CN114357453A - Vulnerability repairing method and device and storage medium - Google Patents


Info

Publication number
CN114357453A
Authority
CN
China
Prior art keywords
repair
component
vulnerability
bug
scanning component
Legal status
Pending
Application number
CN202111499400.8A
Other languages
Chinese (zh)
Inventor
宋兵
梅世超
肖钦文
朱怡晓
刘花婷
Current Assignee
Shenzhou Lvmeng Chengdu Technology Co ltd
Original Assignee
Shenzhou Lvmeng Chengdu Technology Co ltd

Abstract

The disclosure relates to the field of network security and discloses a vulnerability repairing method, device and storage medium. The method comprises the following steps: while the vulnerability scanning component performs vulnerability detection on the internal components, if a target internal component that needs a vulnerability repaired is detected among the internal components, the vulnerability scanning component sends a repair package request to the host through the first connection path based on the detected vulnerability information of the target internal component, the internal components comprising the host and at least one security component; after the repair package returned by the host in response to the repair package request is received through the second connection path, the repair package is applied to repair the vulnerability in the target internal component. The first connection path is a connection path established between the vulnerability scanning component and the internal components through the management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal components through the virtual interface, so that the efficiency and accuracy of vulnerability detection in the integrated security device are improved.

Description

Vulnerability repairing method and device and storage medium
Technical Field
The disclosure relates to the technical field of network security, and provides a vulnerability repairing method, device and storage medium.
Background
The integrated security device can be externally connected to various security capabilities and provides multi-dimensional protection for the connected security capabilities. The integrated security device implements containerized packaging of key services and virtualized management of security capabilities, has the characteristics of unified management and elastic expansion, and can provide one-stop security protection for networks, hosts, applications and data.
However, at present, vulnerability detection, repair and update, log statistics and the like for the host and the security components inside the integrated security device mainly depend on operation and maintenance personnel processing each point manually, or on manually and periodically applying upgrade packages. Manual detection has the problems of low efficiency, untimely response and passive lag; in particular, when a vulnerability such as a 0-day is encountered, operation and maintenance personnel cannot detect it in time, and the operation of the integrated security device can be greatly affected.
Disclosure of Invention
The embodiments of the disclosure provide a vulnerability repairing method, device and storage medium, which are used to guarantee the efficiency and accuracy of vulnerability detection in an integrated security device.
The specific technical scheme provided by the disclosure is as follows:
In a first aspect, an embodiment of the present disclosure provides a vulnerability repairing method, applied to an integrated security device, the method comprising:
while the vulnerability scanning component performs vulnerability detection on the internal components, if a target internal component that needs a vulnerability repaired is detected among the internal components by the vulnerability scanning component, sending, by the vulnerability scanning component, a repair package request to the host through a first connection path based on the detected vulnerability information of the target internal component; wherein the internal components comprise the host and at least one security component;
after a repair package returned by the host in response to the repair package request is received through a second connection path, applying, by the vulnerability scanning component, the repair package to repair the vulnerability in the target internal component;
the first connection path is a connection path established between the vulnerability scanning component and the internal component through the management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal component through the virtual interface.
Optionally, before the vulnerability scanning component performs vulnerability detection on the internal components, the method further comprises:
determining, by the vulnerability scanning component, the management port and the service port of each internal component;
establishing, by the vulnerability scanning component, a management path between each management port and the management bridge, configuring, by the management bridge, a first destination address for each management port, and taking the management path carrying the first destination address as the first connection path;
configuring, by the vulnerability scanning component, a virtual interface for each service port, establishing a traffic path between the virtual interface and the packet processing framework, triggering the proxy bridge built into the packet processing framework to configure a second destination address for each service port, and taking the traffic path carrying the second destination address as the second connection path.
Optionally, the vulnerability information is determined by:
if a target internal component that needs a vulnerability repaired is detected among the internal components by the vulnerability scanning component, determining the vulnerability level of the detected vulnerability, and determining the first destination address and the second destination address corresponding to the internal component;
and taking, by the vulnerability scanning component, the vulnerability level, the first destination address and the second destination address together as the vulnerability information.
Optionally, after sending the repair package request to the host through the first connection path and before receiving the repair package returned by the host in response to the repair package request through the second connection path, the method further comprises:
searching, by the host, whether a vulnerability scanning component corresponding to the repair package request exists among the vulnerability scanning components;
if so, parsing the repair file carried in that vulnerability scanning component;
otherwise, requesting, by the host, the repair file corresponding to the repair package request from the repair package site, wherein the repair package site is connected to the integrated security device through the internet;
and generating, by the host, a configuration file for the repair file, and generating, by the host, the repair package based on the vulnerability information, the repair file and the configuration file.
Optionally, applying, by the vulnerability scanning component, the repair package to repair the vulnerability in the target internal component comprises:
checking, by the vulnerability scanning component, whether the vulnerability information carried in the received repair package is consistent with the vulnerability level corresponding to the detected target internal component;
if consistent, converting the repair file into a Docker image or a Chart package based on the configuration file when the target internal component is determined to be the host, or converting the repair file into an RPM package based on the configuration file when the target internal component is determined to be a security component;
after the repair instruction from the host is received through the first connection path, repairing, by the vulnerability scanning component, the vulnerability on the host by applying the Docker image or the Chart package, or repairing, by the vulnerability scanning component, the vulnerability on the security component by applying the RPM package.
Optionally, the method further comprises:
recording, by the vulnerability scanning component, a corresponding repair log during the vulnerability repair, and sending the repair log to the host, wherein the repair log comprises the repair time and the repair result;
and if the repair time exceeds the preset repair period and the repair result is failure, notifying, by the host, the user end to repair the vulnerability corresponding to that repair result again.
Optionally, the virtual interface comprises a Vhost-user interface or a veth interface.
In a second aspect, an embodiment of the present disclosure further provides a vulnerability repairing apparatus, comprising:
a detection unit, used for: while the vulnerability scanning component performs vulnerability detection on the internal components, if a target internal component that needs a vulnerability repaired is detected among the internal components by the vulnerability scanning component, sending, by the vulnerability scanning component, a repair package request to the host through the first connection path based on the detected vulnerability information of the target internal component; wherein the internal components comprise the host and at least one security component;
a repairing unit, used for: after the repair package returned by the host in response to the repair package request is received through the second connection path, applying, by the vulnerability scanning component, the repair package to repair the vulnerability in the target internal component;
the first connection path is a connection path established between the vulnerability scanning component and the internal component through the management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal component through the virtual interface.
Optionally, before the vulnerability scanning component performs vulnerability detection on the internal components, the following is further performed:
determining, by the vulnerability scanning component, the management port and the service port of each internal component;
establishing, by the vulnerability scanning component, a management path between each management port and the management bridge, configuring, by the management bridge, a first destination address for each management port, and taking the management path carrying the first destination address as the first connection path;
configuring, by the vulnerability scanning component, a virtual interface for each service port, establishing a traffic path between the virtual interface and the packet processing framework, triggering the proxy bridge built into the packet processing framework to configure a second destination address for each service port, and taking the traffic path carrying the second destination address as the second connection path.
Optionally, the vulnerability information is determined by:
if a target internal component that needs a vulnerability repaired is detected among the internal components by the vulnerability scanning component, determining the vulnerability level of the detected vulnerability, and determining the first destination address and the second destination address corresponding to the internal component;
and taking, by the vulnerability scanning component, the vulnerability level, the first destination address and the second destination address together as the vulnerability information.
Optionally, after sending the repair package request to the host through the first connection path and before receiving the repair package returned by the host in response to the repair package request through the second connection path, the following is further performed:
searching, by the host, whether a vulnerability scanning component corresponding to the repair package request exists among the vulnerability scanning components;
if so, parsing the repair file carried in that vulnerability scanning component;
otherwise, requesting, by the host, the repair file corresponding to the repair package request from the repair package site, wherein the repair package site is connected to the integrated security device through the internet;
and generating, by the host, a configuration file for the repair file, and generating, by the host, the repair package based on the vulnerability information, the repair file and the configuration file.
Optionally, when the vulnerability in the target internal component is repaired by the vulnerability scanning component applying the repair package, the repairing unit is configured to:
check, by the vulnerability scanning component, whether the vulnerability information carried in the received repair package is consistent with the vulnerability level corresponding to the detected target internal component;
if consistent, convert the repair file into a Docker image or a Chart package based on the configuration file when the target internal component is determined to be the host, or convert the repair file into an RPM package based on the configuration file when the target internal component is determined to be a security component;
after the repair instruction from the host is received through the first connection path, repair, by the vulnerability scanning component, the vulnerability on the host by applying the Docker image or the Chart package, or repair, by the vulnerability scanning component, the vulnerability on the security component by applying the RPM package.
Optionally, the following is further performed:
recording, by the vulnerability scanning component, a corresponding repair log during the vulnerability repair, and sending the repair log to the host, wherein the repair log comprises the repair time and the repair result;
and if the repair time exceeds the preset repair period and the repair result is failure, notifying, by the host, the user end to repair the vulnerability corresponding to that repair result again.
Optionally, the virtual interface comprises a Vhost-user interface or a veth interface.
In a third aspect, an integrated security device comprises:
a memory for storing executable instructions;
a processor for reading and executing the executable instructions stored in the memory to implement the method of any one of the first aspect.
In a fourth aspect, a computer-readable storage medium, wherein instructions in the medium, when executed by a processor, enable the processor to perform the method of any one of the first aspect.
The beneficial effects of this disclosure are as follows:
In summary, the embodiments of the present disclosure provide a vulnerability repairing method, apparatus and storage medium, where the method comprises: while the vulnerability scanning component performs vulnerability detection on the internal components, if a target internal component that needs a vulnerability repaired is detected among the internal components, the vulnerability scanning component sends a repair package request to the host through a first connection path based on the detected vulnerability information of the target internal component, wherein the internal components comprise the host and at least one security component; and after the repair package returned by the host in response to the repair package request is received through a second connection path, the vulnerability scanning component applies the repair package to repair the vulnerability in the target internal component, wherein the first connection path is a connection path established between the vulnerability scanning component and the internal components through a management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal components through a virtual interface. In this way the efficiency and accuracy of vulnerability detection in the integrated security device are improved, and the secure operation of the integrated security device is guaranteed.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:
Fig. 1 is a schematic diagram of a system architecture for repairing a vulnerability according to an embodiment of the present disclosure;
Fig. 2 is a schematic flow chart illustrating vulnerability repair according to an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart illustrating the determination of the first connection path and the second connection path in an embodiment of the present disclosure;
Fig. 4 is a schematic flow chart illustrating the process of repairing a detected vulnerability according to an embodiment of the present disclosure;
Fig. 5 is a schematic flow chart illustrating how a vulnerability is repaired again in an embodiment of the present disclosure;
Fig. 6 is a schematic diagram of the logical architecture of a vulnerability repairing apparatus according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of the physical architecture of an integrated security device in an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments described in the present disclosure without any creative effort belong to the protection scope of the technical solution of the present disclosure.
The terms "first," "second," and the like in the description and in the claims, and in the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein.
Preferred embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, in the embodiment of the present disclosure, a system comprises at least one integrated security device, and a vulnerability scanning component and internal components are disposed inside the integrated security device, where the internal components comprise a host and at least one security component. It should be noted that, with respect to the vulnerability scanning component and the security components inside the integrated security device, the host is the machine that controls and manages the vulnerability scanning component, the security components and the like; the vulnerability scanning component and the other security components run as virtual machines controlled by the host. The vulnerability scanning component can be understood as several vulnerability scanning components of different types, or as different types of scanning parts within one vulnerability scanning component.
In the embodiment of the present disclosure, the implementation of the vulnerability repairing method is mainly performed inside the integrated security device, that is, a vulnerability scanning component arranged inside the integrated security device performs vulnerability detection and repair on a host or a security component, which is described in detail below.
Referring to fig. 2, in the embodiment of the present disclosure, a specific process of the integrated security device executing bug fixing is as follows:
Step 201: while the vulnerability scanning component performs vulnerability detection on the internal components, if a target internal component that needs a vulnerability repaired is detected among the internal components by the vulnerability scanning component, sending, by the vulnerability scanning component, a repair package request to the host through a first connection path based on the detected vulnerability information of the target internal component; wherein the internal components comprise the host and at least one security component.
Since vulnerabilities in the internal components arise in real time during operation of the integrated security device, a detection period is usually defined for detecting the vulnerabilities of the internal components; the duration of the detection period is not specifically limited. In addition, the internal components comprise the host and at least one security component, where the number of security components is set according to the type of the integrated security device.
It should be noted that before the vulnerability scanning component performs vulnerability detection on the internal components, as shown in Fig. 3, the method further comprises:
Step 101: determining, by the vulnerability scanning component, the management port and the service port of each internal component.
First, each internal component and the vulnerability scanning component are each provided with a management port and a service port. Control instructions such as control and management commands are transmitted through the management port, and traffic data such as repair packages are transmitted through the service port. Therefore, in implementation, the vulnerability scanning component determines the management port and the service port of each internal component, and on that basis the connections between management ports and between service ports can be established.
Step 102: establishing, by the vulnerability scanning component, a management path between each management port and the management bridge, configuring, by the management bridge, a first destination address for each management port, and taking the management path carrying the first destination address as the first connection path.
In order to connect the vulnerability scanning component, the host and the security components together, the vulnerability scanning component connects all the determined management ports to the management bridge, forming a management path between each management port and the management bridge.
In order to identify each component clearly, the management bridge configures a first destination address, i.e. an intranet Internet Protocol (IP) address, for each management port, so that the host or security component corresponding to a management port can be found quickly by its IP address, and the relevant repair package can then be sent to that host or security component to complete the vulnerability repair.
In implementation, the first connection path is the connection path established between the vulnerability scanning component and the internal components through the management bridge; specifically, the management path carrying the first destination address is used as the first connection path. That is, the first connection path is the collective name for the management link formed by the host, the security components and the like, and it is used only for transmitting control instructions such as control commands and management commands.
Step 103: configuring, by the vulnerability scanning component, a virtual interface for each service port, establishing a traffic path between the virtual interface and the Vector Packet Processing (VPP) framework, triggering the proxy bridge built into the VPP framework to configure a second destination address for each service port, and taking the traffic path carrying the second destination address as the second connection path.
VPP is an open-source high-performance network forwarding framework that runs in Linux user space, can run on multiple central processing unit (CPU) platforms, and can provide switch or router functions externally.
In order for the repair package to be transmitted among the vulnerability scanning component, the host and the security components, the vulnerability scanning component configures a virtual interface for each service port; specifically, the virtual interface comprises a Vhost-user interface or a veth interface, and the virtual interface is mainly used for transmitting traffic data. Each virtual interface is connected to the VPP, forming a traffic path between the service port and the VPP.
In order to mark the traffic address of each component clearly, the vulnerability scanning component also triggers the proxy bridge of the VPP to configure a second destination address for each service port; the second destination address is configured in the same way as the first destination address, which is not described again here.
In implementation, the second connection path is the connection path established between the vulnerability scanning component and the internal components through the virtual interfaces. Specifically, the traffic path carrying the second destination address is used as the second connection path; that is, the second connection path is the collective name for the traffic link formed by the host, the security components and the like, and it is used only for transmitting traffic data such as repair packages.
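As an added illustration (not code from the patent or its assignee), the following Python simulation models steps 101 to 103: each component gets a management port attached to the management bridge with a first destination address, and a service port attached through a Vhost-user or veth virtual interface to the VPP proxy bridge with a second destination address, and each path refuses to carry the other's message types. The subnets, component names and message type names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Component:
    name: str
    kind: str                 # "scanner", "host" or "security"
    mgmt_port: str = ""       # management port (control instructions)
    svc_port: str = ""        # service port (traffic data such as repair packages)
    first_dst: str = ""       # first destination address, set by the management bridge
    second_dst: str = ""      # second destination address, set by the VPP proxy bridge
    virtual_iface: str = ""   # "vhost-user" or "veth"


class ConnectionPaths:
    """Models the management bridge (first connection path) and the VPP proxy
    bridge reached through virtual interfaces (second connection path)."""

    CONTROL = {"repair_request", "repair_instruction", "repair_log"}  # first path only
    TRAFFIC = {"repair_package"}                                      # second path only

    def __init__(self, mgmt_net, traffic_net):
        # Constructed intranet address pools for the two address spaces (assumption).
        self._mgmt_pool = ip_network(mgmt_net).hosts()
        self._traffic_pool = ip_network(traffic_net).hosts()
        self.first_path = {}    # first_dst -> component
        self.second_path = {}   # second_dst -> component
        self.delivered = []     # (path, component, message type, payload length)

    def attach(self, comp, virtual_iface="veth"):
        if virtual_iface not in ("vhost-user", "veth"):
            raise ValueError("virtual interface must be Vhost-user or veth")
        # Step 101: determine the component's management and service ports.
        comp.mgmt_port = f"{comp.name}-mgmt"
        comp.svc_port = f"{comp.name}-svc"
        # Step 102: management port -> management bridge, first destination address.
        comp.first_dst = str(next(self._mgmt_pool))
        self.first_path[comp.first_dst] = comp
        # Step 103: service port -> virtual interface -> VPP proxy bridge, second address.
        comp.virtual_iface = virtual_iface
        comp.second_dst = str(next(self._traffic_pool))
        self.second_path[comp.second_dst] = comp
        return comp

    @classmethod
    def allowed(cls, path, msg_type):
        """Control instructions belong on the first path, traffic on the second."""
        return msg_type in (cls.CONTROL if path == "first" else cls.TRAFFIC)

    def send(self, path, dst, msg_type, payload=b""):
        if path not in ("first", "second"):
            raise ValueError("path must be 'first' or 'second'")
        if not self.allowed(path, msg_type):
            raise PermissionError(f"{msg_type} is not carried on the {path} connection path")
        table = self.first_path if path == "first" else self.second_path
        comp = table[dst]   # KeyError: this address was never configured on this path
        self.delivered.append((path, comp.name, msg_type, len(payload)))
        return comp.name


if __name__ == "__main__":
    paths = ConnectionPaths("192.168.100.0/24", "192.168.200.0/24")
    scanner = paths.attach(Component("scanner", "scanner"))
    host = paths.attach(Component("host", "host"), "vhost-user")
    ids = paths.attach(Component("ids", "security"))
    print(paths.send("first", host.first_dst, "repair_request"))
    print(paths.send("second", ids.second_dst, "repair_package", b"rpm-bytes"))
```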
After the first connecting path and the second connecting path are established, the loophole can be detected. In a specific implementation process, that is, in a process of performing vulnerability detection on the internal components through the vulnerability scanning component, if a vulnerability needing to be repaired is detected in the host and/or any one of the security components, the host and/or any one of the security components are collectively referred to as a target internal component.
After the target internal component is determined, further determining vulnerability information of the target internal component through a vulnerability scanning component, generating a repair package request according to the vulnerability information, and sending the repair package request to a host machine through the established first connection path.
The following procedure for determining vulnerability information is described first, and vulnerability information is determined in the following manner:
(1) if the target internal component needing to repair the bug is detected in the internal components through the bug scanning component, determining the bug level corresponding to the detected bug needing to repair, and determining a first destination address and a second destination address corresponding to the internal components.
Since the vulnerability detection is targeted by the host and the at least one security component, and the host further includes system components and cluster components (e.g., K8S cluster, etc.), this results in different levels of vulnerability detected. Therefore, in the implementation process, on the basis that the target internal component needing to repair the bug is detected in the internal components through the bug scanning component, the bug level corresponding to the detected bug needing to be repaired needs to be further determined, so as to obtain an accurate repair package.
In addition, in order to transmit the repair packet request and receive the corresponding repair packet, a first destination address and a second destination address corresponding to each internal component are determined, that is, the destination address to which the repair packet request needs to be sent and the destination address to which the repair packet is to be sent are determined to perform specific repair.
(2) And the vulnerability level, the first destination address and the second destination address are all used as vulnerability information through the vulnerability scanning component.
In the implementation process, the detected vulnerability level and the first destination address and the second destination address associated with the detected vulnerability are used as vulnerability information.
And determining the vulnerability information according to the mode, and after generating a repair packet request on the basis, sending the repair packet request to the host machine through the first connecting circuit to obtain a corresponding repair packet.
After sending the repair package request to the host through the first connection path and before receiving the repair package returned by the host for that request through the second connection path, the method further includes:
1) Searching, through the host, whether a vulnerability scanning component corresponding to the repair package request exists in the vulnerability scanning component.
Generally, the vulnerability scanning components inside the integrated security device correspond to vulnerability information from historical detection runs, or to relatively common vulnerability information. This leads to two situations: 1. a vulnerability scanning component inside the integrated security device corresponds to the detected vulnerability information; 2. no vulnerability scanning component inside the integrated security device corresponds to the detected vulnerability information. In the implementation process, the host searches the vulnerability scanning component for a vulnerability scanning component corresponding to the repair package request, that is, it determines whether the detected vulnerability can be repaired by a vulnerability scanning component inside the integrated security device.
2) If so, a vulnerability scanning component corresponding to the repair package request has been found in the integrated security device, so it is determined that the vulnerability scanning component in the integrated security device can repair the detected vulnerability. In this case, the repair file carried in the vulnerability scanning component is parsed directly.
3) Otherwise, no vulnerability scanning component corresponding to the repair package request exists in the integrated security device, so it is determined that the vulnerability scanning component in the integrated security device cannot repair the detected vulnerability. In this case, the host needs to introduce a new repair file in order to generate a repair package and repair the detected vulnerability.
Specifically, the host requests the repair file corresponding to the repair package request from a repair package site, where the repair package site is connected to the integrated security device through the Internet.
It should be noted that a number of repair files are integrated in the repair package site, and their versions are newer than those of the repair files in the vulnerability scanning component; that is, the repair files on the site are kept up to date over the network, and the repair files in the vulnerability scanning component can be updated and optimised from them. The host can obtain the repair file corresponding to the repair package request from the repair package site.
4) Generating, through the host, a configuration file for the repair file, and generating, through the host, a repair package based on the vulnerability information, the repair file and the configuration file.
After the repair file has been obtained through step 2) or step 3), the host needs to generate a corresponding configuration file for the repair file, where the configuration file assists the repair file in repairing the vulnerability. In addition, in order to repair the vulnerability more accurately, the host generates the repair package from the vulnerability information, the repair file and the configuration file together. In this way, after receiving the repair package, the vulnerability scanning component can verify the correctness of the repair package by matching the received vulnerability information against the vulnerability information it generated earlier.
Step 202: after the repair package returned by the host for the repair package request has been received through the second connection path, the vulnerability scanning component applies the repair package to repair the vulnerability to be repaired in the target internal component.
In the implementation process, the vulnerability scanning component receives the repair package returned by the host, which is transmitted through the second connection path between the host and the vulnerability scanning component, and can then repair the vulnerability to be repaired in the target internal component using the repair package. As shown in fig. 4, the repair process specifically includes:
Step 2021: checking, through the vulnerability scanning component, whether the vulnerability information carried in the received repair package matches the vulnerability level corresponding to the detected target internal component.
Generally, a number of vulnerabilities are found when the host and the security component are scanned. In order to obtain a repair package that matches the vulnerability currently being repaired, after the repair package is received the vulnerability scanning component checks whether the vulnerability information carried in the repair package is consistent with the vulnerability level corresponding to the detected target internal component, and thereby determines whether the received repair package is usable.
Step 2022: if they are consistent, converting the repair file into a Docker image or a Chart package based on the configuration file when the target internal component is determined to be the host, or converting the repair file into an RPM package based on the configuration file when the target internal component is determined to be the security component.
In the implementation process, the repair process continues only when the carried vulnerability information is determined to be consistent with the vulnerability level corresponding to the detected target internal component; if the carried vulnerability information is not consistent with that vulnerability level, the repair process is stopped.
On the basis of continuing the repair process, it is further determined whether the target internal component whose vulnerability is to be repaired is the host or a security component. Because the host comprises system components and a K8S cluster, when the target internal component is the host the repair file is converted into a Docker image or a Chart package according to the configuration file, so that the system components, the K8S cluster and the like can be repaired in a targeted manner; when the target internal component is a security component, the repair file is converted into an RPM package according to the configuration file so that the security component can be repaired in a targeted manner.
Step 2023: after a repair instruction from the host has been received through the first connection path, the vulnerability scanning component repairs the vulnerability on the host by applying the Docker image or the Chart package, or repairs the vulnerability on the security component by applying the RPM package.
After the target internal component to be repaired has been determined and the specific repair package (a Docker image, a Chart package, an RPM package, or the like) has been obtained, a repair instruction from the host still needs to be received through the first connection path; that is, the actual repair process only starts after the host's command has been received. In the actual repair process, the vulnerability scanning component repairs the vulnerability on the host using the Docker image or the Chart package, or repairs the vulnerability on the security component using the RPM package.
In addition, it should be noted that after the vulnerability has been repaired the repair result needs to be tracked. As shown in fig. 5, the method further includes:
Step 3011: in the process of repairing the vulnerability through the vulnerability scanning component, recording a corresponding repair log and sending the repair log to the host, where the repair log includes the repair time and the repair result.
Considering that several vulnerabilities may be detected at the same time within a preset repair period and need to be repaired simultaneously through the vulnerability scanning component, in the implementation process the repair status of each vulnerability is recorded, for example the repair time, the repair result, the repair type and the corresponding repair package. These records are collected into a repair log and sent to the host, so that the repair status of all vulnerabilities is gathered in one place and the user side can review it conveniently.
Step 3012: if the repair time exceeds the preset repair period and the repair result is failure, notifying, through the host, the user side to repair the vulnerability corresponding to that repair result again.
In the implementation process, if the repair time exceeds the preset repair period, that is, the time spent repairing a certain vulnerability exceeds the preset repair time, and the repair result is failure, the vulnerability still exists and has not been successfully repaired within the preset repair period. In this case the host notifies the user side, and may additionally send the repair log corresponding to that vulnerability to the user side, so that the user side repairs the vulnerability corresponding to that repair result; the repair method used there is not particularly limited.
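The repair package exchange, the verification and packaging steps (2021 to 2023) and the repair log tracking (3011 and 3012) described above, simulated end to end as an added example that is not part of the patent or of any product of the applicant. The class names, the lookup keyed on the vulnerability information, the "packaging" field of the configuration file, and the sample addresses and file names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Target(Enum):
    HOST = "host"                          # system components plus the K8S cluster
    SECURITY_COMPONENT = "security_component"


@dataclass(frozen=True)
class VulnInfo:
    """Vulnerability information: level plus the two destination addresses."""
    level: str
    first_dest: str   # reached over the management bridge (first connection path)
    second_dest: str  # reached over the virtual interface (second connection path)


@dataclass
class RepairPackage:
    vuln: VulnInfo    # echoed back so the scanning component can verify the package
    repair_file: str
    config: dict      # configuration file generated by the host (assumed layout)


class Host:
    """Host side. The two dicts stand in for the repair files the scanning component
    already carries and for the repair package site on the Internet (constructed)."""

    def __init__(self, scanner_files, site_files):
        self.scanner_files = scanner_files
        self.site_files = site_files

    def handle_request(self, vuln, target):
        """Steps 1)-4): local repair file if present, else fetch from the site, then
        build the package from vulnerability info, repair file and config file."""
        repair_file = self.scanner_files.get(vuln) or self.site_files[vuln]  # KeyError: no fix known
        if target is Target.HOST:
            # Assumption: archive repair files become Chart packages, others Docker images.
            packaging = "chart" if repair_file.endswith(".tgz") else "docker-image"
        else:
            packaging = "rpm"
        return RepairPackage(vuln, repair_file, {"packaging": packaging})


class Scanner:
    """Vulnerability scanning component side: verify, convert, apply, log."""

    def __init__(self, detected, target, repair_period):
        self.detected = detected            # vulnerability info it generated itself
        self.target = target
        self.repair_period = repair_period  # preset repair period, seconds
        self.log = []

    def verify(self, pkg):
        """Step 2021: the package must carry exactly the vulnerability info detected."""
        return pkg.vuln == self.detected

    def convert(self, pkg):
        """Step 2022: stop on mismatch; otherwise pick the artifact for the target kind."""
        if not self.verify(pkg):
            raise ValueError("repair package does not match the detected vulnerability")
        packaging = pkg.config["packaging"]
        allowed = {"docker-image", "chart"} if self.target is Target.HOST else {"rpm"}
        if packaging not in allowed:
            raise ValueError(f"{packaging} is not valid for a {self.target.value}")
        return f"{packaging}:{pkg.repair_file}"

    def apply(self, artifact, repair_instruction, repair_time, succeeded):
        """Steps 2023 and 3011: repair only after the host's instruction arrived on the
        first connection path, then log time and result (the outcome is simulated)."""
        if not repair_instruction:
            raise RuntimeError("no repair instruction received from the host")
        entry = {"artifact": artifact, "repair_time": repair_time,
                 "result": "success" if succeeded else "failure"}
        self.log.append(entry)
        return entry

    def overdue_failures(self):
        """Step 3012: failed repairs that ran past the preset period go to the user side."""
        return [e for e in self.log
                if e["repair_time"] > self.repair_period and e["result"] == "failure"]


def run_demo():
    """Walk a host vulnerability and a security-component vulnerability through the flow."""
    host_vuln = VulnInfo("high", "10.0.0.1", "10.0.1.1")    # constructed sample
    sec_vuln = VulnInfo("medium", "10.0.0.2", "10.0.1.2")   # constructed sample
    host = Host(scanner_files={sec_vuln: "agent-fix-1.2.rpm"},
                site_files={host_vuln: "k8s-fix-0.3.tgz"})
    host_scanner = Scanner(host_vuln, Target.HOST, repair_period=300)
    host_art = host_scanner.convert(host.handle_request(host_vuln, Target.HOST))
    host_scanner.apply(host_art, True, repair_time=420, succeeded=False)
    sec_scanner = Scanner(sec_vuln, Target.SECURITY_COMPONENT, repair_period=300)
    sec_art = sec_scanner.convert(host.handle_request(sec_vuln, Target.SECURITY_COMPONENT))
    sec_scanner.apply(sec_art, True, repair_time=30, succeeded=True)
    return host_art, sec_art, host_scanner.overdue_failures(), sec_scanner.overdue_failures()
```

The host vulnerability is deliberately left to fail past the 300 s period so that it shows up in the overdue list the host would forward to the user side.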
Based on the same inventive concept, referring to fig. 6, an embodiment of the present disclosure provides a vulnerability repair device, including:
a detection unit 601, configured to, in the process of performing vulnerability detection on the internal components through the vulnerability scanning component, if a target internal component needing vulnerability repair is detected in the internal components through the vulnerability scanning component, send a repair package request to the host through the first connection path, by means of the vulnerability scanning component, based on the vulnerability information of the detected target internal component; where the internal components include the host and at least one security component;
a repair unit 602, configured to, after the repair package returned by the host for the repair package request has been received through the second connection path, apply the repair package through the vulnerability scanning component to repair the vulnerability to be repaired in the target internal component;
where the first connection path is a connection path established between the vulnerability scanning component and the internal component through the management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal component through the virtual interface.
Optionally, before performing vulnerability detection on the internal component by the vulnerability scanning component, the method further includes:
determining a management port and a service port of each internal component through a vulnerability scanning component;
establishing a management path between each management port and a management network bridge through a vulnerability scanning component, respectively configuring a first destination address for each management port through the management network bridge, and taking the management path carrying the first destination address as a first connection path;
configuring a virtual interface for each service port through the vulnerability scanning component, establishing a flow path between the virtual interface and the data packet processing framework, triggering an agent bridge arranged in the data packet processing framework to configure a second destination address for each service port respectively, and taking the flow path carrying the second destination address as a second connection path.
Optionally, the vulnerability information is determined by:
if a target internal component needing vulnerability repair is detected in the internal components through the vulnerability scanning component, determining the vulnerability level corresponding to the detected vulnerability to be repaired, and determining the first destination address and the second destination address corresponding to the internal components;
using, through the vulnerability scanning component, the vulnerability level, the first destination address and the second destination address together as the vulnerability information.
Optionally, after sending the repair package request to the host through the first connection path and before receiving the repair package returned by the host for the repair package request through the second connection path, the method further includes:
searching, through the host, whether a vulnerability scanning component corresponding to the repair package request exists in the vulnerability scanning component;
if so, parsing the repair file carried in the vulnerability scanning component;
otherwise, requesting, through the host, the repair file corresponding to the repair package request from the repair package site, where the repair package site is connected to the integrated security device through the Internet;
generating, through the host, a configuration file for the repair file, and generating, through the host, the repair package based on the vulnerability information, the repair file and the configuration file.
Optionally, when the vulnerability scanning component applies the repair package to repair the vulnerability to be repaired in the target internal component, the repair unit 602 is configured to:
check, through the vulnerability scanning component, whether the vulnerability information carried in the received repair package matches the vulnerability level corresponding to the detected target internal component;
if they are consistent, convert the repair file into a Docker image or a Chart package based on the configuration file when the target internal component is determined to be the host, or convert the repair file into an RPM package based on the configuration file when the target internal component is determined to be the security component;
after a repair instruction from the host has been received through the first connection path, repair the vulnerability on the host through the vulnerability scanning component by applying the Docker image or the Chart package, or repair the vulnerability on the security component through the vulnerability scanning component by applying the RPM package.
Optionally, the method further comprises:
recording a corresponding repair log in the process of repairing the vulnerability through the vulnerability scanning component, and sending the repair log to the host, where the repair log includes the repair time and the repair result;
if the repair time exceeds the preset repair period and the repair result is failure, notifying, through the host, the user side to repair the vulnerability corresponding to that repair result again.
Optionally, the virtual interface comprises a Vhost-user interface or a veth interface.
Based on the same inventive concept, referring to fig. 7, an embodiment of the present disclosure provides an integrated security device, including: a memory 701 for storing executable instructions; a processor 702 configured to read and execute executable instructions stored in a memory, and perform any one of the methods of the first aspect.
Based on the same inventive concept, the disclosed embodiments provide a computer-readable storage medium, wherein instructions that, when executed by a processor, enable the processor to perform the method of any of the above first aspects.
In summary, the embodiments of the present disclosure provide a vulnerability repair method, apparatus and storage medium. The method includes: in the process of performing vulnerability detection on the internal components through the vulnerability scanning component, if a target internal component needing vulnerability repair is detected in the internal components, sending, through the vulnerability scanning component, a repair package request to the host through the first connection path based on the vulnerability information of the detected target internal component, where the internal components include the host and at least one security component; and, after the repair package returned by the host for the repair package request has been received through the second connection path, repairing the vulnerability to be repaired in the target internal component with the repair package through the vulnerability scanning component. The first connection path is a connection path established between the vulnerability scanning component and the internal components through the management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal components through the virtual interface. In this way the efficiency and accuracy of vulnerability detection in the integrated security device are improved and the secure operation of the integrated security device is guaranteed.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the present disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications can be made in the present disclosure without departing from the spirit and scope of the disclosure. Thus, if such modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include such modifications and variations as well.

Claims (10)

1. A vulnerability repair method, applied to an integrated security device, comprising the following steps:
in the process of performing vulnerability detection on internal components through a vulnerability scanning component, if a target internal component needing vulnerability repair is detected in the internal components through the vulnerability scanning component, sending, through the vulnerability scanning component, a repair package request to a host through a first connection path based on the vulnerability information of the detected target internal component; wherein the internal components include the host and at least one security component;
after a repair package returned by the host for the repair package request is received through a second connection path, applying the repair package through the vulnerability scanning component to repair the vulnerability to be repaired in the target internal component;
wherein the first connection path is a connection path established between the vulnerability scanning component and the internal component through a management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal component through a virtual interface.
2. The method of claim 1, wherein prior to vulnerability detection of internal components by a vulnerability scanning component, further comprising:
determining a management port and a service port of each internal component through a vulnerability scanning component;
establishing a management path between each management port and the management bridge through a vulnerability scanning component, respectively configuring a first destination address for each management port through the management bridge, and taking the management path carrying the first destination address as the first connection path;
configuring the virtual interfaces for the service ports through a vulnerability scanning component, establishing flow paths between the virtual interfaces and a data packet processing framework, triggering an agent network bridge arranged in the data packet processing framework to configure second destination addresses for the service ports respectively, and taking the flow paths carrying the second destination addresses as second connection paths.
3. The method of claim 2, wherein the vulnerability information is determined by:
if a target internal component needing to repair a bug is detected in the internal components through a bug scanning component, determining a bug level corresponding to the detected bug needing to repair, and determining the first destination address and the second destination address corresponding to the internal components;
using, through the vulnerability scanning component, the vulnerability level, the first destination address and the second destination address as the vulnerability information.
4. The method of claim 1, wherein after sending a repair packet request to a host via a first connection, and before receiving a repair packet returned by the host for the repair packet request via a second connection, further comprising:
searching whether a vulnerability scanning component corresponding to the repair package request exists in the vulnerability scanning component through the host machine;
if so, analyzing a repair file carried in the vulnerability scanning component;
otherwise, requesting, through the host, a repair file corresponding to the repair package request from a repair package site, wherein the repair package site is connected to the integrated security device through the Internet;
and generating a configuration file for the repair file through the host machine, and generating the repair package through the host machine based on the vulnerability information, the repair file and the configuration file.
5. The method of claim 1, wherein the applying, through the vulnerability scanning component, the repair package to repair the vulnerability to be repaired in the target internal component comprises:
checking, through the vulnerability scanning component, whether the vulnerability information carried in the received repair package matches the vulnerability level corresponding to the detected target internal component;
if they are consistent, converting the repair file into a Docker image or a Chart package based on the configuration file when the target internal component is determined to be the host, or converting the repair file into an RPM package based on the configuration file when the target internal component is determined to be the security component;
after a repair instruction from the host is received through the first connection path, repairing the vulnerability on the host by applying the Docker image or the Chart package through the vulnerability scanning component, or repairing the vulnerability on the security component by applying the RPM package through the vulnerability scanning component.
6. The method of claim 1, wherein the method further comprises:
recording a corresponding repair log in the process of repairing the vulnerability through the vulnerability scanning component, and sending the repair log to the host, wherein the repair log comprises a repair time and a repair result;
if the repair time exceeds a preset repair period and the repair result is failure, notifying, through the host, the user side to repair the vulnerability corresponding to that repair result again.
7. The method of any one of claims 1-6, wherein the virtual interface comprises a Vhost-user interface or a veth interface.
8. A vulnerability repair apparatus, comprising:
a detection unit, configured to, in the process of performing vulnerability detection on internal components through a vulnerability scanning component, if a target internal component needing vulnerability repair is detected in the internal components through the vulnerability scanning component, send, through the vulnerability scanning component, a repair package request to a host through a first connection path based on the vulnerability information of the detected target internal component; wherein the internal components include the host and at least one security component;
a repair unit, configured to, after a repair package returned by the host for the repair package request is received through a second connection path, apply the repair package through the vulnerability scanning component to repair the vulnerability to be repaired in the target internal component;
wherein the first connection path is a connection path established between the vulnerability scanning component and the internal component through a management bridge, and the second connection path is a connection path established between the vulnerability scanning component and the internal component through a virtual interface.
9. An integrated security device, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 1-7.
10. A computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor, enable the processor to perform the method of any of claims 1-7.
Application CN202111499400.8A, priority date 2021-12-09, filing date 2021-12-09: Vulnerability repairing method and device and storage medium, pending, CN114357453A (en)


Publications (1)

Publication Number Publication Date
CN114357453A true CN114357453A (en) 2022-04-15

Family

ID=81096952



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination