CN113221101A - Method for realizing safety audit function based on android system - Google Patents
- Publication number: CN113221101A (application CN202110366671.XA)
- Authority: CN (China)
- Prior art keywords: log, audit, filtering, function, user
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classifications fall under G (Physics), G06 (Computing; calculating or counting), G06F (Electric digital data processing):
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F11/1458: Management of the backup or restore process (under G06F11/00 Error detection; error correction; monitoring; G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance; G06F11/14 Error detection or correction of the data by redundancy in operation; G06F11/1402 Saving, restoring, recovering or retrying; G06F11/1446 Point-in-time backing up or restoration of persistent data)
- G06F16/148: File search processing (under G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/10 File systems; file servers; G06F16/14 Details of searching files based on file metadata)
- G06F16/9035: Filtering based on additional data, e.g. user or group profiles (under G06F16/00; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/903 Querying)
- G06F16/907: Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually (under G06F16/00; G06F16/90)
- G06F2221/034: Test or assess a computer or a system (under G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Abstract
The invention relates to a method for implementing a security audit function on the Android system, characterised by the following steps: an audit function is configured, and the kernel audit log and the system audit log are checked through audit-log filtering. The kernel audit log is read from /proc/kmsg with the dmesg command; the system audit log is read from the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio. With this method for implementing a security audit function on the Android system, key information is found by configuring the audit filtering function.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a method for implementing a security audit function on the Android system.
Background
Android log messages record hardware, software and system problems and can also be used to monitor events occurring in the system. Through them the user can find the cause of an error or, after an attack, look for traces left by the attacker.
Android provides a lightweight log mechanism whose implementation runs through the various layers of Android: Java, JNI, native C/C++ code and the Linux kernel driver.
Android log messages fall into two categories: Linux kernel messages and Android system logs.
1. Linux kernel messages
In the Linux kernel, log messages are of two types:
(1) Debugging messages of the kernel, driver loading information and the like, mainly printed through printk.
(2) Messages wrapped through the audit interface, which are mainly delivered to user space through netlink.
Both types of message are finally written into a kernel log buffer that works like a ring buffer. The buffer is read through the memory file system /proc/kmsg, and at any time only one process with superuser privileges may read this file. The messages can be retrieved with the syslog system call, and are usually retrieved with the dmesg tool or the klogd daemon. /proc/kmsg is a special file: its contents are consumed each time it is read, and a read blocks until data is available.
The output log format is as follows:

<4>[0.270516]Mount-cache hash table entries:512

Here <4> is the log level; printk provides eight log levels:
- <0> KERN_EMERG: system is unusable
- <1> KERN_ALERT: action must be taken immediately
- <2> KERN_CRIT: critical conditions
- <3> KERN_ERR: error conditions
- <4> KERN_WARNING: warning conditions
- <5> KERN_NOTICE: normal but noteworthy condition
- <6> KERN_INFO: informational messages
- <7> KERN_DEBUG: debug-level messages
The avc cache messages of the SELinux module are also placed in this buffer, so this file has to be read if avc messages are to be filtered.
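As an added illustration of the kernel log format just described (this is not code from the patent), the following Python parses dmesg / /proc/kmsg lines, maps the <N> prefix to the printk level names listed above, and filters by severity or for SELinux avc messages. The sample buffer is constructed here; only its first line is the one quoted in the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# printk levels as listed above (numeric prefix -> symbolic name)
KERN_LEVELS = {
    0: "KERN_EMERG", 1: "KERN_ALERT", 2: "KERN_CRIT", 3: "KERN_ERR",
    4: "KERN_WARNING", 5: "KERN_NOTICE", 6: "KERN_INFO", 7: "KERN_DEBUG",
}

# "<level>[ seconds.micros] message", the /proc/kmsg line format quoted above;
# the timestamp may or may not be padded with spaces
KMSG_RE = re.compile(r"^<(\d+)>\[\s*(\d+\.\d+)\]\s?(.*)$")


@dataclass
class KernelLogEntry:
    level: int
    timestamp: float
    message: str

    @property
    def level_name(self) -> str:
        return KERN_LEVELS.get(self.level, "UNKNOWN(%d)" % self.level)

    @property
    def is_avc(self) -> bool:
        # SELinux access-vector-cache messages land in the same ring buffer;
        # the "avc:" marker is how they are recognised here
        return "avc:" in self.message


def parse_kmsg(text: str) -> List[KernelLogEntry]:
    """Parse dmesg / /proc/kmsg output, skipping lines without the <N>[ts] prefix."""
    entries = []
    for line in text.splitlines():
        m = KMSG_RE.match(line)
        if m:
            entries.append(KernelLogEntry(int(m.group(1)), float(m.group(2)), m.group(3)))
    return entries


def filter_kmsg(entries: List[KernelLogEntry], max_level: Optional[int] = None,
                avc_only: bool = False) -> List[KernelLogEntry]:
    """Keep entries at least as severe as max_level (lower number = more severe),
    optionally restricted to SELinux avc messages."""
    kept = []
    for e in entries:
        if max_level is not None and e.level > max_level:
            continue
        if avc_only and not e.is_avc:
            continue
        kept.append(e)
    return kept


# Constructed sample buffer: the first line is the one quoted in the text,
# the others are made up here in the same format (the avc line mimics a
# SELinux denial as written to the kernel log by the audit subsystem)
SAMPLE_KMSG = (
    "<4>[0.270516]Mount-cache hash table entries:512\n"
    "<6>[    1.102233] SELinux:  Initializing.\n"
    "<5>[   12.345678] audit: type=1400 audit(1617700000.123:42): avc:  denied  "
    "{ read } for  pid=1234 comm=\"app\" name=\"kmsg\" dev=\"proc\" "
    "scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc_kmsg:s0 tclass=file permissive=0\n"
    "<3>[   20.000001] init: Service 'example' (pid 99) exited with status 1\n"
)

if __name__ == "__main__":
    for e in filter_kmsg(parse_kmsg(SAMPLE_KMSG), max_level=4):
        print("%-12s %10.6f %s" % (e.level_name, e.timestamp, e.message))
```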
2. Android system log
The Android log system provides a facility for recording and viewing system debugging information. Logs are recorded from various software components into a number of system buffers, which can be viewed with the logcat command.
Logcat is a command of the Android shell; it can be run after entering the shell with adb shell, or directly with adb logcat.
Syntax:
[adb] logcat [<option>] ... [<filter-spec>] ...
The output log format is as follows:

14-04 09:32:35.905 D/AndroidRuntime(1071): CheckJNI is ON

Options:
- -b <buffer> specifies the log buffer to view, which may be system, events, radio or main. These correspond to the system, events, radio and main log files under the Android /dev/log directory. The default is system and main. The option may be given several times to select several buffers.
- -c clears the log.
- -d dumps the log to the screen.
- -v <format> sets the log entry format; with "-v time", for example, the time at which each entry was generated is displayed.
The options above are the ones our front-end application needs in order to view the log files.
Every Android log message carries a tag and a priority. The tag is a short identifier of the system component that produced the message, and is the tag argument of the Log.v, Log.d, Log.i, Log.w and Log.e family of functions.
The priorities, from low to high, are:
- V - Verbose: any message is output; corresponds to the Log.v functions
- D - Debug: only debug information is output; corresponds to the Log.d functions
- I - Info: general informational messages
- W - Warning: warnings, which usually point at Android code worth optimising
- E - Error: errors, shown in red
- F - Fatal: fatal errors
- S - Silent: nothing is output
Android log messages include system log messages, application log messages, security log messages and so on, so there are far too many of them and key information is hard to find.
The main purpose of security auditing is to detect and prevent intrusion into a computer system by illegal users and to reveal misoperation by legitimate users. It provides a detailed and reliable basis for investigating and locating the causes of incidents, for prediction and alarms before an incident and for real-time handling afterwards, so that once an event violating the system's security rules has occurred, the place and process of the event and the persons responsible can be traced effectively.
Security auditing achieves two goals: first, it provides information that helps a damaged system with loss assessment and recovery; second, it records security-related behaviour in detail so that this behaviour can be analysed to find unsafe factors in the system.
Disclosure of Invention
The invention provides a method for implementing a security audit function on the Android system. It comprises configuring an audit function and checking the kernel audit log and the system audit log through audit-log filtering, where the kernel audit log is read from /proc/kmsg with the dmesg command, and the system audit log is read from the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio.
The configuration of the audit function comprises setting an audit switch, setting an audit log backup function and setting an audit log processing function, where:
the audit switch turns auditing of the configured Tag on or off by calling the interface of the framework layer, thereby turning the audit service on or off;
the audit log backup function backs up the system log file and the kernel log file by exporting the log table in the database to the local directory /sdcard/backuplog/ in csv format, so that the user can view the backup data in that directory;
the audit log processing function lets the user choose how to proceed when the audit log file stored in the database is full, through functions such as stopping the writing of the audit log, restarting the writing of the audit log, and sending a mail reminder.
For the system audit log, key information is found through time filtering, priority filtering, Tag filtering or keyword filtering.
The time filtering function is implemented as follows: the log information within a time period entered by the user is displayed; the time of each log in the log file is compared with that period, and the log is displayed if its time lies within the period and not displayed otherwise.
The priority filtering function is implemented as follows: the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of every log; if they match the log is displayed, otherwise it is not.
The Tag filtering function is implemented as follows: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of every log; if they match the log is displayed, otherwise it is not.
The keyword filtering function is implemented as follows: a search is carried out with the keyword entered by the user; whether the log information contains the keyword is checked, and if it does the log is displayed, otherwise it is not.
With this method for implementing a security audit function on the Android system, key information is found by configuring the audit filtering function.
Detailed Description
To further explain the technical solution and its advantages, a detailed description is given below.
The invention presents a security audit implementation for the Android system from two aspects: configuration of the audit function and setting up audit checking.
First, audit configuration
Three functions are implemented: audit switch settings, audit log backup and audit log processing.
1. Audit switch settings
The audit switch settings cover turning the audit service on and off. This module mainly calls the interface of the framework layer. When the audit service state is set to on, auditing of the configured Tag is started, i.e. the log information related to that Tag can be viewed in the log list; when the state is set to off, auditing of the configured Tag is stopped and the log information of that Tag no longer appears in the log list.
The services that can be switched on and off are isic, ctmm, user login and device management; switching is done by passing an interface parameter, true to turn on and false to turn off.
The relevant interface calls are:

```java
// turn the four audit switches on in the settings UI
auditIsicStatusSet.setEnabled(true);
auditUserLoginStatusSet.setEnabled(true);
auditDevManagerStatusSet.setEnabled(true);
auditCtmmStatusSet.setEnabled(true);
// persist the audit service state for each service
// (serviceStatusShare is assumed to be a SharedPreferences.Editor)
serviceStatusShare.putBoolean("isicaudit", true);
serviceStatusShare.putBoolean("userloginaudit", true);
serviceStatusShare.putBoolean("devmanageraudit", true);
serviceStatusShare.putBoolean("ctmmaudit", true);
serviceStatusShare.commit(); // apply the settings
```
2. Audit log backup
The audit log backup comprises the backup of the system log file and the backup of the kernel log file. The backup exports the log table in the database to the local directory /sdcard/backuplog/ in csv format, where the user can view the backup data. The main implementation code:
```java
// Export the audit log table (Cursor c over the database query) to
// /sdcard/backuplog/<time><fileName> as a CSV file
String path = "/sdcard/backuplog";
File backPath = new File(path);
if (!backPath.exists()) {
    backPath.mkdirs();
}
File saveFile = new File(backPath, time + fileName);
backupFileLength = 0;
sendMsg(0); // notify backup start
try {
    rowCount = c.getCount();
    colCount = c.getColumnCount();
    fw = new FileWriter(saveFile);
    bfw = new BufferedWriter(fw);
    if (rowCount > 0) {
        c.moveToFirst();
        // write header
        for (int i = 0; i < colCount; i++) {
            if (i != colCount - 1)
                bfw.write(c.getColumnName(i) + ',');
            else
                bfw.write(c.getColumnName(i));
        }
        // line feed after header write
        bfw.newLine();
        // write data
        for (int i = 0; i < rowCount; i++) {
            c.moveToPosition(i);
            for (int j = 0; j < colCount; j++) {
                // values are written unquoted: a log message containing ',' or a
                // newline will break the CSV layout when the backup is re-read
                if (j != colCount - 1)
                    bfw.write(c.getString(j) + ',');
                else
                    bfw.write(c.getString(j));
            }
            // line feed after writing each record
            bfw.newLine();
            backupFileLength += 1;
            sendMsg(1); // update progress bar
        }
    }
    // write cached data to file
    bfw.flush();
    sendMsg(2); // notify backup completion
} catch (IOException e) {
    // catch block added: the original fragment had none, so a failed write
    // would not compile; "AuditBackup" is an assumed log tag
    Log.e("AuditBackup", "backup failed", e);
} finally {
    // release cache
    if (bfw != null) {
        try {
            bfw.close();
        } catch (IOException ignored) {
        }
    }
}
```
3. Audit log processing
Audit log processing defines what should be done when the audit log file stored in the database is full, for example stopping the writing of the audit log, restarting the writing of the audit log, or sending a mail reminder.
Stop auditing: audit records simply stop being written to the database.
Restart writing: the existing records in the database are deleted and audit records are written to the database again from the beginning.
Mail reminder: when the number of audit records in the database reaches a specified value, an e-mail is sent to remind the user that the number of audit logs has reached that value, and at the same time writing to the database is stopped.
The mail reminder is implemented by sending mail through JavaMail. The Android version of the JavaMail package must be downloaded, and its three packages are added to the Eclipse project for development.
The implementation steps are:
(1) establish a Session with the mail server;
(2) construct a mail message (MimeMessage);
(3) send the mail with Transport.
Note: the network permission must be added under Android.
Because the mail is sent in the background, the necessary information has to be collected in advance, since the user is not asked to enter it.
The main code is as follows:
The mail sending method mainly uses methods from the mail.jar package: it first checks some user authentication information, then fills in the mail information collected from the user, and finally calls the Transport.send() method to send the mail set up by the user.
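The three full-log policies described above (stop, restart, mail reminder), as an added example that is not the patent's code. It models the audit table with an in-memory SQLite table and takes the mail step as an injected callable standing in for the JavaMail send; the capacity, the table layout and the message text are assumptions.

```python
import sqlite3
from enum import Enum
from typing import Callable, Optional


class FullPolicy(Enum):
    STOP = "stop"        # stop auditing: no more records are written
    RESTART = "restart"  # delete the existing records and write again from the beginning
    MAIL = "mail"        # send a reminder when the threshold is reached, then stop writing


class AuditStore:
    """Audit log table with a record limit and a user-selected policy for when it is full."""

    def __init__(self, capacity: int, policy: FullPolicy,
                 send_mail: Optional[Callable[[str], None]] = None):
        self.capacity = capacity
        self.policy = policy
        self.send_mail = send_mail  # stands in for the JavaMail step: any callable taking the text
        self.writing_enabled = True
        self.mail_sent = False
        self.db = sqlite3.connect(":memory:")  # in-memory table for the example
        self.db.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, time TEXT, tag TEXT, msg TEXT)")

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM audit").fetchone()[0]

    def restart(self) -> None:
        """Restart writing: drop existing records and accept new ones from the beginning."""
        self.db.execute("DELETE FROM audit")
        self.db.commit()
        self.writing_enabled = True
        self.mail_sent = False

    def write(self, time: str, tag: str, msg: str) -> bool:
        """Insert one audit record; returns False if it was dropped because writing is stopped."""
        if not self.writing_enabled:
            return False
        if self.count() >= self.capacity:
            # only the RESTART policy reaches a full table with writing still enabled
            self.restart()
        self.db.execute("INSERT INTO audit (time, tag, msg) VALUES (?, ?, ?)", (time, tag, msg))
        self.db.commit()
        if self.count() >= self.capacity:
            if self.policy is FullPolicy.STOP:
                self.writing_enabled = False
            elif self.policy is FullPolicy.MAIL:
                if self.send_mail is not None and not self.mail_sent:
                    self.send_mail("audit log has reached %d records; writing stopped" % self.capacity)
                    self.mail_sent = True
                self.writing_enabled = False
        return True
```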
Second, audit checking
Audit checking mainly covers viewing and filtering the kernel audit log and viewing and filtering the system audit log; filtering the audit log addresses the problem that there is too much log information and key information is hard to find.
When the audit log is viewed, the kernel log file /proc/kmsg cannot be read with the cat command even if the Android front-end application has obtained root privileges; this problem is solved by obtaining the relevant information with the dmesg command. Reading /proc/kmsg with the dmesg command requires root privileges, and the main program is implemented as follows:
The system audit log is obtained by reading the contents of the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio; the command used is logcat -d -v time -b main -b system -b events -b radio, and the main program is implemented as follows:
Audit filtering is divided into four categories: filtering by time, filtering by priority, filtering by Tag and filtering by keyword. The user selects a filtering method and the corresponding query results are displayed.
(1) Filtering by time: the log information within a time period entered by the user is displayed; the time of each log in the log file is compared with that period, and the log is displayed if its time lies within the period and not displayed otherwise. The main implementation code is as follows:
(2) Filtering by priority: similar to time filtering, the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of every log; if they match the log is displayed, otherwise it is not. The priority levels are: "verbose", "debug", "info", "warn", "error", "fatal", "silent".
The main implementation code is as follows:
(3) Filtering by Tag: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of every log; if they match the log is displayed, otherwise it is not.
The main implementation code is as follows:
(4) Filtering by keyword: a search is carried out with the keyword entered by the user; whether the log information contains the keyword is checked, and if it does the log is displayed, otherwise it is not. The main implementation code is as follows:
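The four filters above, as an added example that is not the patent's code: it parses "logcat -v time" output (the format shown in the Background section) into entries with time, priority, tag, pid and message, then applies time, priority, Tag and keyword filtering as the text describes (exact match for priority and Tag, substring match for the keyword). The sample log lines are constructed; the year is absent from "-v time" output, so time comparison assumes all entries fall in one year.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Priority names as the text lists them, mapped to the single-letter form logcat prints
PRIORITY_LETTERS = {"verbose": "V", "debug": "D", "info": "I", "warn": "W",
                    "error": "E", "fatal": "F", "silent": "S"}

# One "logcat -v time" line: MM-DD HH:MM:SS.mmm P/Tag( PID): message
LOGCAT_TIME_RE = re.compile(
    r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ([VDIWEFS])/(.*?)\(\s*(\d+)\): ?(.*)$")

TIME_FMT = "%m-%d %H:%M:%S.%f"  # "-v time" omits the year, so strptime fills in 1900


@dataclass
class LogEntry:
    time: datetime
    priority: str
    tag: str
    pid: int
    message: str


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT)


def parse_logcat(text: str) -> List[LogEntry]:
    """Parse "logcat -v time" output; lines that do not match (e.g. buffer headers) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_TIME_RE.match(line)
        if m:
            entries.append(LogEntry(parse_time(m.group(1)), m.group(2), m.group(3).strip(),
                                    int(m.group(4)), m.group(5)))
    return entries


def filter_by_time(entries: List[LogEntry], start: str, end: str) -> List[LogEntry]:
    """Keep entries whose time lies within the user-entered period [start, end]."""
    lo, hi = parse_time(start), parse_time(end)
    return [e for e in entries if lo <= e.time <= hi]


def filter_by_priority(entries: List[LogEntry], priority: str) -> List[LogEntry]:
    """Keep entries whose priority equals the user-entered one ("warn" or "W")."""
    wanted = PRIORITY_LETTERS.get(priority.lower(), priority.upper())
    return [e for e in entries if e.priority == wanted]


def filter_by_tag(entries: List[LogEntry], tag: str) -> List[LogEntry]:
    """Keep entries whose Tag field equals the user-entered Tag."""
    return [e for e in entries if e.tag == tag]


def filter_by_keyword(entries: List[LogEntry], keyword: str) -> List[LogEntry]:
    """Keep entries whose message contains the keyword (case-insensitive)."""
    k = keyword.lower()
    return [e for e in entries if k in e.message.lower()]


# Constructed sample in "logcat -v time" format (not real device output)
SAMPLE_LOGCAT = """--------- beginning of main
04-14 09:32:35.905 D/AndroidRuntime( 1071): CheckJNI is ON
04-14 09:32:36.120 I/ActivityManager(  512): Start proc com.example.app for activity
04-14 09:32:40.003 W/PackageManager(  512): Permission WRITE_SECURE_SETTINGS not granted to com.example.app
04-14 09:33:01.777 E/AuditService( 2048): login failed for user admin from 10.0.0.5
04-14 09:35:12.004 I/AuditService( 2048): login succeeded for user admin
"""

if __name__ == "__main__":
    logs = parse_logcat(SAMPLE_LOGCAT)
    for e in filter_by_keyword(filter_by_tag(logs, "AuditService"), "failed"):
        print(e.time.strftime(TIME_FMT), e.priority, e.tag, e.pid, e.message)
```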
although the present invention has been described with reference to the preferred embodiments, it should be understood that the scope of the present invention is not limited thereto, and those skilled in the art will appreciate that various changes and modifications can be made without departing from the spirit and scope of the present invention.
Claims (7)
1. A method for implementing a security audit function on the Android system, characterised by comprising the following steps: an audit function is configured, and the kernel audit log and the system audit log are checked through audit-log filtering, where the kernel audit log is read from /proc/kmsg with the dmesg command, and the system audit log is read from the four files /dev/log/main, /dev/log/system, /dev/log/events and /dev/log/radio with the command logcat -d -v time -b main -b system -b events -b radio.
2. The method for implementing a security audit function on the Android system of claim 1, wherein the configuration of the audit function comprises setting an audit switch, setting an audit log backup function and setting an audit log processing function, where:
the audit switch turns auditing of the configured Tag on or off by calling the interface of the framework layer, thereby turning the audit service on or off;
the audit log backup function backs up the system log file and the kernel log file by exporting the log table in the database to the local directory /sdcard/backuplog/ in csv format, so that the user can view the backup data in that directory;
the audit log processing function lets the user choose how to proceed when the audit log file stored in the database is full, through functions such as stopping the writing of the audit log, restarting the writing of the audit log, and sending a mail reminder.
3. The method for implementing a security audit function on the Android system of claim 1, wherein the checking of the system audit log finds the key information through time filtering, priority filtering, Tag filtering or keyword filtering.
4. The method for implementing a security audit function on the Android system of claim 3, wherein the time filtering function is implemented as follows: the log information within a time period entered by the user is displayed; the time of each log in the log file is compared with that period, and the log is displayed if its time lies within the period and not displayed otherwise.
5. The method for implementing a security audit function on the Android system of claim 3, wherein the priority filtering function is implemented as follows: the required log information is filtered by the priority entered by the user, i.e. the priority entered by the user is compared with the priority field of every log; if they match the log is displayed, otherwise it is not.
6. The method for implementing a security audit function on the Android system of claim 3, wherein the Tag filtering function is implemented as follows: the required log information is filtered by the Tag entered by the user, i.e. the Tag entered by the user is compared with the Tag field of every log; if they match the log is displayed, otherwise it is not.
7. The method for implementing a security audit function on the Android system of claim 3, wherein the keyword filtering function is implemented as follows: a search is carried out with the keyword entered by the user; whether the log information contains the keyword is checked, and if it does the log is displayed, otherwise it is not.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110366671.XA CN113221101A (en) | 2021-04-06 | 2021-04-06 | Method for realizing safety audit function based on android system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113221101A true CN113221101A (en) | 2021-08-06 |
Family
ID=77086406
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110366671.XA Pending CN113221101A (en) | 2021-04-06 | 2021-04-06 | Method for realizing safety audit function based on android system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113221101A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103944761A (en) * | 2014-04-18 | 2014-07-23 | 深圳芯智汇科技有限公司 | Android log information filter method and system |
US20150193216A1 (en) * | 2012-07-19 | 2015-07-09 | Tencent Technology (Shenzhen) Company Limited | Method and system for installing application |
CN106570163A (en) * | 2016-11-07 | 2017-04-19 | 深圳市任子行科技开发有限公司 | Unreliable environment-oriented audit log read-write managing method and system |
CN109446816A (en) * | 2018-10-18 | 2019-03-08 | 中电科大数据研究院有限公司 | A kind of user behavior analysis method based on big data platform audit log |
CN109614812A (en) * | 2018-09-25 | 2019-04-12 | 北京计算机技术及应用研究所 | File outgoing managing and control system and method under a kind of security application environment |
- 2021-04-06: CN CN202110366671.XA patent/CN113221101A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||