parameter body, and the data json are spliced according to a format to obtain a string-to-sign key.
5. The HIDS intrusion detection collection-based control method for automatically synchronizing the CMDB according to claim 3, wherein the hash algorithm in step 104 employs a SHA1 algorithm.
6. The HIDS intrusion detection collection-based automatic synchronization CMDB control method according to claim 3, wherein the process of api identity authentication in step 102 specifically comprises: parameters of a user name and a password are defined in a restful interface, and relevant parameters are obtained and api identity authentication is carried out.
7. The HIDS intrusion detection acquisition-based automatic synchronization CMDB control method according to claim 1, wherein the data information of each dimension in step 1 includes host information, process information, system account information, user group information, Web application information, software application information and database information.
8. The method as claimed in claim 3, wherein the API call in step 106 is written in python, and the output result is json array, which is inserted into CMDB database.
9. A terminal device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, characterized in that said processor when executing said computer program implements the steps of the HIDS intrusion detection acquisition auto-synchronizing CMDB based control method according to any of claims 1 to 8.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the steps of the HIDS intrusion detection acquisition based auto-synchronizing CMDB control method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011585014.6A (CN112765600A) | 2020-12-28 | 2020-12-28 | Control method for collecting automatic synchronization CMDB based on HIDS intrusion detection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112765600A | 2021-05-07 |
Family
ID=75696342
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011585014.6A (Pending, CN112765600A) | Control method for collecting automatic synchronization CMDB based on HIDS intrusion detection | 2020-12-28 | 2020-12-28 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112765600A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||