CN113221101A - Method for realizing safety audit function based on android system - Google Patents


Info

Publication number
CN113221101A
Authority
CN
China
Prior art keywords
log
audit
filtering
function
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110366671.XA
Other languages
Chinese (zh)
Inventor
李帅
张志成
王文功
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Standard Software Co Ltd
Original Assignee
China Standard Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1458Management of the backup or restore process
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/14Details of searching files based on file metadata
    • G06F16/148File search processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • G06F16/9035Filtering based on additional data, e.g. user or group profiles
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/907Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Library & Information Science (AREA)
  • Computational Linguistics (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method for implementing a security audit function based on the Android system, characterised by comprising the following steps: an audit function is configured, and checking of the kernel audit log and checking of the system audit log are implemented through filtering of the audit log. The kernel audit log is checked by reading /proc/kmsg with the dmesg command, and the system audit log is checked by reading the contents of the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio. With this method for implementing a security audit function based on the Android system, key information is located by configuring the audit filtering function.

Description

Method for realizing safety audit function based on android system
Technical Field
The invention relates to the technical field of data security, in particular to a method for realizing a security audit function based on an android system.
Background
Android log messages record hardware, software and system problems in the system and can also be used to monitor events occurring in the system. Through them the user can check the cause of an error or, when under attack, look for traces left by the attacker.
Android provides a lightweight LOG mechanism whose implementation runs through the various layers of Android: Java, JNI, the native C/C++ implementation, the Linux kernel driver and so on.
Android log messages fall into two categories: Linux kernel messages and Android system logs.
1. Linux kernel message
In the Linux kernel, kernel log messages are of two types:
(1) The kernel's own debugging messages, driver loading information and the like, which are mainly printed through printk.
(2) Messages encapsulated through the audit interface, which are mainly sent to user space through netlink.
Both types finally write the log information into a ring-buffer-like kernel log buffer. The buffer is read through the memory file system file /proc/kmsg; only one process, with superuser privileges, can read this file at any time. The messages can be retrieved with the syslog system call, and are usually retrieved with the dmesg tool or the klog daemon. /proc/kmsg is a special file: its contents are consumed each time it is read, and a read blocks until data is available.
The output log format is as follows:
<4>[    0.270516] Mount-cache hash table entries: 512
where <4> is the log level. printk provides 8 log levels:
<0>: KERN_EMERG, the system is unusable
<1>: KERN_ALERT, action must be taken immediately
<2>: KERN_CRIT, critical condition
<3>: KERN_ERR, error condition
<4>: KERN_WARNING, warning condition
<5>: KERN_NOTICE, normal but worth noting
<6>: KERN_INFO, informational message
<7>: KERN_DEBUG, debug-level information
The avc messages of the SELinux module are also in this buffer, so if avc messages are to be filtered, this file must be read.
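As an added example that is not part of the patent, the following Python parses ring-buffer lines in the <level>[timestamp] layout shown above, maps the level number to its KERN_ name and picks out the SELinux avc messages the text says live in the same buffer. The sample lines are constructed, and Python is used instead of the application's Java so the parsing logic stands alone.

```python
import re
from typing import List, NamedTuple, Optional

# printk log levels exactly as listed in the description (<0> .. <7>).
KERN_LEVELS = {
    0: "KERN_EMERG", 1: "KERN_ALERT", 2: "KERN_CRIT", 3: "KERN_ERR",
    4: "KERN_WARNING", 5: "KERN_NOTICE", 6: "KERN_INFO", 7: "KERN_DEBUG",
}

# "<prio>[ seconds.micros] text": the /proc/kmsg (dmesg) layout shown above.
LINE_RE = re.compile(r"^<(\d+)>\[\s*(\d+\.\d+)\]\s?(.*)$")


class KernelMsg(NamedTuple):
    level: int        # 0 (most severe) .. 7 (least severe)
    level_name: str   # KERN_* name from the table above
    timestamp: float  # seconds since boot
    text: str
    is_avc: bool      # SELinux access-vector-cache (avc) message?


def parse_kmsg_line(line: str) -> Optional[KernelMsg]:
    """Parse one ring-buffer line; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The <N> prefix is a syslog priority, facility*8 + level; kernel
    # messages use facility 0, but mask anyway so N > 7 never breaks lookup.
    level = int(m.group(1)) & 7
    text = m.group(3)
    return KernelMsg(level, KERN_LEVELS[level], float(m.group(2)), text,
                     "avc:" in text)


def filter_kmsg(lines: List[str], max_level: int = 7,
                avc_only: bool = False) -> List[KernelMsg]:
    """Keep messages at least as severe as max_level (a lower number is more
    severe) and, with avc_only, only SELinux avc messages."""
    kept = []
    for line in lines:
        msg = parse_kmsg_line(line)
        if msg is None or msg.level > max_level:
            continue
        if avc_only and not msg.is_avc:
            continue
        kept.append(msg)
    return kept


# Constructed sample of ring-buffer output; not captured from a real device.
SAMPLE_KMSG = [
    "<4>[    0.270516] Mount-cache hash table entries: 512",
    "<6>[    1.234567] init: starting service 'adbd'...",
    "<3>[   20.000000] binder: 1234:1234 transaction failed 29189/-22",
    "<5>[   42.100000] type=1400 audit(1617667200.123:45): avc: denied "
    "{ read } for pid=1234 comm=\"auditapp\" name=\"kmsg\" dev=\"proc\" "
    "scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc_kmsg:s0 "
    "tclass=file permissive=0",
    "a line without a level prefix is skipped",
]

if __name__ == "__main__":
    # Everything at warning level or more severe.
    for m in filter_kmsg(SAMPLE_KMSG, max_level=4):
        print(f"{m.level_name:13s} [{m.timestamp:11.6f}] {m.text}")
    # Only the SELinux avc messages, the filter the description suggests.
    for m in filter_kmsg(SAMPLE_KMSG, avc_only=True):
        print("AVC:", m.text)
```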
2. Android system log
The Android log system provides functions for recording and viewing system debugging information. Logs are recorded from various software components into several system buffers, which can be viewed through the logcat command.
Logcat is a command of the Android shell; it can be run after entering the shell via adb shell, or directly via adb logcat.
Syntax:
[adb] logcat [<option>] ... [<filter-spec>] ...
The output log format is as follows:
14-04 09:32:35.905 D/AndroidRuntime( 1071): CheckJNI is ON
Options:
-b <buffer> specifies the log buffer to view: system, events, radio or main. These correspond to the system, events, radio and main log files under the Android /dev/log directory. The default is system and main. This option may be given several times to specify several log buffers.
-c clears the log buffer
-d dumps the log to the screen and exits
-v <format> sets the log entry format; for example, with "-v time" the time at which each entry was generated is shown.
The options above are the ones our front-end application needs for viewing log files.
Each Android log message carries a tag and a priority. The tag is a short identifier of the system component that produced the message; it is the tag argument of the Log.v, Log.d, Log.i, Log.w and Log.e family of functions.
The priorities, from low to high, are:
V: Verbose, any message is output; corresponds to the Log.v functions
D: Debug, only debugging information is output; corresponds to the Log.d functions
I: Info, general informational messages
W: Warning; usually a sign that the Android code needs attention or optimisation
E: Error, shown in red
F: Fatal error
S: Silent, nothing is output
Android log messages include system log messages, application log messages, security log messages and so on; there are therefore a great many of them, and key information is hard to find.
Security auditing mainly aims to detect and prevent intrusion into the computer system by unauthorised users, to expose misoperation by legitimate users, and to provide a detailed and reliable basis for locating the cause of an incident, for prediction and alarm before an incident and for real-time handling after it, so that once an event violating the system's security rules has occurred, where and how it happened and who is responsible can be traced effectively.
Two goals are achieved through security auditing: first, a damaged system can be given information to support loss assessment and recovery; second, security-relevant behaviour can be recorded in detail so that it can be analysed to find insecure factors in the system.
Disclosure of Invention
The invention provides a method for implementing a security audit function based on the Android system, comprising the following steps: an audit function is configured, and checking of the kernel audit log and checking of the system audit log are implemented by filtering the audit log. The kernel audit log is checked by reading /proc/kmsg with the dmesg command, and the system audit log is checked by reading the contents of the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio.
Configuring the audit function comprises setting an audit switch, setting an audit log backup function and setting an audit log processing function, wherein
the audit switch setting opens or closes auditing of the configured Tag by calling the framework-layer interface, so as to open or close the audit service;
the audit log backup function setting implements backup of the system log file and of the kernel log file by backing up the log table in the database to the local directory /sdcard/backuplog/ in CSV format, so that the user can view the backup data in that directory;
the audit log processing function setting lets the user choose the handling applied when the audit log file stored in the database is full, through functions such as stopping writing the audit log, restarting writing the audit log and sending a mail prompt.
When the system audit log is checked, key information is located through the time filtering, priority filtering, Tag filtering or keyword filtering functions.
The time filtering function is implemented as follows: according to the time period entered by the user, the log information within that period is displayed; the time of each log entry in the log file is compared with the period, and the entry is displayed if it falls within the period and not displayed otherwise.
The priority filtering function is implemented as follows: the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of each log entry; if it matches, the entry is displayed, otherwise it is not.
The Tag filtering function is implemented as follows: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of each log entry; if it matches, the entry is displayed, otherwise it is not.
The keyword filtering function is implemented as follows: a search is made for the keyword entered by the user, checking whether each log entry contains the keyword; if it does, the entry is displayed, otherwise it is not.
With this method for implementing a security audit function based on the Android system, key information is located by configuring the audit filtering function.
Detailed Description
In order to further explain the technical solution and the advantages of the present invention, a detailed description of the technical solution and its advantages follows.
The invention mainly provides a security audit implementation method for the Android system from two aspects: configuration of the audit function and setting of audit checking.
First, audit configuration
Three functions are mainly implemented: audit switch setting, audit log backup and audit log processing.
1. Audit switch settings
The audit switch settings cover opening and closing the audit services. This module mainly calls the framework-layer interface. When the audit service state is set to on, auditing of the configured Tag is started, i.e. log information for that Tag can be viewed in the log list; when the state is set to off, auditing of the configured Tag is stopped, and log information for that Tag no longer appears in the log list.
The services that are opened and closed are isic, ctmm, user login and device management. Opening and closing are implemented by calling the interface with a parameter: true opens, false closes.
The relevant interface calls are:
auditIsicStatusSet.setEnabled(true);        // isic audit switch
auditUserLoginStatusSet.setEnabled(true);   // user login audit switch
auditDevManagerStatusSet.setEnabled(true);  // device management audit switch
auditCtmmStatusSet.setEnabled(true);        // ctmm audit switch
// persist the switch states (serviceStatusShare is presumably a SharedPreferences.Editor)
serviceStatusShare.putBoolean("isicaudit", true);
serviceStatusShare.putBoolean("userloginaudit", true);
serviceStatusShare.putBoolean("devmanageraudit", true);
serviceStatusShare.putBoolean("ctmmaudit", true);
serviceStatusShare.commit();                // apply the settings
2. Audit log backup
The audit log backup comprises backup of the system log file and backup of the kernel log file. The backup exports the log table in the database to the local directory /sdcard/backuplog/ in CSV format, and the user can view the backup data in that directory. The main implementation code:
// Requires java.io.File, FileWriter, BufferedWriter and IOException.
// c is the database Cursor over the audit log table; time and fileName
// together form the name of the backup file.
String path = "/sdcard/backuplog";
File backPath = new File(path);
if (!backPath.exists()) {
    backPath.mkdirs();
}
File saveFile = new File(backPath, time + fileName);
backupFileLength = 0;
sendMsg(0);                            // notify backup start
BufferedWriter bfw = null;
try {
    rowCount = c.getCount();
    colCount = c.getColumnCount();
    FileWriter fw = new FileWriter(saveFile);
    bfw = new BufferedWriter(fw);
    if (rowCount > 0) {
        c.moveToFirst();
        // write header
        for (int i = 0; i < colCount; i++) {
            if (i != colCount - 1)
                bfw.write(c.getColumnName(i) + ',');
            else
                bfw.write(c.getColumnName(i));
        }
        // line feed after header write
        bfw.newLine();
        // write data; note that values are written unquoted, so a log
        // message containing ',' or a line break will break the CSV layout
        for (int i = 0; i < rowCount; i++) {
            c.moveToPosition(i);
            for (int j = 0; j < colCount; j++) {
                if (j != colCount - 1)
                    bfw.write(c.getString(j) + ',');
                else
                    bfw.write(c.getString(j));
            }
            // line feed after writing each record
            bfw.newLine();
            backupFileLength += 1;
            sendMsg(1);                // update progress bar
        }
    }
    sendMsg(2);                        // notify backup completion
    // write cached data to file
    bfw.flush();
} catch (IOException e) {
    e.printStackTrace();
} finally {
    // release cache
    if (bfw != null) {
        try { bfw.close(); } catch (IOException ignored) { }
    }
}
3. Audit log processing
Audit log processing defines what should be done when the audit log file stored in the database is full, for example stopping writing the audit log, restarting writing the audit log, or sending a mail reminder.
Stop auditing: audit records are simply no longer written to the database.
Restart writing: the existing records in the database are deleted and audit records are written to the database again from the beginning.
Mail reminder: when the number of audit entries in the database reaches a specified value, an email is sent to remind the user that the number of audit logs has reached that value, and writing to the database is stopped at the same time.
The mail reminder is implemented by sending mail through JavaMail. The Android build of the JavaMail package must be downloaded and its three packages added to the Eclipse project for development.
The implementation steps are as follows:
(1) Establish a Session with the mail server
(2) Construct a mail message (MimeMessage)
(3) Send the mail with Transport
Note: the network permission must be added under Android.
Because the mail is sent in the background, the user is not asked to enter the information, so the necessary information has to be collected beforehand.
The main code is as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
The mail sending method mainly uses methods from the mail.jar package: it first checks some user authentication information, then sets the mail information collected from the user, and finally calls the Transport.send() method to send the mail configured by the user.
Second, audit checking
Audit checking mainly covers checking and filtering the kernel audit log and checking and filtering the system audit log; filtering the audit log solves the problem that there is too much log information and key information is hard to find.
When the audit log is checked, the kernel log file /proc/kmsg cannot be read with the cat command even when the Android front-end application has obtained root privileges; this problem is solved by retrieving the information with the dmesg command. Reading /proc/kmsg with the dmesg command requires root privileges. The main program is implemented as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
The system audit log is obtained by reading the contents of the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio; the command used is logcat -d -v time -b main -b system -b events -b radio, and the main program is implemented as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
Audit filtering is divided into four categories: filtering by time, filtering by priority, filtering by Tag and filtering by keyword. The user selects a filtering method, and the corresponding query results are displayed.
(1) Filtering by time: according to the time period entered by the user, the log information within that period is displayed. The time of each log entry in the log file is compared with the period; if it falls within the period the entry is displayed, otherwise it is not. The main implementation code is as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
(2) Filtering by priority: similar to time filtering, the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of each log entry; if it matches, the entry is displayed, otherwise it is not. The priority levels are: "verbose", "debug", "info", "warn", "error", "fatal", "silent".
The main implementation code is as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
(3) Filtering by Tag: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of each log entry; if it matches, the entry is displayed, otherwise it is not.
The main implementation code is as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
(4) Filtering by keyword: a search is made for the keyword entered by the user; each log entry is checked for whether it contains the keyword, and if it does the entry is displayed, otherwise it is not. The main implementation code is as follows:
(The implementation code is given as figures in the original patent and is not reproduced here.)
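The four filters described in (1) to (4) above, as an added example that is not the patent's code: it parses constructed "logcat -d -v time" lines in the layout shown in the Background section and applies the time, priority, Tag and keyword filters. The priority filter implements the exact match the description states and, as a generalisation, the usual logcat meaning of "that level and above". Python is used rather than the application's Java so the logic stands alone.

```python
import re
from typing import List, NamedTuple, Optional

# "logcat -v time" layout: MM-DD HH:MM:SS.mmm P/Tag( PID): message
LOGCAT_TIME_RE = re.compile(
    r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+([VDIWEFS])/(.*?)\(\s*(\d+)\):\s?(.*)$"
)

# Priority names from the description, ordered low to high, keyed by the
# single-letter code that logcat prints.
PRIORITIES = ["verbose", "debug", "info", "warn", "error", "fatal", "silent"]
CODE_TO_NAME = dict(zip("VDIWEFS", PRIORITIES))


class LogEntry(NamedTuple):
    time: str      # zero-padded "MM-DD HH:MM:SS.mmm": string order is time order
    priority: str  # one of PRIORITIES
    tag: str
    pid: int
    message: str


def parse_logcat_line(line: str) -> Optional[LogEntry]:
    """Parse one "-v time" line; None for separator lines or other layouts."""
    m = LOGCAT_TIME_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, code, tag, pid, msg = m.groups()
    # logcat pads short tags with spaces before the "(pid)" part.
    return LogEntry(ts, CODE_TO_NAME[code], tag.strip(), int(pid), msg)


def parse_logcat(lines: List[str]) -> List[LogEntry]:
    return [e for e in map(parse_logcat_line, lines) if e is not None]


def filter_by_time(entries: List[LogEntry], start: str, end: str) -> List[LogEntry]:
    """Keep entries with start <= time <= end. Both bounds use the log's own
    zero-padded format; "-v time" carries no year, so a range must not span
    a year boundary."""
    return [e for e in entries if start <= e.time <= end]


def filter_by_priority(entries: List[LogEntry], priority: str,
                       exact: bool = False) -> List[LogEntry]:
    """exact=True keeps only the named level (the description's wording);
    exact=False keeps that level and every higher one, which is how logcat's
    own filter-spec treats a priority."""
    name = priority.lower()
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    rank = PRIORITIES.index(name)
    keep = (lambda r: r == rank) if exact else (lambda r: r >= rank)
    return [e for e in entries if keep(PRIORITIES.index(e.priority))]


def filter_by_tag(entries: List[LogEntry], tag: str) -> List[LogEntry]:
    """Exact match on the Tag field, as the description states."""
    return [e for e in entries if e.tag == tag]


def filter_by_keyword(entries: List[LogEntry], keyword: str) -> List[LogEntry]:
    """Case-insensitive substring search over tag and message."""
    kw = keyword.lower()
    return [e for e in entries
            if kw in e.message.lower() or kw in e.tag.lower()]


# Constructed sample of "logcat -d -v time" output; not from a real device.
SAMPLE_LOGCAT = [
    "04-14 09:32:35.905 D/AndroidRuntime( 1071): CheckJNI is ON",
    "04-14 09:32:36.120 I/ActivityManager(  523): Start proc com.example.audit",
    "04-14 09:33:01.004 W/auditd  (  201): audit: rate limit exceeded",
    "04-14 09:35:10.777 E/AuditService( 2210): user login failed for uid=10057",
    "04-14 09:40:00.001 I/AuditService( 2210): user login succeeded for uid=10057",
    "--------- beginning of /dev/log/main",
]

if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    print(len(entries), "entries parsed")
    for e in filter_by_time(entries, "04-14 09:32:00.000", "04-14 09:33:59.999"):
        print("time   ", e.time, e.tag, e.message)
    for e in filter_by_priority(entries, "warn"):
        print("prio   ", e.priority, e.tag, e.message)
    for e in filter_by_tag(entries, "AuditService"):
        print("tag    ", e.time, e.message)
    for e in filter_by_keyword(entries, "login failed"):
        print("keyword", e.time, e.tag, e.message)
```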
although the present invention has been described with reference to the preferred embodiments, it should be understood that the scope of the present invention is not limited thereto, and those skilled in the art will appreciate that various changes and modifications can be made without departing from the spirit and scope of the present invention.

Claims (7)

1. A method for implementing a security audit function based on the Android system, characterised by comprising the following steps: an audit function is configured, and checking of the kernel audit log and checking of the system audit log are implemented through filtering of the audit log, wherein the kernel audit log is checked by reading /proc/kmsg with the dmesg command, and the system audit log is checked by reading the contents of the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio.
2. The method for implementing a security audit function based on the Android system of claim 1, wherein configuring the audit function includes setting an audit switch, setting an audit log backup function and setting an audit log processing function, wherein
the audit switch setting opens or closes auditing of the configured Tag by calling the framework-layer interface, so as to open or close the audit service;
the audit log backup function setting implements backup of the system log file and of the kernel log file by backing up the log table in the database to the local directory /sdcard/backuplog/ in CSV format, so that the user can view the backup data in that directory;
the audit log processing function setting lets the user choose the handling applied when the audit log file stored in the database is full, through functions such as stopping writing the audit log, restarting writing the audit log and sending a mail prompt.
3. The method for implementing a security audit function based on the Android system of claim 1, wherein checking of the system audit log locates key information through the time filtering, priority filtering, Tag filtering or keyword filtering functions.
4. The method for implementing a security audit function based on the Android system of claim 3, wherein the time filtering function is implemented as follows: according to the time period entered by the user, the log information within that period is displayed; the time of each log entry in the log file is compared with the period, and the entry is displayed if it falls within the period and not displayed otherwise.
5. The method for implementing a security audit function based on the Android system of claim 3, wherein the priority filtering function is implemented as follows: the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of each log entry; if it matches, the entry is displayed, otherwise it is not.
6. The method for implementing a security audit function based on the Android system of claim 3, wherein the Tag filtering function is implemented as follows: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of each log entry; if it matches, the entry is displayed, otherwise it is not.
7. The method for implementing a security audit function based on the Android system of claim 3, wherein the keyword filtering function is implemented as follows: a search is made for the keyword entered by the user, checking whether each log entry contains the keyword; if it does, the entry is displayed, otherwise it is not.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110366671.XA CN113221101A (en) 2021-04-06 2021-04-06 Method for realizing safety audit function based on android system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110366671.XA CN113221101A (en) 2021-04-06 2021-04-06 Method for realizing safety audit function based on android system

Publications (1)

Publication Number Publication Date
CN113221101A true CN113221101A (en) 2021-08-06

Family

ID=77086406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110366671.XA Pending CN113221101A (en) 2021-04-06 2021-04-06 Method for realizing safety audit function based on android system

Country Status (1)

Country Link
CN (1) CN113221101A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944761A (en) * 2014-04-18 2014-07-23 深圳芯智汇科技有限公司 Android log information filter method and system
US20150193216A1 (en) * 2012-07-19 2015-07-09 Tencent Technology (Shenzhen) Company Limited Method and system for installing application
CN106570163A (en) * 2016-11-07 2017-04-19 深圳市任子行科技开发有限公司 Unreliable environment-oriented audit log read-write managing method and system
CN109446816A (en) * 2018-10-18 2019-03-08 中电科大数据研究院有限公司 A kind of user behavior analysis method based on big data platform audit log
CN109614812A (en) * 2018-09-25 2019-04-12 北京计算机技术及应用研究所 File outgoing managing and control system and method under a kind of security application environment



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination